Holes Remain in Smart Grid’s Cyber-Security Standards

Key security issues still need to be addressed as IT is integrated into the nation’s electricity infrastructure, according to a recent report released by the U.S. Government Accountability Office (GAO).

If done right, proponents say the interconnected system — commonly referred to as the smart grid — would provide a range of benefits, such as provide operators with more information about the condition of the electricity system, and allow consumers to receive real-time information about pricing and demand.

However, if the IT systems are not installed correctly, the electric grid will be more vulnerable to cyber-attacks and disrupted service, according to the report.

Six key challenges persist, as identified by the GAO:

• Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cyber-security.
• Utilities are focusing on regulatory compliance instead of comprehensive security.
• The electric industry lacks an effective mechanism for sharing information on cyber-security.
• Consumers are not adequately informed about the benefits, costs and risks associated with smart grid systems.
• There’s a lack of security features being built into certain smart grid systems.
• The electricity industry does not have metrics for evaluating cyber-security.

Work began years ago on security standards for the smart grid. The Energy Independence and Security Act of 2007 gave the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) the responsibility of coordinating the development and adoption of smart grid guidelines and standards.

Last year, both agencies released the first round of this information for the GOA to review. After assessment and evaluation, the GOA found that the guidelines were not adequate in covering potential cyber-security issues.

“While NIST largely addressed the key elements in developing its guidelines, it did not address an important element essential to securing smart grid systems and networks that NIST had planned to include. Specifically it did not address the risk of combined cyber-physical attacks,” according to the report.

NIST officials said they intend to update the guidelines to address the missing elements and have already drafted a plan to do so.

“Without it, there is increased risk that important cyber-security elements will not be addressed by entities implementing smart grid systems, thus making these systems vulnerable to attack,” according to the report.

At the same time, FERC began a process to consider an initial set of smart grid interoperability and cyber-security standards for adoption. However, FERC hasn’t developed an approach to monitor the extent to which industry follows these standards, the report said, because according to the GAO’s analysis, it has not yet determined whether or how to perform such a task.

“Without a documented approach to coordinate with state and other regulators on this issue, FERC will not be well positioned to promptly begin monitoring the results of any standards it adopts or quickly respond if gaps arise,” the report said.

The GAO recommends that NIST finalize its plan and schedule an update of its cyber-security guidelines to incorporate missing elements, and that FERC develop a coordinated approach to monitor the standards and address any gaps in compliance. Both agencies have agreed with these recommendations.

The report also stated that although challenges remain, progress has been made, such as installing smart grid modernization on homes and commercial buildings that enable communication between the utility and customer.

“Smart grid modernization is an ongoing process,” the report said, and various initiatives continue to ensure safe implementation.