Threats to systems supporting critical infrastructure — including the smart grid — are constantly “evolving and growing” and as a result have been termed “government-wide high-risk areas” by the U.S. Government Accountability Office (GAO). Testifying before the House Energy and Commerce Committee’s oversight and investigations panel, Gregory Wilshusen, director of the GAO’s Information Security Issues team, shared his concerns about the security of the infrastructure. The written testimony observes that smart meters are among those devices that have not been “designed with a strong security architecture and lack important security features.” Further, he remarked that utility companies are often unaware of imminent threats or incidents on their systems because some of that intelligence is classified and cannot be shared with them.

A new report by the Government Accountability Office (GAO) recommended that the Department of Homeland Security (DHS) should work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities versus federal government entities.
  Read more »

The GAO has released a new report that questions whether smart grid is sufficiently secure, because the (1) NIST cybersecurity guidelines have shortfalls and (2) that they are only voluntary guidelines and there is no coordination between state and federal policymakers to ensure these guidelines are being followed by the industry. The report, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, found first that the NIST cybersecurity guidelines “did not address an important element essential to securing smart grid systems that it had planned to include—addressing the risk of attacks that use both cyber and physical means.” In addition, the report found that there are “missing elements” that were not addressed in the cybersecurity guidelines, which creates “an increased risk that smart grid implementation will not be secure as otherwise possible.” Secondly, the report found that “while EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority. This means that standards will remain voluntary unless regulators are able to use other authorities – such as the ability to oversee the rates electricity providers charge their customers – to enforce them.” Moreover, the report found that “FERC has not developed an approach coordinated with other regulators to monitor wither industry is following the voluntary smart grid standards that it adopts.” Read more »