The U.S. Government’s watchdog, the Government Accountability Office (GAO), has warned that the rapid adoption of so-called “smart grid” infrastructure in the U.S. electric industry is going forward without adequate planning for cybersecurity, including for the combined physical and cyber attacks the report considers likely. In a new report, “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed” (GAO-11-117), the GAO warns that rapid adoption of smart grid technology may leave the U.S. vulnerable to crippling cyber attacks unless the nation finds a way to address its fragmented and largely voluntary regulatory environment and its lack of proper planning for cybersecurity.
The report, issued this month, echoes warnings from private security researchers about the vulnerability of smart grid technology to tampering and hacking. It provides a sober assessment of the security implications as the U.S. looks to modernize its electricity generation and distribution network in the age of Stuxnet and other sophisticated cyber threats.
Smart grid technology holds promise for U.S. power generators and consumers alike, GAO finds. It enables smarter management of power generation and demand, from generation through to homes and businesses. But the advantages of smart grid technology, which requires the creation of a massive new IP-based infrastructure for monitoring power generation, distribution and consumption, also introduce considerable risks, especially in the arena of online attacks, GAO concludes.
A federal law, the 2007 Energy Independence and Security Act (EISA), formed the foundation of smart grid planning at the federal level and instructed the National Institute of Standards and Technology (NIST) to coordinate development of IT standards for ensuring smart grid interoperability and security, including cybersecurity.
However, the report found that NIST’s cybersecurity guidelines for the smart grid are incomplete and unlikely to keep pace with a fast-moving cyber threat environment. As currently written, the guidelines fail to anticipate combined physical and cyber attacks. Beyond that, the GAO noted a host of areas likely to hamper smart grid security. They include a tangle of regulatory jurisdictions, made up of federal, state and local regulatory bodies, that makes it difficult to gain an industry-wide picture of compliance. A tradition of self-regulation in the electric industry also means that the standards developed by NIST can’t easily be enforced by the Federal Energy Regulatory Commission (FERC).
GAO reports that smart grid technologies, such as the wireless smart meters deployed at homes and businesses, are being developed and deployed without adequate attention to security features, including thorough event logging and other forensic capabilities. Important players in the electric generation and distribution network have no easy way of sharing information on cybersecurity issues or learning from each other’s mistakes and successes. Power utilities are focusing more on compliance with industry regulations than on risk-based assessment and prioritization of security. And, finally, consumers aren’t being adequately informed of the security risks that accompany smart grid technology.
Presented with a complex distribution grid, competing federal, state, local and private sector interests, and a patchwork of regulations, GAO could only recommend that the Chairman of FERC work on ways to coordinate federal and state regulation of utilities and manufacturers. That coordination would aim to ensure interoperability between smart grid products from different vendors, to identify and address gaps in compliance with the NIST guidelines, and to bring local and cooperative utilities into line with the cybersecurity guidelines followed by larger players and state and federal regulators.
The discovery of the Stuxnet worm last summer focused the attention of federal officials on the security of critical infrastructure, especially the electricity distribution grid. Suggestions range from closer federal oversight of privately owned critical infrastructure to company-initiated red teaming and other exercises that mimic large-scale cyber attacks.