GAO Warns Of Cyber Insecurity on Smart Grid

The U.S. Government’s watchdog, the Government Accountability Office (GAO) has warned that the rapid adoption of so-called “smart grid” infrastructure in the U.S. electric industry is going forward without adequate planning for cybersecurity and the combined physical and cyber attacks that are likely to occur.

GAOThe U.S. Government’s watchdog, the Government Accountability Office (GAO) has warned that the rapid adoption of so-called “smart grid” infrastructure in the U.S. electric industry is going forward without adequate planning for cybersecurity and the combined physical and cyber attacks that are likely to occur. In a new report, “Electricity Grid Modernization: Progress Being Made on Cyber Security Guidelines, but Key Challenges Remain to be Addressed” (GAO-11-117), the GAO warns that rapid adoption of smart grid technology may leave the U.S. vulnerable to crippling cyber attacks, unless the nation can find a way to address its fragmented and voluntary regulatory environment and a lack of proper planning for cyber security.

The report, issued this month, echoes warnings from private security researchers about the vulnerability of smart grid technology to tampering and hacking. It provides a sober assessment of the security implications as the U.S. looks to modernize its electricity generation and distribution network in the age of Stuxnet and other sophisticated cyber threats.

Smart grid technology holds promise for U.S. power generators and consumers alike, GAO finds. It enables smarter management of power generation and demand from generation thorough to homes and businesses. But the advantages of smart grid technology – which requires the creation of a massive, new IP-based infrastructure for monitoring power generation, distribution and consumption – also introduce considerable risks, especially in the arena of online attacks, GAO concludes.

A federal law, the 2007 Energy Independence and Security Act (EISA) formed the foundation of smart grid planning at the federal level and instructed the National Institute of Standards and Technology to coordinate development of IT standards for ensuring smart grid interoperability and security, including cyber security.

However, the report found that NIST’s Cyber Security guidelines for the smart grid are insufficient and unlikely to keep pace with a fast-moving cyber threat environment. Even today, the proposed standards fail to anticipate combined physical and cyber attacks. Beyond that, the GAO noted a host of areas likely to hamper smart grid security. They include a tangle of regulatory jurisdictions made up of Federal, state and local regulatory bodies that make it difficult to gain an industry-wide picture of compliance. A tradition of self-regulation in the electric industry also means that the standards developed by NIST can’t easily be enforced by the Federal Energy Regulatory Commission (FERC).

GAO reports that smart grid technologies such as the wireless smart meters that are deployed at homes and businesses were being developed and deployed without adequate attention to security features including thorough event logging and other forensic features. Important players in the electric generation and distribution network have no easy way of sharing information on cyber security issues or learning from each others’ mistakes and successes, power utilities are focusing more on compliance with industry regulations than with risk-based assessment and prioritization of security. And, finally, consumers aren’t being adequately informed of the security risks that accompany smart grid technology.

Presented with a complex distribution grid, competing federal, state, local and private sector interests and a patchwork of regulations, however, GAO could only recommend that the Chairman of FERC work on ways to coordinate federal and state regulation of utilities and manufacturers to force interoperability between smart grid products from different sources and to identify and address gaps in compliance with the NIST guidelines, and coordinate with local and cooperative utilities to make sure they are following the cyber security guidelines set out by larger players and state and federal regulators.

The discovery of the Stuxnet worm last summer focused the attention of federal officials on the security of critical infrastructure – especially the electricity distribution grid. Suggestions range from closer federal oversight of privately owned critical infrastructure to company-initiated red teaming and other tests that mimic large scale cyber attacks.

Suggested articles

Discussion

  • Anonymous on

    Doesn't anyone see the paradox?  While the government hands out stimulus cash it attaches compressed timeline requirements (this is political) on grid projects, while all the while knowing that they are rushing headlong into a dangerous situation.  Politics trumps risk.

  • Bradford E. Black, CPP on

    If anyone follows the news, it has become apparent that nobody can successfully stop all available ip-based attacks 100% of the time.  Witness the nonstop loss of personal identification info from government agencies, medical institutions, univerisites, financial institutions, etc.  Also, it is apparent that equipment destruction can result, casuing massive outages and that cyberwarfare techniques are targeting this result, based on analysis of Stuxnet.  Wouldn't the "smart grid" be a primary target?  Wouldn't the smartest grid be the one that is not ON the grid?  Wasn't there a saying about people who live in glass houses....?   

  • Jack Warner on

    Recent Congressional testimony, the Stuxnet virus attack, and the little - publicized RSA hack are current reminders of the vulnerability of the U.S. electric power grid to digital attack and malicious shutdown.   With this as background, ValidTech is pleased to have completed its contract to install its VSSA user authentication product for the Israel Electric Corporation, the sole electric service provider for the State of Israel.   The government - owned IEC, which has considerable successful experience with operational security issues, selected VSSA after a worldwide search and investigation of user authentication alternatives.   

    From a U.S. perspective, it is instructive and somewhat disquieting to recognize the difference between the U.S. and Israeli approaches: nominally responsible U.S. public and industry officials talk; the Israeli’s act.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.