Washington, DC, U.S.A. — (METERING.COM) — January 17, 2011 – Progress is being made on the development of smart grid cybersecurity guidelines in the U.S. by the National Institute of Standards and Technology (NIST) and the Federal Energy Regulatory Commission (FERC), but several key challenges remain to be addressed, according to a report from the nation’s Government Accountability Office.
Until these missing elements are addressed, there is an increased risk that smart grid implementations will not be as secure as otherwise possible, the report says.
NIST released its first cybersecurity guidelines in September, following a 17-month development period and input from hundreds of industry participants, for utilities and other organizations to use in developing their cybersecurity strategies. The report says these largely addressed the key cybersecurity elements that had been planned, but an important element essential to securing smart grid systems – the risk of attacks that use both cyber and physical means – was not addressed, nor were other key elements that surfaced during the development of the guidelines. While NIST officials have said they intend to update the guidelines to address the missing elements, the plan and schedule are still in draft form.
The report also reviews FERC’s approach for adopting and monitoring smart grid cybersecurity standards and finds that while the organization has begun a process to consider an initial set of smart grid interoperability and cybersecurity standards for adoption, it has not developed a coordinated approach to monitor the extent to which industry is following these standards. Further, while the Energy Independence and Security Act of 2007 (EISA) gives FERC authority to adopt smart grid standards, it does not provide a specific enforcement authority, so standards will remain voluntary unless regulators are able to use other authorities – such as the ability to oversee the rates electricity providers charge customers – to enforce them. Adherence to standards is an important step toward achieving an interoperable and secure electricity system, and establishing an approach for coordinating on standards adoption could help address gaps, if they arise, the report comments.
Specifically, the report identifies six key challenges to securing smart grid systems:
- Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.
- Utilities are focusing on regulatory compliance instead of comprehensive security.
- The electric industry does not have an effective mechanism for sharing information on cybersecurity.
- Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
- There is a lack of security features being built into certain smart grid systems.
- The electricity industry does not have metrics for evaluating cybersecurity.