Washington, DC, U.S.A. — (METERING.COM) — January 31, 2012 – A number of the smart grid projects being funded through the Smart Grid Investment Grant (SGIG) program of the American Recovery and Reinvestment Act of 2009 do not have adequate cybersecurity requirements, according to the Department of Energy’s inspector general.
In a new report on an audit of the program, the inspector general found that of the five cybersecurity plans reviewed, three were “incomplete, and did not always sufficiently describe security controls and how they were implemented.” Further a Department review had found that “36 of the 99 cybersecurity approaches submitted as part of the grant applications lacked one or more required elements.”
For example, one recipient’s cybersecurity plan provided only a summary description of its cyber security processes. Another contained only the minimal elements required by the Department and without sufficient detail regarding how these elements would be implemented in the recipient’s environment.
While security plans will evolve as systems are developed and implemented, the practice of approving incomplete security plans may be problematic in that any existing gaps in a recipient’s security environment could allow system compromise before controls are implemented, the inspector general wrote. Further, approved elements that were not well defined in the plan could leave the system susceptible to compromise even after the cybersecurity plan had been fully implemented.
Other findings of the audit were that one project received federal funding of 60 percent of the project cost when the maximum should be 50 percent, and that one recipient was reimbursed twice for the same costs related to transportation.
The inspector general commented that these issues were due, in part, to the accelerated planning, development, and deployment approach adopted by the Department for the SGIG program. However, without improvements, there remains a risk that the goals and objectives of the smart grid program may not be fully realized.
To this end, inter alia it is recommended that an effective methodology for monitoring the SGIG program is developed and implemented, and that technical project officers are adequately trained and certified to manage the grants under their purview.
Under the SGIG program a total of 99 recipients were awarded grants in value from $397,000 to $200 million totaling $3.5 billion.