.

By Andy Bochman

First came the Government Accountability Office (GAO) report – “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed” – which highlighted security shortcomings in the 1.0 version NISTIR 7628. Much of what it reported was not new news to those of us in the community, as it pointed out what NIST had already revealed itself: that it hadn’t been able to address every topic it originally intended to by the Sept. 1, 2010 deadline, and was working now to remedy the situation. One of these topics included strategies to defend against combined cyber and physical attacks. It also critiqued FERC’s lack of authority to regulate grid security beyond large generation and transmission systems.

Later in January, the Department of Energy’s IG office issued its report – “Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security.” It found FERC cyber security standards (as implemented by NERC) and the overall approach for regulating the national grid quite lacking, saying current standards "were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner." The IG also gave FERC a bit of a break when it acknowledged, "We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system." 

My take away? Both of these reports are telling us what we already know: The current Federal regulatory approach and authority over grid security matters is far from optimal, and that no one, especially Congress, is quite sure yet what to do about it. Meanwhile, as seen here at the mighty Distributech Conference in San Diego, the smart grid marches on just the same.

.

You might also be interested in …

Smart grid security webinar replays now available

NERC CIPs: Latest updates on V.4 & 5 (and sympathy for folks building them)