On January 12, 2011, the U.S. Government Accountability Office (“GAO”) released a report entitled “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed” (the “Report”).  This Report highlighted key issues which could cause concern for the smart grid system and identified regulatory problems affecting smart grid cybersecurity standards.

The objectives of the Report were to: (1) assess the extent to which the National Institute of Standards and Technology (“NIST”) had developed smart grid cybersecurity guidelines; (2) evaluate the Federal Energy Regulatory Commission’s (“FERC” or the “Commission”) efforts to adopt smart grid cybersecurity and other standards and monitor their use by industry; and (3) identify challenges associated with ensuring the cybersecurity of the smart grid.

The Report found that NIST has developed and issued smart grid cybersecurity guidelines, but that there are some cybersecurity elements which were not addressed, such as the risk of a combined cyber-physical attack, cryptography issues, and vulnerabilities in the supply chain.  Also, FERC has been reviewing initial smart grid standards, but has not come up with a coordinated plan to monitor the way in which the industry follows these voluntary standards.  In addition, NIST and FERC processes face challenges given the “fragmented” nature of regulatory authority in the electricity industry.  The Report recommended that FERC and NIST have an approach to updating the cybersecurity guidelines and monitoring whether voluntary standards are being followed by manufacturers and utilities. 

The Report recommended that the Secretary of Commerce direct NIST to finalize the plan for updating and maintaining the cybersecurity guidelines, incorporating missing elements as identified in the Report and adding milestones for completion.  It also recommended that the FERC Chairman develop an approach to coordinate with state regulators to: (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards; and (2) develop strategies for addressing any gaps in compliance with standards identified through this evaluation.  The Report indicated that if FERC lacks the authority to address gaps in compliance, the Chairman should report this to Congress, and FERC should coordinate with other regulators to help monitor compliance.

A copy of the GAO report is available here.