An Audit Report by the Department of Energy’s Inspector General found that, although the Federal Energy Regulatory Commission had taken steps to ensure Critical Infrastructure Protection (CIP) “cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation’s power grid were mitigated or addressed in a timely manner.”
The IG “found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system. While the Energy Policy Act established the Commission’s authority to approve, remand, or direct changes to proposed reliability standards, the Commission did not have the authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities.”
The Audit Report notes, however, that “even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC [North American Electric Reliability Corporation] and the regional entities assessed implementation of the cyber security standards.”
Attached below is the Audit Report on the “Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security.”