Editor’s Note: For more information about secure grid issues, including a copy of Gregory C. Wilshusen’s Senate testimony “Cybersecurity: Challenges in Securing the Electricity Grid” and the ENISA (European) smart grid security recommendations, please see FISMA Focus here

From: Government Computer News

By William Jackson

networked electric grid are hampered by a cumbersome regulatory process and a lack of enforcement, government and industry witnesses told a Senate panel.

Government is grappling with the need to secure a private-sector infrastructure that is critical to national security, but outside its direct control. The challenge to providing cybersecurity to the grid was the subject of a July 17 hearing before the Senate Energy and Natural Resources Committee.

Committee chairman Sen. Jeff Bingaman (D-N.M.) called the threat to the electric system real and dangerous, and said that, although the power system is the only segment of the nation’s critical infrastructure with mandatory security requirements, the system remains vulnerable to online attacks seven years after the regulatory framework was put into place.

“When it comes to cyberattacks, I am concerned that the current system is not adequate,” he said.

Representatives from the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. (NERC) described a system under which federal regulators lack the ability to establish standards and requirements, and the industry group creating the standards lacks the ability to enforce them.

All sides complained of a lack of useful information about cyber threats facing an electric grid that is becoming more integrated and tied into the Internet.

“Given the national security dimension to this threat, there may be a need to act quickly to protect the grid, to act in a manner where action is mandatory rather than voluntary, and to protect certain information from public disclosure,” said Joseph McClelland, director of FERC’s Office of Electric Reliability. “The commission’s current authority is not adequate to address cyber or other national security threats to the reliability of our transmission and power system.”

Although new smart-grid technology has the potential for making the system more reliable and secure, it also poses new threats, said Gregory C. Wilshusen, director of information security issues at the Government Accountability Office.

“The electricity grid’s reliance on IT systems and networks exposes it to potential and known cybersecurity vulnerabilities, which could be exploited by attackers,” Wilshusen said.

He outlined challenges to securing the grid, including:

  • A lack of a coordinated approach to monitor industry compliance.
  • A regulatory environment that makes it difficult to ensure the cybersecurity of smart grid systems.
  • A utility focus on regulatory compliance instead of comprehensive security.
  • A lack of security features consistently built into smart grid systems.
  • A lack of information sharing within the electricity industry.
  • A lack of metrics for evaluating cybersecurity.

“I am most concerned about coordinated physical and cyberattacks intended to disable elements of the power grid or deny electricity to specific targets, such as government or business centers, military installations or other infrastructures,” said NERC president and CEO Gerry Cauley.

The most immediate need for improving cybersecurity in the electric grid is legislation that would enable better information sharing within industry and with government, and that would provide liability protection for companies that share information about vulnerabilities and threats.

The current regulatory structure dates to the Energy Policy Act of 2005, which gave FERC responsibility for overseeing mandatory reliability standards, including cybersecurity, for the bulk power industry. Rather than establish standards itself, FERC designated an Electric Reliability Organization to create standards.

NERC was designated and submitted a set of Critical Infrastructure Protection standards in 2006. FERC could either approve or disapprove the standards, but could not modify them. They were approved in 2008, but NERC was told to address specific concerns by July 2009. Eventually, the fourth version of the standards was adopted in April 2012, and is set to go into effect in 2014. In the meantime, NERC has until April 2013 to address continuing problems.

“The currently effective [critical infrastructure protection] reliability standards allow utilities significant discretion to determine which of their facilities are ‘critical assets and the associated critical cyber assets,’ and therefore are subject to the requirements of the standards,” McClelland said.