Smart Grid Observer


Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid

August 15, 2019

The U.S. electric grid faces an increasing array of cybersecurity risks, as well as significant challenges to addressing those risks. A recent report from the U.S. Government Accountability Office (GAO) has found that, to their credit, federal agencies have performed a variety of critical infrastructure protection and regulatory activities aimed at addressing those risks. In particular, DOE has developed plans and an assessment aimed at implementing the federal strategy for confronting the cyber threats facing the grid. However, those documents do not fully address all of the key characteristics needed to implement a national strategy, including a full assessment of cybersecurity risks to the grid. Until DOE ensures it has a plan that does, the guidance the plan provides decision makers in allocating resources to address grid cybersecurity risks and challenges will likely be limited.

Additionally, FERC has approved mandatory cybersecurity standards for bulk power entities, but those standards address some but not all of the leading cybersecurity practices identified in NIST's Cybersecurity Framework. Without a full consideration of how the FERC-approved cybersecurity standards address NIST's Cybersecurity Framework, there is increased risk that bulk power entities will not fully implement leading cybersecurity practices needed to address current and projected risks. Finally, the threshold for which entities must comply with requirements in the full set of FERC-approved standards is based on the results of an analysis that did not evaluate the potential risk of a coordinated cyberattack on geographically distributed targets. Without information on the risk of such an attack - particularly one that might target low-impact systems that are subject to fewer requirements but in aggregate could affect the grid - FERC does not have assurance that its approved threshold for mandatory compliance adequately responds to that risk and sufficiently provides for the reliable operation of the electric grid.

The GAO report makes a total of three recommendations - one to DOE and two to FERC. Specifically:
  • The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)

  • FERC should consider our assessment and determine whether to direct NERC to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity Framework and address current and projected risks. (Recommendation 2)

  • FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and (2), based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)

Source: United States Government Accountability Office