Wednesday, February 2, 2011

January was a Rough Start for 2011 Smart Grid Security Regulation Report Cards

Hopefully the baby Smart Grid will do better in its security courses later this year and next, but it scored about a D average on its first two big US Federal tests of the year when results were reported last month.

First came the Government Accountability Office (GAO) report titled “Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed,” which highlighted security shortcomings in version 1.0 of NISTIR 7628. Much of what it reported was not news to those of us in the community, as it pointed out what NIST had already revealed itself: that it hadn’t been able to address every topic it originally intended by the 1 September 2010 deadline, and was now working to remedy the situation. One of these topics was strategies to defend against combined cyber and physical attacks. The report also critiqued FERC’s lack of authority to regulate grid security beyond large generation and transmission systems.

Later in January, the Department of Energy’s IG office issued its report “Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security,” in which it found FERC cyber security standards (as implemented by NERC) and overall approach for regulating the national grid quite lacking, saying current standards "were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner." The IG also gave FERC a bit of a break when it acknowledged, "We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system."

My takeaway? Both of these reports are telling us what we already know: that the current Federal regulatory approach and authority over grid security matters is far from optimal, and that no one, especially Congress, is quite sure yet what to do about it. Meanwhile, as seen here at the mighty Distributech Conference in San Diego, the Smart Grid marches on just the same.
