The utility industry and US regulators need to boost computer-security standards to fend off a cyberattack on the power grid, says a tough new report from the Energy Department.
America's power grid remains vulnerable to cyberattack, a result of sluggish implementation of weak computer security standards and insufficient federal oversight, says a tough new report from the US Department of Energy Inspector General.
The North American Electric Reliability Corp. (NERC), the lead grid-reliability organization for the power industry, has had approved standards in place since January 2008. Power companies were to have fully implemented those "critical infrastructure protection" (CIP) cyberstandards a year ago, but the standards still aren't doing an effective job, the inspector general's audit found.
"Our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems," including tough password and log-in protections, the report said. The plodding implementation is "not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner."
Among its other findings are the following:
• The new CIP standards set weaker requirements for password and log-in protections than is common for other types of critical infrastructure.
• The Federal Energy Regulatory Commission (FERC), which approved the security standards that NERC developed, is partly to blame. The commission ultimately "did not have authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities," the report said. In instances where FERC did have authority to strengthen CIP standards, "the commission had not always acted to ensure that cyber security standards were adequate."