Even so, it is "difficult to make the business case" for cybersecurity investments because the probability of a devastating attack is so low. One problem: Regulations that mandate action often end up as a mere checklist for utilities – without actually improving security, because cyberthreats keep evolving.
Cybersecurity for the power grid is of concern to many. The Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corp. jointly oversee development of cybersecurity standards for power companies in the bulk power system. The National Institute of Standards and Technology is working on another set of standards. The Department of Homeland Security (DHS) and the Department of Energy (DOE) are weighing in, too.
In May, the White House offered its plan to put the grid in DHS hands. In July, a Senate bill proposed putting oversight authority with FERC and DOE. Action could come in the Senate as soon as January.
None of these proposals would create a single body with national regulatory oversight of cybersecurity standards – oversight covering not just bulk power, which is transmitted long distances over high-voltage lines, but also local distribution systems, the MIT report notes.
"The federal government should designate a single agency to have responsibility for working with industry and to have appropriate regulatory authority to enhance cybersecurity preparedness, response, and recovery across the electric power sector, including bulk power and distribution systems," the study recommended.
The report regards cyberattacks as inevitable. Therefore, the US needs another specialized entity to conduct forensic investigations – something akin to the National Transportation Safety Board (NTSB) that, in the transportation world, swoops in to analyze the causes of accidents and recommends action, the study says.