The electric industry is increasingly incorporating information technology (IT) systems into its operations as part of nationwide efforts--commonly referred to as smart grid--to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of services. To address this concern, the Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards. GAO was asked to (1) assess the extent to which NIST has developed smart grid cybersecurity guidelines; (2) evaluate FERC's approach for adopting and monitoring smart grid cybersecurity and other standards; and (3) identify challenges associated with smart grid cybersecurity. To do so, GAO analyzed agency documentation, interviewed responsible officials, and hosted an expert panel.
NIST has developed, and issued in August 2010, a first version of its smart grid cybersecurity guidelines. The agency developed the guidelines--for entities such as electric companies involved in implementing smart grid systems--to provide guidance on how to securely implement such systems. In doing this, NIST largely addressed key cybersecurity elements that it had planned to include in the guidelines, such as an assessment of the cybersecurity risks associated with smart grid systems and the identification of security requirements (i.e., controls) essential to securing such systems. This notwithstanding, NIST did not address an important element essential to securing smart grid systems that it had planned to include--addressing the risk of attacks that use both cyber and physical means. NIST also identified other key elements that surfaced during its development of the guidelines that need to be addressed in future guideline updates. NIST officials said that they intend to update the guidelines to address the missing elements, and have drafted a plan to do so. While a positive step, the plan and schedule are still in draft form. Until the missing elements are addressed, there is an increased risk that smart grid implementations will not be secure as otherwise possible. In 2010, FERC began a process to consider an initial set of smart grid interoperability and cybersecurity standards for adoption, but has not developed a coordinated approach to monitor the extent to which industry is following these standards. While EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority. This means that standards will remain voluntary unless regulators are able to use other authorities--such as the ability to oversee the rates electricity providers charge customers--to enforce them. Additionally, although regulatory fragmentation--the divided regulation over aspects of the industry between federal, state, and local entities--complicates oversight of smart grid interoperability and cybersecurity, FERC has not developed an approach coordinated with other regulators to monitor whether industry is following the voluntary smart grid standards it adopts. FERC officials said they have not yet determined whether or how to do so. Nonetheless, adherence to standards is an important step toward achieving an interoperable and secure electricity system and establishing an approach for coordinating on standards adoption could help address gaps, if they arise. With respect to challenges to securing smart grid systems, GAO identified the following six key challenges: (1) Aspects of the regulatory environment may make it difficult to ensure smart grid systems' cybersecurity. (2) Utilities are focusing on regulatory compliance instead of comprehensive security. (3) The electric industry does not have an effective mechanism for sharing information on cybersecurity. (4) Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems. (5) There is a lack of security features being built into certain smart grid systems. (6) The electricity industry does not have metrics for evaluating cybersecurity. GAO recommends that NIST finalize its plan and schedule for updating its cybersecurity guidelines to incorporate missing elements, and that FERC develop a coordinated approach to monitor voluntary standards and address any gaps in compliance. Both agencies agreed with these recommendations.
Recommendations for Executive Action
|Department of Commerce||1. To reduce the risk that NIST's smart grid cybersecurity guidelines will not be as effective as intended, the Secretary of Commerce should direct the Director of NIST to finalize the agency's plan for updating and maintaining the cybersecurity guidelines, including ensuring it incorporates (1) missing key elements identified in this report, and (2) specific milestones for when efforts are to be completed. Also, as a part of finalizing the plan, the Secretary of Commerce should direct the Director of NIST should assess whether any cybersecurity challenges identified in this report should be addressed in the guidelines.|
|Federal Energy Regulatory Commission||2. To improve coordination among regulators and help Congress better assess the effectiveness of the voluntary smart grid standards process, the Chairman of FERC, making use of existing smart grid information, should develop an approach to coordinate with state regulators to (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards and (2) develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation. To the extent that FERC determines it lacks authority to address any gaps in compliance that cannot be addressed through this coordinated approach with other regulators, the Chairman should report this information to Congress.|
|Federal Energy Regulatory Commission||3. To improve coordination among regulators and help Congress better assess the effectiveness of the voluntary smart grid standards process, the Chairman of FERC, making use of existing smart grid information, should develop an approach to coordinate with groups that represent utilities subject to less FERC and state regulation (such as municipal and cooperative utilities) to (1) periodically evaluate the extent to which utilities and manufacturers are following voluntary interoperability and cybersecurity standards and (2) develop strategies for addressing any gaps in compliance with standards that are identified as a result of this evaluation. To the extent that FERC determines it lacks authority to address any gaps in compliance that cannot be addressed through this coordinated approach, the Chairman should report this information to Congress.|
|Federal Energy Regulatory Commission||4. The Chairman of FERC, working with NERC as appropriate, should assess whether any cybersecurity challenges identified in this report should be addressed in commission cybersecurity efforts.|