Recommendation: The Secretary of Energy, in coordination with DHS and other relevant stakeholders, should develop a plan aimed at implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy, including a full assessment of cybersecurity risks to the grid. (Recommendation 1)
Agency: Department of Energy
Status: Open
Priority recommendation
Comments: DOE agreed with our recommendation. In its response to our report, DOE stated that it was working through an interagency process to develop a National Cyber Strategy Implementation Plan that will consider DOE's Multiyear Plan for Energy Sector Cybersecurity. To fully address our recommendation, DOE should coordinate with DHS and other relevant stakeholders to develop a plan for implementing the federal cybersecurity strategy for the electric grid and ensure that the plan addresses the key characteristics of a national strategy.
Recommendation: FERC should consider our assessment and determine whether to direct the North American Electric Reliability Corporation (NERC) to adopt any changes to its cybersecurity standards to ensure those standards more fully address the NIST Cybersecurity framework and address current and projected risks. (Recommendation 2)
Agency: Federal Energy Regulatory Commission
Status: Open
Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.
Recommendation: FERC should (1) evaluate the potential risk of a coordinated cyberattack on geographically distributed targets and, (2) based on the results of that evaluation, determine whether to direct NERC to make any changes to the threshold for mandatory compliance with requirements in the full set of cybersecurity standards. (Recommendation 3)
Agency: Federal Energy Regulatory Commission
Status: Open
Comments: In August 2020, FERC officials told GAO that the Commission assembled a team to conduct a technical analysis to develop a plan with appropriate next steps to address GAO's recommendations. As part of this effort, FERC issued two documents. In June 2020, FERC issued a Notice of Inquiry seeking comments on (1) whether NERC's cybersecurity standards adequately address certain NIST Cybersecurity Framework categories, and (2) whether modifications to the cybersecurity standards would be appropriate to address the potential risk of a coordinated cyberattack on geographically distributed targets. Additionally, in June 2020, FERC issued a white paper exploring a new framework for providing incentives to transmission facilities for cybersecurity investments that exceed the requirements of NERC's cybersecurity standards. The incentives are designed, in part, to incentivize cybersecurity investments by facilities that are not covered by NERC's cybersecurity standards, according to FERC officials. As of October 2020, this recommendation remains open.
