GAO: Feds need to strengthen smart grid standards and oversight

Unless regulatory commission gets enforcement authority, industry compliance will remain mandatory.

Federal agencies need to strengthen cybersecurity guidelines and improve oversight of industry efforts to secure smart grid systems and networks, according to a new report from the Government Accountability Office.

While energy companies are using information technology to make the electricity grid more efficient and reliable, those technologies also are creating security vulnerabilities. Federal standards for identifying and mitigating security risks are inadequate, GAO said in a report released Wednesday.

The watchdog found that while the National Institute of Standards and Technology developed and issued cybersecurity guidelines as a result of the Energy Independence and Security Act of 2007, they do not deal with key issues, including the risk of attacks that involve both cyber and physical means. "Until the missing elements are addressed, there is an increased risk that smart grid implementations will not be as secure as otherwise possible," GAO said.

GAO also found that the Federal Energy Regulatory Commission lacks the ability to enforce standards. "While EISA gives FERC authority to adopt smart grid standards, it does not provide FERC with specific enforcement authority," the report said. "As a result, any standards identified and developed through the NIST-led process are voluntary unless regulators use other authorities to directly compel utilities and manufacturers to follow them."

The fragmented nature of industry regulation further complicates enforcement, GAO found. Responsibility for oversight is divided among various federal, state and local regulators, and historically FERC's authority has been limited to certain parts of the grid, typically the transmission system. In conducting its audit, GAO interviewed electricity regulators in seven states from November 2009 to January 2011.

GAO recommended Commerce Department Secretary Gary Locke direct NIST to finalize the agency's plan for updating and maintaining cybersecurity guidelines. GAO further said FERC should work with state regulators to determine gaps in compliance, and report to Congress the extent to which it lacks authority to address compliance gaps that cannot be addressed through a coordinated approach.

In a response to the report, Locke agreed NIST should finalize its plan and schedule, and FERC should develop an approach to address any gaps in compliance. FERC Chairman Jon Wellinghoff said he would direct his staff to explore possible approaches to implement the recommendations.