Billions in stimulus funding hasn’t made power grids safer, survey says


A majority of energy security practitioners do not believe economic stimulus-funded smart grid projects sufficiently protect the nation against cyberattacks, according to findings reported on Monday by an Energy Department-funded public-private partnership.

The 2009 American Recovery and Reinvestment Act has paid out $2.5 billion to modernize the U.S. electric system by digitizing the way power is distributed to consumers, according to Energy financial submissions. Program plans from June 2009 stated that one goal of the initiative, which will disburse $4.5 billion, was to “enhance security and reliability of the energy infrastructure.”

When asked if smart grid projects adequately addressed security, 67 percent of participants surveyed by the public-private group EnergySec said no. The March 2012 survey questioned 104 energy security professionals.

EnergySec chief executive officer Patrick Miller speculated that security specialists and businesses may have different perceptions about the lasting effect of today’s security controls. “It’s not as if the vendor is approaching this irresponsibly,” he said. “What may have been implemented, though it could be considered good security, will it stand the test of time?”

Hackers are innovating as fast as smart grid suppliers. “There was a flood of government money that came in,” Miller said. “And innovation is a good thing. But it’s very hard to keep pace with security when you are innovating this fast.”

Energy officials said all recipients of smart grid investment grants were required to develop cybersecurity plans explaining how they would identify risks, resolve them and ensure a stable cybersecurity posture.

“The Energy Department takes very seriously the responsibility of managing and overseeing its smart grid grants to protect taxpayer funds and ensure that projects are moving forward effectively to modernize our nation’s electric grid,” Energy spokeswoman Keri Fulton said in a statement.

Officials added that the Obama administration has proposed cybersecurity legislation that would establish a rulebook for enhanced cooperation between the government and energy operators nationwide. “This will clarify ways in which government and industry can share information about cybersecurity threats more effectively and strengthen the criminal penalties for those who take action to disrupt the grid,” Fulton said.

The survey also found that most professionals -- 60 percent -- did not think the federal government should regulate the smart grid industry. Miller wrote in the report that in digital power delivery, which spans local, state and federal regulatory lines, “a federal one-size-fits-all approach may significantly slow down progress.” But he acknowledged “potential inconsistencies in regulatory approaches may introduce complexity and risk smart grid landscape. Either model, whether state or federally regulated, comes with pros and cons. I see the regulatory oversight of the smart grid as one of our biggest challenges with the least obvious solution.”

Privacy invasions, energy theft and terrorist-induced power outages are a few of the concerns surrounding the new technology. Miller said, “I don’t think any of those are cataclysmic or catastrophic kinds of risks.” Manipulating widespread outages through the smart grid infrastructure would be enormously difficult to do, he added.

Most security experts surveyed, 53 percent, said the hype about invasions of privacy associated with smart meter consumer data is overblown. “I expect the smart grid industry to struggle with several challenges around who ultimately owns customer data,” Miller wrote in the report. “There are several gray areas that impact how smart grid customer data will be used as the industry attempts to maximize revenue potential. Even seemingly innocuous customer data has significant value -- just ask Facebook or Google.”

Cybersecurity compliance firm nCircle partnered with EnergySec on the survey.
