America’s power grid remains vulnerable to cyberattack, a result of sluggish implementation of weak computer security standards and insufficient federal oversight, says a tough new report from the US Department of Energy Inspector General.
The North American Electric Reliability Corp. (NERC), the lead grid-reliability organization for the power industry, has had approved standards in place since January 2008. Power companies were to have fully implemented those “critical infrastructure protection” (CIP) cyberstandards a year ago, but the standards still aren’t doing an effective job, the inspector general’s audit found.
“Our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems,” including tough password and log-in protections, the report said. The plodding implementation is “not adequate to ensure that systems-related risks to the Nation’s power grid were mitigated or addressed in a timely manner.”
Among its other findings are the following:
• The new CIP standards set weaker requirements for password and log-in protections than is common for other types of critical infrastructure.
• The Federal Energy Regulatory Commission (FERC), which approved the security standards that NERC developed, is partly to blame. The commission ultimately “did not have authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities,” the report said. In instances where FERC did have authority to strengthen CIP standards, “the commission had not always acted to ensure that cyber security standards were adequate.”
• The standards don’t “clearly define what constituted a critical asset or critical cyber asset,” the report found. Instead, utilities “were permitted to use their discretion when identifying critical assets and critical cyber assets….” As a result, “if an entity determined that no critical assets or critical cyber assets existed, it was exempt from the remaining original CIP standards,” the report said.
How to define “critical infrastructure” is a big part of the problem. “Lack of stringent requirements for defining critical assets contributed to a significant underreporting of these assets,” the IG found. Both the federal commission and NERC officials said power companies had probably undercounted their critical assets and associated critical cyber assets.
“Much of the problem stems from … lack of definition,” says Michael Assante, former chief security officer for NERC. “The concepts of what need to be protected have not been firmly established.”
Critical assets could include, for instance, control centers, transmission substations, and power generators. But on a compliance self-survey, only 29 percent of power generators and less than 63 percent of transmission owners identified one or more critical assets, NERC reported in April 2009.
The IG’s office also found that NERC and eight other regional electricity reliability organizations appear to have ignored federal demands to toughen the original CIP standards. One FERC official noted that 95 percent of the changes the commission requested of NERC had not been addressed, the IG said.
The result is that federal regulators have made little progress toward accurately assessing what needs protecting on the grid. The IG’s office recommends these fixes: that Congress give FERC greater authority to ensure grid cybersecurity; that tougher cybersecurity standards be adopted; that FERC intensify its oversight of NERC and other grid-reliability entities; that FERC adopt measurements to assess the performance of NERC and the other regional overseers.
“We found that these problems existed, in part, because [FERC] had only limited authority to ensure adequate cyber security over the bulk electric system,” the IG report states.
In a response to the IG’s report, FERC chairman Jon Wellinghoff agreed with most of its recommendations.
Mr. Assante, now president of the National Board of Information Security Examiners, a standards-setting body for cybersecurity experts, characterizes the CIP standards as only “a minimum set of sound security practices that reinforces the need for utilities to protect themselves and each other.”
Given the advent of cyberweapons that can destroy computer-controlled critical infrastructure, such as the Stuxnet worm that was aimed at Iran’s nuclear facilities, the IG’s report correctly identifies the issues that must be addressed to improve grid security, say grid cybersecurity experts.
“The standards have not been implemented with a strong sense of risk in mind,” Assante says. “The complexity of enacting a new regulatory regime has taken our collective eye off security and turned it toward administrative issues and compliance.”