A recent audit report from the U.S. Department of Energy is entitled "Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security". Click here to obtain the full report.
So, what is the conclusion of the report? Do we have a secure power grid in the U.S.? In case you wonder what the U.S. power grid looks like, follow this link for a visual representation of the power grid.
The answer is: not really. The audit report found several problems with the security protection of the power grid. But before we go any further into the details, let's define a few terms and get some basic facts down.
- The Energy Policy Act of 2005 passed by Congress gave the Federal Energy Regulatory Commission the responsibility to oversee the bulk power system also known as the bulk electric system or power grid.
- What is the bulk electric system? It consists of roughly 1,600 entities operating at 100 kilovolts or higher.
- The Commission asked the North American Electric Reliability Corporation (NERC) to develop Critical Infrastructure Protection (CIP) cyber reliability standards with which all entities must comply. These standards and their enforcement are the core of this audit report.
What are some of the (alarming) findings?
- The standards did not clearly define "a critical asset" that needs to be protected. Therefore, entities were given discretion to choose what, according to them, counts as a critical asset. The bottom line: the auditors believe that these operators under-reported their critical assets.
- Some security practices prescribed in the standards are quite lax compared to accepted effective practice. For example, the CIP standards suggest that passwords be a minimum of 6 characters and changed at least annually. Compare this suggestion with the Commission's internal policy: passwords must be at least 12 characters and changed every 60 days. Wait... That is not all. Other access controls that are commonly recommended were not addressed in the standards at all: limits on the number of unsuccessful login attempts and a session lock after inactivity, among others.
- The report also mentioned other problems: delays in standard development, and inadequate monitoring of the performance of NERC and the regional entities responsible for the power grid.
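To make the gap in that second finding concrete, here is an added example (not from the audit report or any NERC/FERC tooling) that checks an access-control configuration against the two policies the post compares. The CIP and Commission password figures are the ones quoted above; the lockout threshold and inactivity timeout attached to the stricter policy are assumed values, since the post only says such controls are commonly recommended.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessControlPolicy:
    name: str
    min_password_length: int
    max_password_age_days: int
    max_failed_logins: Optional[int]      # None: the policy is silent on lockout
    inactivity_lock_minutes: Optional[int]  # None: the policy is silent on session lock


# Figures quoted in the post: CIP says 6 characters, changed at least annually,
# and says nothing about lockout or session lock.
CIP_BASELINE = AccessControlPolicy("CIP standard", 6, 365, None, None)
# Commission internal policy: 12 characters, rotated every 60 days.
# The lockout (5 attempts) and inactivity (15 minutes) thresholds are ASSUMED
# illustrative values, not figures from the report.
COMMISSION_INTERNAL = AccessControlPolicy("Commission internal policy", 12, 60, 5, 15)

# Constructed sample: a device configured exactly at the CIP floor.
CIP_FLOOR_CONFIG = {"min_password_length": 6, "max_password_age_days": 365}


def audit_config(cfg: dict, policy: AccessControlPolicy) -> list[str]:
    """Return one finding per control where cfg is weaker than policy."""
    findings = []
    length = cfg.get("min_password_length", 0)
    if length < policy.min_password_length:
        findings.append(f"password length {length} < required {policy.min_password_length}")
    age = cfg.get("max_password_age_days")
    if age is None or age > policy.max_password_age_days:
        findings.append(f"password age {age} days exceeds {policy.max_password_age_days}")
    if policy.max_failed_logins is not None:
        attempts = cfg.get("max_failed_logins")
        if attempts is None or attempts > policy.max_failed_logins:
            findings.append(f"no lockout within {policy.max_failed_logins} failed logins")
    if policy.inactivity_lock_minutes is not None:
        idle = cfg.get("inactivity_lock_minutes")
        if idle is None or idle > policy.inactivity_lock_minutes:
            findings.append(f"no session lock within {policy.inactivity_lock_minutes} minutes")
    return findings


if __name__ == "__main__":
    for policy in (CIP_BASELINE, COMMISSION_INTERNAL):
        print(policy.name, audit_config(CIP_FLOOR_CONFIG, policy))
```

The same device passes the CIP check with no findings and fails the Commission policy on all four controls, which is the point of the audit finding.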
What are some of the recommendations to improve the security of the power grid?
- Continue to work with Congress to obtain authority appropriate to ensure adequate cyber security over the bulk electric system
- Work with NERC to refine the CIP standards to include risk-based requirements and cyber security controls to help minimize vulnerabilities to the power grid
- Ensure timely development and approval of the CIP standards including communication with NERC and electric industry entities during the process
- Ensure the Commission adequately monitors the performance of NERC and the eight regional entities responsible for security over the bulk electric system
- Ensure that cyber security performance metrics for NERC and its regional entities are developed and utilized that enable the Commission to effectively monitor and assess program performance.
Perhaps the Commission would benefit from looking at NIST's Risk Management Framework for protecting information assets, shown below: