Report finds smart-grid security lacking

GAO report says smart meters lack strong security architecture and features for detecting and analyzing cyberattacks.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
This illustration from the GAO report shows the topography of a smart grid. GAO

Echoing concerns of security experts, a new report from the Government Accountability Office warns that smart-grid systems are being deployed without built-in security features.

Certain smart meters have not been designed with a strong security architecture and lack important security features like event logging and forensics capabilities used to detect and analyze cyberattacks, while smart-grid home area networks that manage electricity usage of appliances also lack adequate built-in security, according to the report (PDF) released last week by the GAO, the auditing and investigative arm of the U.S. Congress.

"Without securely designed smart-grid systems, utilities will be at risk of not having the capacity to detect and analyze attacks, which increases the risk that attacks will succeed and utilities will be unable to prevent them from recurring," said the report.

The report also took aim at the self-regulatory nature of the industry, saying utilities are focusing on complying with minimum regulatory requirements rather than having adequate security to prevent cyberattacks.

The National Institute of Standards and Technology "does not have a definitive plan and schedule, including specific milestones, for updating and maintaining its cybersecurity guidelines to address key missing elements," the report concluded. One of the important elements NIST has failed to address is the risk of attacks that use both cyber and physical means, the report said.

"Furthermore, Federal Energy Regulatory Commission has not established an approach coordinated with other regulators to monitor the extent to which industry is following the smart-grid standards it adopts," the report said. "The voluntary standards and guidelines developed through the NIST and FERC processes offer promise. However, a voluntary approach poses some risks when applied to smart-grid investments, particularly given the fragmented nature of regulatory authority over the electricity industry."

In comments on the report that were included as an appendix, the Department of Commerce--which oversees NIST--says NIST "agrees that the risk of combined cyber-physical attacks on the smart grid is an area that needs to be more fully explored in the future."

Meanwhile, FERC Chairman Jon Wellinghoff said in comments included in an appendix to the report that he will ask his staff to evaluate ways to improve coordination among regulators and assess whether challenges identified in the report should be addressed in FERC's cybersecurity efforts, but will need to work within the commission's statutory authority.

The goal of the smart grid is to improve reliability and efficiency by incorporating information technology systems into power lines and customer meters for monitoring power distribution and usage without having to send operators into the field.

A FERC spokesperson provided this comment in response to an e-mail request from CNET: "FERC is doing the task assigned by Congress: determining whether sufficient consensus was reached on the standards recently identified by NIST and, if so, whether to adopt those standards. As stated in the report, we will also work with others on seeking to monitor voluntary compliance. But, ultimately, additional legislation may be needed if Congress intends compliance to be mandatory."

(Via Threatpost)

Updated January 20 at 10:05 a.m. PDT with FERC e-mail comment.