A report by the Department of Energy (DOE) Inspector General, released yesterday, revealed gaps in the way the Federal Energy Regulatory Commission (FERC) is implementing cyber security standards for the United States’ power grid.
The audit revealed a number of issues with both the standards and their implementation.
The implementation approach and schedule for the critical infrastructure protection (CIP) cyber security standards didn’t ensure that systems-related risks to the national power grid were mitigated or addressed quickly. Combined with the inherent slowness of the regulatory process, these extra delays could put the power grid at greater risk.
Implementation of technical controls related to system access, patch management, and malware prevention was delayed while documentation requirements were given priority. Though the paperwork will need to be done eventually, it shouldn’t be prioritized over implementation.
The standards didn’t include a number of security controls commonly recommended for government and industry systems. For example, the standards lacked essential security requirements, a definition of “critical asset” and any implementation of logical access controls.
Not all entities were required to comply with the CIP standards at the same time, even though they may have faced similar threats. A security breach at a facility that doesn’t comply with the standards could affect the entire power grid.
Authored by Lindley Ashline