The Government Accountability Office identified major challenges to ensuring the cybersecurity of an intelligent, interconnected power grid.
Jurisdictional cracks. The existing regulatory environment makes it difficult to ensure the cybersecurity of smart-grid systems.
Jurisdictional issues and the difficulties of responding to continually evolving threats are a major regulatory challenge. There is a lack of clarity in the division of responsibility between federal and state regulators because smart-grid technology can blur the traditional lines between transmission and distribution systems. And there are concerns about the ability of regulatory bodies to respond to rapidly evolving cybersecurity threats. Panel members also expressed concerns about future regulations that could be overly specific, including requiring the use of a particular product or technology.
Lack of consumer education. Consumers are not adequately informed about the benefits, costs and risks associated with smart-grid systems. That lack of awareness might make consumers unwilling to pay for secure systems, and regulators could be reluctant to approve rate increases associated with cybersecurity. Until consumers know more about smart grids, utilities might not invest in or get approval for comprehensive security.
Least common denominator for compliance. Utilities are focusing on regulatory compliance instead of comprehensive security. The existing federal and state regulatory environment creates a culture of compliance. Experts said utilities focus on achieving minimum regulatory requirements rather than designing a comprehensive approach to system security. Because security requirements are inherently incomplete, that focus could leave organizations vulnerable to attack.
Insecure components. Smart-grid systems don't have adequate security features. For example, some currently available smart meters don't have a strong security architecture and lack features such as event logging and forensics capabilities, and many home networks — used for managing electricity usage in homes — do not have adequate security built in. That could leave utilities unable to detect and analyze attacks, which increases the risk that attacks will succeed.
Industry opaqueness. The electricity industry does not have an effective mechanism for sharing information on cybersecurity and other issues. Although the electricity industry has an information sharing center, it does not fully address information on vulnerabilities, incidents, threats and best practices. President Barack Obama’s cyberspace policy review also identified challenges related to cybersecurity information sharing in critical infrastructure sectors. Information regarding incidents, including unsuccessful and successful attacks, must be shared securely to allow industry to analyze practices and approaches.
No measure, no progress. The electricity industry does not have metrics for evaluating cybersecurity. That makes it difficult to measure improvements from investments in cybersecurity. Although the metrics are difficult to develop, they could help compare the effectiveness of competing solutions and determine what mix of solutions combines to form the most secure system. Metrics also could help utilities develop a business case for cybersecurity by demonstrating the return on investments.