Addressing cybersecurity guidelines and standards being considered by NIST and FERC, the U.S. Government Accountability Office, the nonpartisan investigative arm of Congress, pointed out key challenges to securing smart grid systems in a recently released report. Chief among them were that NIST’s cybersecurity guidelines did not address the risk of attacks that use both cyber and physical means and that FERC has not developed a coordinated approach to enforce the adoption of its cybersecurity standards.
The report further identified the following concerns:
- Aspects of the regulatory environment may make it difficult to ensure smart grid system’s cybersecurity
- Utilities are focusing on regulatory compliance rather than comprehensive security
- The electric industry does not have an effective mechanism for sharing information on cybersecurity
- The electric industry does not have metrics for evaluating cybersecurity
- Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems
In response, both NIST and FERC agreed the report made useful findings. NIST, however, emphasized that it did not forget to address the key risk as the GAO accused, but that its guidelines addressing that risk weren’t ready for publication in 2010. FERC agreed that a more coordinated approach to enforcement may be desirable, but it pointed out that Congress made the adoption of smart grid standards by utilities and manufacturers voluntary, not mandatory.
Although the GAO report makes useful suggestions, some of its generalizations and assumptions may be a bit unfair or premature. For example, despite the overbroad conclusion that consumers are inadequately informed about the benefits, costs and risks of smart grid systems, some smart meter projects have been successfully executed and well-received by informed consumers. Austin Energy in Texas, for example, credits its smart meter success (installing 400,000 residential smart meters with wide customer acceptance) with extensive education and outreach to consumers. Also an innovative smart grid pilot for commercial customers in Charlotte, North Carolina, called “Envision: Charlotte” appears to enjoy the support of informed customers. And since sharing information is a new project that is at the core of Smart Grid, it seems premature to accuse the electric industry for not already having an effective data-sharing mechanism.
Everyone agrees that we need a Smart Grid that is secure. How best to achieve that goal needs further discussion.