Monday, February 13, 2012

Federal Grant Recipients Lack Cybersecurity Plans

Cybersecurity plans submitted as part of the U.S. Department of Energy's (DOE) Smart Grid Investment Grant (SGIG) program were, in some cases, incomplete or insufficient, according to an internal investigation. Audits of the SGIG program, performed by the DOE's Office of Audits and Inspections (OAI), were prompted by two reports - the OAI's "Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security" and the U.S. Government Accountability Office's "Electricity Grid Modernization" - that identified weaknesses in cybersecurity guidelines.

In 2009, President Obama announced a $3.4 billion investment through the American Recovery and Reinvestment Act to modernize the nation's grid. A large number of private companies, utilities, manufacturers, cities and other partners received awards to install smart meters, automated substations, and in-home displays that give consumers tools to reduce electricity consumption. Grant recipients were required to submit cybersecurity plans. The OAI contends that a rush to get funds disbursed might have been a factor in the problems. "The issues we found were due, in part, to the accelerated planning, development, and deployment approach adopted by the [DOE] for the SGIG program," the report states. "In particular, the [DOE] had not always ensured that certain elements of the SGIG program were adequately monitored." The OAI report stated that although the DOE has taken positive steps, there is still room for improvement in administering the SGIG program.

Grant recipients were obligated to submit security plans that supported the strategy they outlined in their grant application. Recipients had to describe a minimum set of security elements, such as risk assessment and system security incident response. Approximately 36%, or 36 out of 99 plans, did not include one or more of the required cybersecurity elements, according to the OAI. One grant recipient provided just a summary of its cybersecurity plan, which did not reveal enough detail regarding its risk assessment or mitigation processes. "For instance, the recipient's approach to detecting, preventing and communicating system security incidents was not adequately described," the report states. "In particular, the plan stated that the recipient used monitoring, logging and alerting technologies to detect incidents and exploits, but did not detail how these systems worked in its specific environment. Also, no detail was provided to explain how detected incidents were contained." Another recipient's cybersecurity plan was based on the National Institute of Standards and Technology's guidelines and contained only the minimum requirements. Although this recipient included risks and mitigation strategies in its application, a formal risk assessment had not been performed.

"There was no assurance that the [DOE's] grant monitoring methodology was completely effective," the report says. "Furthermore, officials approved cybersecurity plans for smart grid projects, even though some of the plans contained shortcomings that could result in poorly implemented controls. We also found that the [DOE] was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training." The OAI report recognizes that recipients were given a three-year timeline to implement cybersecurity controls.

"We acknowledge that the security plans will evolve as systems are developed and implemented," the report reads. "However, this practice may be problematic in that any existing gaps in a recipient's security environment could allow system compromise before controls are implemented." The DOE notes that in the absence of federal or state cybersecurity standards and regulations, it required each grant recipient to develop a security plan that was then signed by a corporate officer. Cybersecurity experts at the DOE reviewed the plans, which were then approved by the recipient's technical project officer. The OAI report also acknowledges that there are no cybersecurity standards.

"However, awards were granted to recipients with control over all aspects of the nation's electric grid, to include both transmission and distribution systems," the report states. "Therefore, we believe that the SGIG program provided the [DOE] a unique opportunity to promote strong cybersecurity programs among its recipients - an area which, based on the issues identified during our audit, could have been more thoroughly explored." The OAI report recommends that the assistant secretary at the DOE's Office of Electricity Delivery and Energy Reliability ensure that recipients' cybersecurity plans are complete and include thorough descriptions of risk and related mitigation. The DOE should also train and certify technical project officers so that they can effectively manage grants.