Washington, Feb. 4 (ANI): America's power grid remains vulnerable to a cyber attack, a result of sluggish implementation of weak computer security standards and insufficient federal oversight, says a tough new report from the US Department of Energy Inspector General.
According to the North American Electric Reliability Corp. (NERC), the lead grid-reliability organization for the power industry, power companies were to have fully implemented the "critical infrastructure protection" (CIP) cyber security standards a year ago, but the standards still aren't doing an effective job, the inspector general's audit found.
"Our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems," including tough password and log-in protections, the report said.
The plodding implementation is "not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner," the Christian Science Monitor (CSM) quotes the report as saying.
Among its other findings are the following:
The new CIP standards set weaker requirements for password and log-in protections than is common for other types of critical infrastructure.
The Federal Energy Regulatory Commission (FERC), which approved the security standards that NERC developed, is partly to blame. The commission ultimately "did not have authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities," the report said. In instances where FERC did have authority to strengthen CIP standards, "the commission had not always acted to ensure that cyber security standards were adequate."
The standards don't "clearly define what constituted a critical asset or critical cyber asset," the report found. Instead, utilities "were permitted to use their discretion when identifying critical assets and critical cyber assets...."
As a result, "if an entity determined that no critical assets or critical cyber assets existed, it was exempt from the remaining original CIP standards," the report said.
How to define "critical infrastructure" is a big part of the problem. "Lack of stringent requirements for defining critical assets contributed to a significant underreporting of these assets," the IG found. Both the federal commission and NERC officials said power companies had probably undercounted their critical assets and associated critical cyber assets.
"Much of the problem stems from ... lack of definition," says Michael Assante, former chief security officer for NERC.
He added: "The concepts of what need to be protected have not been firmly established."
Given the advent of cyberweapons that can destroy computer-controlled critical infrastructure, such as the Stuxnet worm that was aimed at Iran's nuclear facilities, the IG's report correctly identifies the issues that must be addressed to improve grid security, say grid cyber security experts. (ANI)