Audit Report, Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security

Citation
U.S. Department of Energy, Office of Inspector General, Audit Report, Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security (Jan. 2011) (full-text).

Overview
This was an audit report of FERC’s monitoring of Smart Grid cybersecurity, with regard to the Commission’s responsibilities under the Energy Policy Act of 2005. The report found that the CIP cybersecurity standards that were developed “did not include a number of security controls commonly recommended for government and industry systems,” and criticized FERC’s oversight of the process for developing these standards, citing a need for FERC to use its existing authority to ensure timely standards development to address emerging security threats.

The report also said that FERC’s implementation approach and schedule for the CIP standards did not adequately consider risks to information systems, since FERC was focusing on documentation of security controls rather than implementation of those controls. FERC was advised to revise its focus to ensure that controls addressing higher threat risks are given priority. The report noted that these problems existed, in part, because the Commission had “only limited authority” to ensure cybersecurity over the bulk electric system, and could not implement its own reliability standards or issue alerts. However, the report went on to conclude that even “when such authority did exist,” FERC did not always act “to ensure that cybersecurity standards were adequate.”