DOE Power Grid Cyber-Security Audit Highlights Challenges of Risk-Based Security
The DOE's recent audit of power grid security contends that many power plants are slacking when it comes to identifying critical assets, underscoring a key challenge facing risk-based security approaches.

A recent audit from the office of the U.S. Department of Energy's Inspector General painted a not-so-rosy picture of efforts to secure the nation's power grid. But it also highlighted something of a conundrum in the world of compliance: how to take a truly risk-based approach when organizations have an incentive to underreport risk.

Inside the report (PDF), the department states its audit, which was conducted between October 2009 and November 2010, found existing CIP (critical infrastructure protection) standards do not always include controls commonly recommended for protecting critical information systems. But another problem was much more basic: the standards did not include a clear definition of what constitutes a critical asset.
"When outlining what attributes should be considered when proposing reliability standards, the (Federal Energy Regulatory Commission) noted in Order 672...that CIP reliability standards should be clear and unambiguous regarding what is required and who is required to comply," the report states. "The Commission noted that such clarity was necessary because users, owners and operators of the bulk electric system must know what they are required to do to maintain reliability. Despite this guidance, both Commission and NERC (Nuclear Energy Regulatory Commission) officials stated that they believed entities were under-reporting the number of critical assets and associated critical cyber assets."