Electricity Grid Moderization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed

United States Government Accountability Office (GAO) Report to Congressional Requesters, 2011
What GAO Found

NIST has developed, and issued in August 2010, a first version of its smart grid cybersecurity guidelines. The agency developed the guidelines—for entities such as electric companies involved in implementing smart grid systems—to provide guidance on how to securely implement such systems. In doing this, NIST largely addressed key cybersecurity elements that it had planned to include in the guidelines, such as an assessment of the cybersecurity risks associated with smart grid systems and the identification of security requirements (i.e., controls) essential to securing such systems. This notwithstanding, NIST did not address an important element essential to securing smart grid systems that it had planned to include—addressing the risk of attacks that use both cyber and physical means. NIST also identified other key elements that surfaced during its development of the guidelines that need to be addressed in future guideline updates. NIST officials said that they intend to update the guidelines to address the missing elements, and have drafted a plan to do so. While a positive step, the plan and schedule are still in draft form. Until the missing elements are addressed, there is an increased risk that smart grid implementations will not be secure as otherwise possible.