A new inspector general’s report details how, in the Department of Energy’s haste to hand out taxpayer money in the form of stimulus to upgrade the power grid to what is known as a Smart Grid, some firms’ plans were approved even though they lacked certain safeguards against cyber attacks.
“Officials approved cyber security plans for Smart Grid projects even though some of the plans contained shortcomings that could result in poorly implemented controls,” states the report. “We also found that the Department was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training.”
According to the report, 36 percent of the grant applications submitted were lacking one or more elements in their cybersecurity plans. Three out of the five cybersecurity plans reviewed were incomplete, and often didn’t address weaknesses previously identified by the Energy Department.
“We acknowledge that the security plans will evolve as systems are developed and implemented. However, this practice may be problematic in that any existing gaps in a recipient’s security environment could allow system compromise before controls are implemented,” the report states.
“Likewise, approved elements that were not well-defined in the plan could leave the system susceptible to compromise even after the cyber security plan had been fully implemented.”
The IG recommended that the Energy Department ensure that grant recipients have complete cybersecurity plans containing thorough descriptions of potential risks and mitigation strategies.
The Energy Department generally concurred with the report’s recommendations, but noted “that there are currently no federal or state standards or regulations that mandate cyber security processes or practices for electric distribution systems.”
The Senate is expected to take up legislation this week that would establish federal cybersecurity regulations for electric grid providers and other industrial sectors deemed part of the nation’s critical infrastructure.
That Energy Department statement bears repeating: “there are currently no federal or state standards or regulations that mandate cyber security processes or practices for electric distribution systems.”
Since there are no federal or state standards or regulations that mandate cyber security processes or practices for electric distribution systems, maybe, just maybe, the Obama administration should hold off on giving millions of our tax dollars to private companies to build a smart grid that’s vulnerable to cyber attacks?