As noted in Spectrum's Energywise blog last year, cyber attacks against electric grids have been sharply rising, which makes the latest news from Inspector General of the US Department of Energy a bit worrisome (especially when combined with the findings of other recent cyber security reports).
Late last month, the Inspector General released an audit report of the Energy Department's smart grid investment grant program (pdf). The audit found that in the Department's rush to push $3.5 billion in smart grid stimulus grant money out to US utilities, they didn't do such a good job of ensuring that effective cyber security controls were in place. As a result, smart grids may now be vulnerable to cyber attacks, according to a Washington Post story.
Grant recipients were supposed to have developed cyber security plans that, at a minimum, were to "describe the recipients' approaches to detecting, preventing, and communicating with regard to, responding to, and recovering from system security incidents. Further, cyber security plans were required to contain detailed descriptions of the recipients' risk assessment processes, risk mitigation strategies, and other elements of their cyber security programs."
However, the audit found that of five grant recipients it sampled, the cyber security plans from three were "incomplete, and did not always sufficiently describe security controls and how they were implemented." One of the plans they looked at "provided only a summary description of its cyber security processes." The problem wasn't limited to a few bad apples; an Energy Department review "revealed that 36 of 99 cyber security approaches submitted as part of the grant application lacked one or more required elements."
Even worse, government officials approved cyber security plans for smart grid projects even with these known weaknesses present. According to the report, the Energy Department "was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training." That's a polite way of saying that many of the Energy Department folks who approved the smart grid stimulus grants had no business doing so.
The Inspector General also indicated another reason for the low priority of cyber security. Apparently, the Energy Department's smart grid grant recipients "were given the 3-year duration of the award to implement agreed-upon cyber security controls." He went on to say:
"We acknowledge that the security plans will evolve as systems are developed and implemented. However, this practice may be problematic in that any existing gaps in a recipient's security environment could allow system compromise before controls are implemented. Likewise, approved elements that were not well defined in the plan could leave the system susceptible to compromise even after the cyber security plan had been fully implemented. For example, without a well-defined risk management process, potential risks may go unidentified and related mitigating controls may not be implemented."
The Energy Department is now addressing the risk by "requiring that Technical Project Officers (TPO) and subject matter experts review the cyber security posture and recommend updates to cyber security policies when they perform their annual site visits to grant recipients."
That makes me feel so much better.
The audit didn't specify if there will be penalties for utilities that don't implement effective cyber security. Will they have to pay back the grant?
It's worth noting that short-changing cyber security in a sprint to spend government money has also happened with electronic health records (pdf). Maybe someday the government will learn that you can't shoehorn security into an IT system after it has been deployed.