US Govt probes infosec gaps in power grid

The US Energy and Homeland Security departments will team up to assess information security weakness in the nation's power grid.

The Electric Sector Cybersecurity Risk Management Maturity project is a federal program to find and contain gaps in the cyber security defenses protecting the nation's electric grid.

The program originated from a proposal from the White House.

Establishing a comprehensive cyber security approach will give utility companies and grid operators another important tool to improve the grid's ability to respond to cybersecurity risks,” Energy Secretary Steven Chu said.

The US-based National Electric Sector Cybersecurity Organisation CEO, Patrick Miller, said the Department of Energy (DOE) is the right choice to assess how the grid will behave, should there be an attack.

But the major issue asset owners still face is whom to contact for response when an attack occurs.

The DOE has limited regulatory authority and is more focused on research, he says.

Currently, the Federal Energy Regulatory Commission oversees the majority of system security standards, while the Department of Homeland Security (DHS), DOE and National Security Agency also have oversight responsibilities.

In addition to the federal agencies with enforcement and reporting responsibilities, Miller said states also exert cyber security responsibility over infrastructure operations, including the power grid.

Fusion centers, facilities funded by the DHS and manned by both state and federal emergency response officials but ultimately managed by the states, also have jurisdiction if attacks are made on infrastructure assets, he said.

Miller said the DOE initiative is a good first or second step in determining how to protect the power grid, but a critical issue that has yet to be addressed is response.

“If an (infrastructure) owner is under attack, who do you call?” he said.

The DOE plans to hold a series of workshops with the private sector representatives over the coming months to draft the maturity model.

More than a dozen electric utilities and grid operators are expected to participate in the pilot project, the DOE said.

The announcement follows the release of a report from the Massachusetts Institute of Technology that suggests that the US power grid could not be fully protected from cyber attacks and recommended that a single federal agency be put in charge for all cyber security.

This article originally appeared at scmagazineus.com