The electric grid's "reliance on IT systems and networks exposes it to potential and known cybersecurity vulnerabilities, which could be exploited by attackers," Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office, said Tuesday in testimony to the U.S. Senate Committee on Energy and Natural Resources, according to a report.
The use of IT in the power grid can provide many benefits, such as greater efficiency and lower costs to consumers, but it also introduces new security risks, Wilshusen said. Industrial control systems that were originally designed to operate in isolation are increasingly being connected to the internet and IT networks, making them more vulnerable.
Embedded systems security has a "checkered history," Hugh Thompson, program committee chairman for the RSA Conference, told SCMagazine.com on Wednesday.
Even though industrial control systems were not designed to be online, decisions to move them in that direction were made in the context of productivity, scalability, and efficiency, Thompson said. But the security implications were not clear until they were examined holistically.
To improve power grid security, the North American Electric Reliability Corp. (NERC) has adopted mandatory cybersecurity standards. However, to date, there is no system in place to monitor or enforce compliance with the standards, Wilshusen said.
He said there was a "bifurcation of responsibility," but no one had clear oversight. The federal government has standards covering the systems used for generating and transmitting power, but state laws generally regulate local operations and actual delivery to customers.
There is a "lack of a coordinated approach to monitor whether industry follows voluntary standards," he said.
The electricity industry also lacks an effective mechanism for collaborating on threat information, Wilshusen said. The government must share data and defense intelligence with the private sector, but the operators themselves also have to report when there is an incident, he said.
Operators are often reluctant to publicize breaches and attacks because they are worried about loss of reputation or being held liable, Wilshusen said. Recipients in an information sharing framework have to be clearly defined, and the information must be anonymized in such a manner as to protect the organization.