Audit Report, Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security, DOE/IG-0846, January 2011
“Despite their importance to protecting the power grid, the CIP [Critical Infrastructure Protection] standards did not include a number of security controls commonly recommended for government and industry systems, including both administrative and mission-related systems. For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls. In certain cases, Commission officials noted that the lack of stringent requirements for defining critical assets contributed to significant under reporting of these assets. In addition, while we recognize that there are inherent delays associated with the current regulatory structure, we found that the timeliness of the standards development and approval process was also impacted because the Commission did not take advantage of existing authority. Delays ultimately limited the standards’ usefulness in facilitating responses to emerging threats. Without increased efficiency in this area, the Commission and the entities under its purview may not be able to develop and implement future standards in a timely manner to address emerging security threats.”