It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
The official government cybersecurity standards for the electric power grid fall far short of even the most basic security standards observed by noncritical industries, according to a new audit.
The standards have also been implemented spottily and in illogical ways, concludes a Jan. 26 report from the Department of Energy’s inspector general (.pdf). And even if the standards had been implemented properly, they “were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”
At issue is how well the Federal Energy Regulatory Commission, or FERC, has performed in developing standards for securing the power grid, and ensuring that the industry complies with those standards. Congress gave FERC jurisdiction in 2005 over the security of producers of bulk electricity — that is, the approximately 1,600 entities across the country that operate at 100 kilovolts or higher. In 2006, FERC then assigned the North American Electric Reliability Corporation (NERC), an industry group, the job of developing the standards.
The result, according to the report, is deeply flawed.
The standards, for example, fail to call for secure access controls — such as requiring strong administrative passwords that are changed frequently. or placing limits on the number of unsuccessful login attempts before an account is locked. The latter is a security issue that even Twitter was compelled to address after a hacker gained administrative access to its system using a password cracker.