Audit Report: Federal Energy Regulatory Commission's Monitoring of Power Grid Cyber Security
"Congress passed the Energy Policy Act of 2005 (Energy Policy Act), giving the Federal Energy Regulatory Commission (Commission) jurisdiction to conduct oversight of the bulk power system, commonly referred to as the bulk electric system or power grid, including the approval of mandatory cyber security reliability standards. The bulk electric system consists of approximately 1,600 entities operating at 100 kilovolts or higher. The system does not, however, include distribution to end-users, as that function remains under the jurisdiction of state public utility commissions. In July 2006, the Commission, as authorized in the Energy Policy Act, designated the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization (ERO). As the ERO, NERC has the sole authority to propose reliability standards for the power grid to the Commission for approval. […] Security over the Nation's power grid remains a critical area of concern. Recent testimony before Congress disclosed various issues, including the existence of significant vulnerabilities in the power grid's infrastructure and many utilities that were not in compliance with the standards. Because of the importance of its efforts to secure the bulk electric system, we initiated this audit to determine whether the Commission adequately monitored cyber security over the Nation's power grid. […] Although the Commission had taken steps to ensure CIP [Critical Infrastructure Protection] cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner."
Department of Energy, Office of Inspector General, Report No. DOE/IG-0846
Department of Energy, Office of Inspector General: http://energy.gov/ig/