NIST Readies Grid Physical-Cyber Security Plan
GAO: Existing Guidance Lacks Physical Security Component
In August, NIST - part of the Commerce Department - issued the first version of its smart grid cybersecurity guidelines, and a Government Accountability Office audit released Wednesday credited NIST for largely addressing key cybersecurity elements in its guidelines, such as an assessment of the cybersecurity risks associated with smart grid systems and the identification of security requirements such as controls that are essential to securing such systems.
But GAO said in the 50-page report (see Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed) that the guidelines failed to address the risk of a combined physical security-cybersecurity attack. NIST also identified other key elements, such as cryptography and supply chain vulnerabilities, that need to be added to the guidance.
"Until the missing elements are addressed," the GAO audit said, "there is an increased risk that smart grid implementations will not be secure as otherwise possible."
Commerce Secretary Gary Locke, in a written response, said he generally agreed with the GAO's findings, adding that such physical-cyber guidance is being developed.