A report released on Wednesday by the US Government Accountability Office (GAO) found that the Department of Energy (DOE) has not done enough to protect the electrical grid against increasing cyber attack attempts. The same day, a Senate committee approved legislation intended to bolster DOE’s work on grid security.
This report reveals to government what industry has long known: compliance is not security, and the federal government is limited in both its capacity and its authority to protect America’s electric grids, which are privately owned and operated. Part of the problem is bureaucratic in nature, specifically the ongoing institutional turf battle between DOE and DHS over energy sector cybersecurity. From the private sector’s perspective, the roles and responsibilities of these two agencies remain in limbo.

In addition, the GAO report focuses on the proliferation of IoT devices and their impact on grid security. IoT devices do expand the potential attack surface and lower the barrier to entry for a range of malicious cyber actors. At the same time, they also contribute to a safer, more reliable, and more efficient grid, and they are only going to increase in volume and functionality. The key to mitigating this risk, therefore, is security monitoring: something that is commonplace on nearly every critical IT network but nearly absent on operational technology (OT) networks.