The U.S. government should give a single federal agency responsibility for cyber security preparedness, response and recovery across the electricity sector, researchers at the Massachusetts Institute of Technology (MIT) recommended in a new report.
While a number of entities have a stake in maintaining the cyber security of the U.S. power grid, no single organization is currently responsible for overseeing security across all aspects of grid operations, according to the report, released Monday. For example, while bulk power systems must comply with reliability standards issued by the North American Electric Reliability Corp. (NERC), there is no oversight of compliance for the distribution system, or the portion of the electric power system that carries power to consumers.
“This lack of a single operational entity with responsibility for grid cyber security preparedness, as well as response and recovery, creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission and distribution,” the report states.
The researchers said they “do not feel qualified” to recommend which agency should take responsibility for overseeing cyber security, but noted that the U.S. Homeland Security and Energy departments, and the Federal Energy Regulatory Commission, which oversees the development of bulk power system security standards, are all options. A White House legislative proposal, issued in May, would make the DHS responsible for working with industry to enhance critical infrastructure security.
The MIT report's authors said it would be impossible to fully protect the grid from cyber attacks, and even compliance with cyber security standards will not necessarily make the grid completely secure.
Plus, the cost will be high. Making a business case for investing in security is difficult since the probability of a serious event is low and the implications are difficult to quantify.
Ultimately, however, as cyber threats rapidly evolve, the government and industry must find a way to improve the electric grid's resilience to attacks, while balancing cost, the researchers said.