[UPDATE 6/9/2023: I concur with the Cyberspace Solarium report issued June 7, 2023 that NERC's E-ISAC has been an impediment to information sharing.]
I've been advocating for changes to cybersecurity policies and practices to protect the entire electric grid, and this report from the GAO echoes my beliefs. We cannot win the cybersecurity war against hackers AND protect the entire electric grid without putting our best cybersecurity players on the field. That means NIST, CISA and the DOE working collaboratively with critical infrastructure operators to implement best cybersecurity practices (the CISA CPGs) and to share timely information based on methodical analytic methods, such as DOE's ETAC. That's what it takes to win AND secure the ENTIRE electric grid.
FERC and the DOE could address cybersecurity risks across the entire electric grid by relieving NERC of its cybersecurity responsibilities, allowing it to focus on what it does best: system planning and operational standards for grid reliability. This would have multiple benefits:
- Relieve the burden that NERC CIP imposes on FERC-jurisdictional entities today, with little if any loss in cybersecurity protections.
- Remove the barrier, known as the "Doctrine of Auditor Independence," that prevents NERC regional entities from assisting utilities and grid operators with cybersecurity best practices; the IESO Lighthouse program is an example of the cooperation and collaboration that would be possible once this barrier is removed.
- Save electricity consumers the $38 million now allocated to cybersecurity within NERC.
- Cover the entire electric grid with modern cybersecurity best practices defined by NIST, our Nation's cybersecurity experts, and DHS CISA. Did you know that NERC CIP does not require MFA on all admin/privileged user logins, even though CISA considers MFA a best practice and recommends it to prevent unauthorized access to privileged accounts? NERC CIP only requires MFA on interactive remote sessions, not on every admin/privileged login, as best practice calls for. On this point NERC CIP falls short of the current cybersecurity best practices recommended by NIST and CISA.
- Enable greater alignment with state-based cybersecurity resources, such as MS-ISAC.
- Enable DOE's national labs to assist grid operators with cybersecurity practices, such as C2M2 and the NIST CSF.
- Remove the competition for limited cybersecurity skills and expertise that E-ISAC represents, making these scarce, skilled resources available to CISA and NIST for application across all critical infrastructure.
- Streamline cyber incident reporting to CISA following CIRCIA.
- Enable the NERC regional entities to collaborate with state and federal entities working on baseline cybersecurity practices across all critical infrastructure. This would align baseline cybersecurity practices across critical infrastructure operators that are interdependent; for example, many critical functions depend on reliable electricity, and electric grid operators rely heavily on the communications critical infrastructure. A common set of baseline cybersecurity practices would ensure that each sector is applying the best practices recommended by our Nation's cybersecurity experts at NIST and DHS CISA.
The GAO report describes the situation clearly and accurately, especially now that more generating resources are being deployed on the distribution grid:
In 2019, we recommended that FERC consider adopting changes to its approved standards to more fully address federal guidance and evaluate the potential risks of a coordinated attack. These recommendations have not been implemented yet, leaving the grid vulnerable.
Finally, in March 2021, we found that the federal government does not have a good understanding of the scale of the potential impacts from attacks facing the component of the grid that is generally not subject to FERC’s standards: distribution systems. After identifying this vulnerability, we recommended the Department of Energy (DOE)—in coordination with the Department of Homeland Security, state, and industry partners—address risks to the distribution systems.