Smart grid cybersecurity standards still lacking, says GAO
Key cybersecurity standards for the smart grid are as yet undeveloped, but even so, split authority over the nation's electrical grid will make uniform regulation difficult, says a Government Accountability Office report.
The report, dated Jan. 12, finds that while the National Institute of Standards and Technology has developed five key standards for smart grid cybersecurity, it has left unaddressed how to deal with several risks, including a combined cyber and physical attack. Also unaddressed are design issues, such as managing supply chain vulnerabilities, cryptography issues, and synchrophasor security--synchrophasor systems being high-speed monitors of grid voltage, current and frequency.
NIST officials told GAO report authors they intend to update smart grid cybersecurity guidelines to address such issues, and that they didn't do so already so as not to miss a previous June 2010 deadline for issuing the first set of guidelines by very much.
The five standards that NIST did come up with in August 2010 are under review by the Federal Energy Regulatory Commission, but FERC staff told GAO auditors they're uncertain when an initial set of standards might be adopted.
FERC officials also pointed out that while they have legislative authority for adopting smart grid standards, they don't have power to specifically enforce them. FERC could require utilities subject to its regulation to use standards-based smart grid devices as a condition of allowing the utilities to recover the costs of smart grid investments, but when it comes to the bulk power system, FERC depends on the North American Electric Reliability Corporation, a non-governmental organization, to adopt and enforce standards affecting grid reliability.
But FERC can't force NERC to adopt standards, and without NERC, FERC is powerless to act here, FERC officials told GAO auditors, the report says. Were FERC to turn to NERC to adopt cybersecurity standards under the reliability rubric, it's possible that NERC, which consults heavily with industry, would choose a voluntary adoption path, FERC officials added.
The electrical industry has historically been guided by voluntary standards, but some stakeholders whom report authors interviewed said gaps could nonetheless emerge with smart grid cybersecurity, particularly if the standards are expensive to implement.
In any case, FERC's authority is generally limited to the transmission system, meaning that states and other regulatory bodies with authority over the distribution system will play a key role in overseeing the extent to which cybersecurity standards are followed, says the report. Such regulatory bodies run to the thousands, the report adds.
Energy system stakeholders told report authors that the problem of determining who exactly has authority over what could be compounded by the nature of the smart grid. Smart meters, for example, deployed on parts of the grid traditionally subject to state jurisdiction could, in the aggregate, have an impact on reliability, which is a NERC and FERC (i.e., a federal) responsibility.
For more:
- download the report, GAO-11-117 (.pdf)