

CRITICAL INFRASTRUCTURE PROTECTION - Agencies Need to Assess Adoption of Cybersecurity Guidance (GAO-22-105103)

Digital Transformation Professional Retired

An Information Security and Risk Management Professional with extensive experience in highly visible positions providing innovative solutions for Digital Transformation, Cloud Security, Privacy...

  • Feb 23, 2022

More guidance for adopting frameworks like NIST.

I would suggest reading the recent GAO report 'GAO-22-105103' in concert with GAO-19-332. Both make certain assertions that are even more significant given the USA's admission of increasing cyber risks, or wait until resources you are responsible for have been compromised, then use these documents to justify the cost of fixing issues.

Your choice.

Matt Chester on Feb 23, 2022

Who are the laggards at this point who aren't taking this seriously, and is it just a lack of understanding or an unwillingness to make these investments? 

Dan Wagner on Feb 24, 2022

Quoting the report:  

"What GAO Found
Federal agencies with a lead role to assist and protect one or more of the nation's 16 critical infrastructures are referred to as sector risk management agencies (SRMAs). The SRMAs for three of the 16 have determined the extent of their sector's adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework). In doing so, lead agencies took actions such as developing sector surveys and conducting technical assessments mapped to framework elements. SRMAs for four sectors have taken initial steps to determine adoption (see figure). However, lead agencies for nine sectors have not taken steps to determine framework adoption."
Again, from the report (GAO-22-105103): "SRMAs for four sectors have taken initial steps to determine adoption (see figure). However, lead agencies for nine sectors have not taken steps to determine framework adoption".
The following is identified in the report by adoption status:
DETERMINED ADOPTION: defense industrial base; government facilities; water and wastewater systems
HAVE TAKEN STEPS TO DETERMINE ADOPTION: energy; food and agriculture; information technology; transportation systems
HAVE NOT TAKEN STEPS TO DETERMINE ADOPTION: chemical; commercial facilities; communications; critical manufacturing; dams; emergency services; financial services; health care and public health; nuclear reactors, materials and waste.

The above are graded in the report as GREEN/YELLOW/RED. Energy is rated yellow for the following reasons indicated in the report on page 38.

The energy sector Had Taken Initial Steps, but Had Not Yet Determined Framework Adoption because of challenges (which were addressed in NERC's 'Assessing and Reducing Risk - NERC Security Working Group').

Challenge 1: Voluntary nature of the framework
Challenge 2: Difficulty in measuring the direct impact of using the framework

Other sectors included the following challenges.

Challenge 3: Developing precise measurements of improvement
Challenge 4: No centralized information sharing mechanism
Challenge 5: Lack of cybersecurity culture and capacity

Specific laggards are pointed out in the report.

Matt Chester on Feb 24, 2022

Thanks for the follow up, Dan!

Audra Drazga on Feb 25, 2022

Dan, thanks for sharing. One of the key topics in the news over the last few days, with the invasion of Ukraine, is whether Russia will start pushing cyberattacks. Are we ready, and is our grid protected?

Dan Wagner on Feb 27, 2022

Compliance with standards, in my opinion, is a low bar when assessing cyber security. Cyber attacks today are capable of taking advantage of up-to-the-minute vulnerabilities, hence I am of the opinion that the grid is vulnerable and requires our daily attention to ensure resilience and recovery capabilities are realistic.

Given the GAO assessments that have recommended improving cyber-security through the use of NIST Frameworks, there are strong suggestions to execute specific improvements required by the energy sector. The same old business focus on 'revenue over risk and controls' is a losing plan. I believe energy industries know what to do; however, many entities have a long way to go, which gives the attackers the upper hand right now (IMHO).
