In an effort to jumpstart a struggling domestic economy and modernize the national infrastructure, the American Recovery and Reinvestment Act (ARRA) allocated $3.5 billion to the Department of Energy (DOE) to fund smart grid initiatives. But in the rush to approve contractor bids and commence operations, a new report suggests that cybersecurity considerations may have been overlooked along the way.
According to a recent audit from the DOE's Office of Inspector General (OIG), the department used its ARRA grants to fund 99 contracts worth between $397,000 and $200 million. These investments were viewed as a crucial means of bolstering grid reliability and decreasing overall energy-consumption rates with the assistance of technological innovations. On the heels of separate government agency audits exposing energy grid data security vulnerabilities, each contractor was required to outline its defense strategies within its original proposal.
However, the latest OIG audit revealed that policy did not always align with practice in the review and authorization of contract proposals. In a random assessment of five cybersecurity plans provided by grantees, three were found to be incomplete. Regulators pointed to insufficient explanation of which security controls would be used and how they would be implemented.
Upon further investigation, auditors learned that 36 of the 99 accepted proposals lacked one or more of the baseline requirements, such as data security risk assessments and incident response protocols. These discrepancies were, in part, attributed to the Energy Department's "accelerated planning, development and deployment" approach that often lacked proper monitoring precautions.
"Officials approved cybersecurity plans for smart grid projects even though some of the plans contained shortcomings that could result in poorly implemented controls," report authors explained. "We also found that the department was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training."
Patricia Hoffman, head of the DOE's Office of Electricity Delivery and Energy Reliability, responded to these findings in an interview with InfoSecurity. The DOE official defended her team's review process and asserted that the current lack of federal and state standards defining cybersecurity practices of smart grid applications may be to blame for unexpected shortcomings.
"The intent of the [department's] requirement for recipients to develop [cybersecurity plans] is to document cybersecurity methodologies and approaches in sufficient detail to understand the overall approach but retain flexibility to meet the unique aspects of each project," she explained in the interview.
Regardless of the source, officials suggested that the fundamental goals of the smart grid initiative could be compromised if data security loopholes are left unaddressed. To bring operations back on track, a number of concrete recommendations were included in the report.
First, the OIG called for retroactive completion of all grantees' cybersecurity plans. Baseline requirements, such as detailed descriptions of potential threats and associated resolution strategies, should also be tailored to each project's specific scope and function. Once contractor plans have been reviewed and operations allowed to continue, auditors recommend that DOE officials implement a revised monitoring framework.
To keep projects on schedule and under budget, auditors suggested that special attention be paid to cost reimbursement strategies. Several observed cases included discrepancies between the expense reports submitted by contractors and the figures outlined in the terms of original agreements. Auditors recommended a standardized method of calculating indirect costs that could be agreed upon by all parties.
Finally, the report called for more thorough and comprehensive training of technical project officers tasked with managing each grant. By understanding both the technology underlying the smart grid improvements and administrative frameworks in which they would be completed, the initiative stands a much greater chance of accomplishing data security and energy-efficiency goals in the most cost-effective method possible.
Security News from SimplySecurity.com by Trend Micro