“Without a formal risk assessment and associated mitigation strategy, threats and weaknesses may go unidentified and expose the . . . systems to an unacceptable level of risk,” Friedman wrote in an audit released in January.
Energy officials knew of these weaknesses but approved plans for the projects anyway, auditors said: “The initial weaknesses had not always been fully addressed, and did not include a number of security practices commonly recommended for federal government and industry systems.”
Of 99 grants awarded to utilities — ranging from $400,000 to $200 million — 36 recipients did not take all the required security steps to ward off a cyberattack, auditors found. Even though Energy Department officials told the utilities to update their plans, many did not.
The agency got $3.5 billion in the 2009 stimulus package for “smart grid” projects. In recent years, utilities have taken steps to update their transmission and distribution systems with new computer systems that can give customers real-time information about fluctuations in electricity prices and add reliability to the grid. The goals are fewer outages and lower bills for consumers if they use less electricity during times of peak demand.
But the complex computer systems have caused concern about cyberattacks by hackers looking to grab personal information from utility accounts — or even shut down the nation’s power grid.
Energy officials, responding to auditors, pledged to address the weaknesses by bringing in more experts to review the cybersecurity plans and make changes.
In a November letter to the inspector general’s office, Assistant Energy Secretary Patricia Hoffman said that her office wants to “ensure that recipients do not place the power system at risk.”
But she said there are no federal or state standards or regulations that define cybersecurity processes or practices for electricity-distribution systems.
The audit does not reveal the names of the power companies or specify where they ran afoul of security guidelines. But their cybersecurity plans are supposed to show how the companies would prevent, detect and respond to cyberattacks.
Three of the five plans that auditors reviewed were “incomplete” and did not always explain how security controls would be carried out, auditors found. One power company never did a formal assessment of cybersecurity risks; without it, “threats and weaknesses may go unidentified and expose the recipient’s systems to an unacceptable level of risk,” the report says.
Another project was missing a formal assessment of the risks of new technology being used to update the grid, creating a chance that a cyberthreat would go unnoticed.
Auditors blamed the weak cybersecurity on the rush to grant the stimulus money.
“The issues identified were due, in part, to the accelerated planning, development and deployment approach,” auditors wrote.
Another shortcoming: The Energy Department was so focused on giving out money that it did not ensure that its staff had adequate training to oversee the projects.