The Washington Post

Power grid updates left system vulnerable to cyberattacks, auditors say

A rush by the Energy Department to use stimulus money to modernize the country’s power grid has left the system vulnerable to cyberattacks, the agency’s internal watchdog found.

Inspector General Gregory H. Friedman found “shortcomings” in the cybersecurity plans of more than a third of the utility companies that got federal funding for “smart grid” projects — from incomplete strategies to prevent an attack to vague steps for stopping one if it started.

“Without a formal risk assessment and associated mitigation strategy, threats and weaknesses may go unidentified and expose the . . . systems to an unacceptable level of risk,” Friedman wrote in an audit released in January.

Energy officials knew of these weaknesses but approved plans for the projects anyway, auditors said: “The initial weaknesses had not always been fully addressed, and did not include a number of security practices commonly recommended for federal government and industry systems.”

Of 99 grants awarded to utilities — ranging from $400,000 to $200 million — 36 recipients did not take all the required security steps to ward off a cyberattack, auditors found. Even though Energy Department officials told the utilities to update their plans, many did not.

The agency got $3.5 billion in the 2009 stimulus package for “smart grid” projects. In recent years, utilities have taken steps to update their transmission and distribution systems with new computer systems that can give customers real-time information about fluctuation in electricity prices and add reliability to the grid. The goals are fewer outages and lower bills for consumers if they use less electricity during times of peak demand.

But the complex computer systems have caused concern about cyberattacks by hackers looking to grab personal information from utility accounts — or even shut down the nation’s power grid.

Energy officials, responding to auditors, pledged to address the weaknesses by bringing in more experts to review the cybersecurity plans and make changes.

In a November letter to the inspector general’s office, Assistant Energy Secretary Patricia Hoffman said that her office wants to “ensure that recipients do not place the power system at risk.”

But she said there are no federal or state standards or regulations that define cybersecurity processes or practices for electricity-distribution systems.

The audit does not reveal the names of the power companies or specify where they ran afoul of security guidelines. But their cybersecurity plans are supposed to show how the companies would prevent, detect and respond to cyberattacks.

Three of the five plans that auditors reviewed were “incomplete” and did not always explain how security controls would be carried out, auditors found. One power company never did a formal assessment of cybersecurity risks; without it, “threats and weaknesses may go unidentified and expose the recipient’s systems to an unacceptable level of risk,” the report says.

Another project was missing a formal assessment of the risks of new technology being used to update the grid, creating a chance that a cyberthreat would go unnoticed.

Auditors blamed the weak cybersecurity on the rush to grant the stimulus money.

“The issues identified were due, in part, to the accelerated planning, development and deployment approach,” auditors wrote.

Another shortcoming: The Energy Department was so focused on giving out money, it did not ensure that its staff had adequate training to oversee the projects.

Lisa Rein covers the federal workforce and issues that concern the management of government.
