The MIT Report on the Electric Grid: Control Systems Were Not Adequately Addressed

Dec. 12, 2011
MIT issued the report, "The Future of the Electric Grid – An Interdisciplinary MIT Study." Chapter 9 is "Data Communications, Cybersecurity, and Information Privacy." According to the report, the U.S. should implement standards to reduce the risk of cyber attacks on the electricity grid and should designate one agency responsible for overseeing grid cybersecurity. I had an opportunity to both read Chapter 9 and discuss the section with the author Jerrold Gorchow.
The MIT report draws heavily from the NISTR on smart grid cybersecurity. The MIT report makes some inappropriate assumptions about the cybersecurity of the electric grid:

- The NISTR does not adequately address CONTROL SYSTEM cybersecurity. Its focus is smart meters.
- Power plants are excluded. How can you have a grid without power plants?
- The report focuses on the electric industry to the exclusion of all other industries, even though other industries use the same control systems with the same vulnerabilities. Stuxnet demonstrated how all industries can be at risk from a generic control system cyber vulnerability.
- It assumes control system cybersecurity forensics exist. They do not.
- It assumes that the NERC CIPs are technically adequate to address the cybersecurity of the electric grid. They are not.
- It identifies the problem of multiple government organizations being involved, but makes no recommendation as to which should be the lead.
- It states the grid is not in any imminent danger from cyber threats. It ignores the number of control system cyber incidents that have ALREADY affected the electric grid and the multiplicity of control system Metasploit tools currently available on the web for free.

Chapter 9 should be revised to adequately address control systems and provide a specific recommendation as to which government organization should be responsible for the cybersecurity of the electric grid. My recommendation would be FERC.

Joe Weiss