In this report, GAO found that NIST had largely addressed “key cybersecurity elements,” such as the cybersecurity risks of Smart Grid systems, and had identified security controls essential to such systems. GAO also found that NIST had not addressed the risks of attacks on Smart Grid systems that use both cyber and physical means. GAO recommended that NIST finalize its plan and schedule for updating its cybersecurity guidelines to include these elements.
GAO also pointed out that while the EISA had given FERC authority to adopt Smart Grid standards, it did not give FERC specific enforcement authority over the implementation of those standards. GAO recognized that a regulatory divide exists between federal, state, and local entities on various aspects of Smart Grid interoperability and cybersecurity. Accordingly, GAO stated that such standards will remain voluntary unless regulators use other authorities to enforce standards compliance. GAO recommended that FERC develop a coordinated approach (with other regulatory jurisdictions) to monitor voluntary standards and address any gaps in compliance.