A multibillion-dollar stimulus push to modernize the nation's power grid is raising cybersecurity concerns, as the Department of Energy's official watchdog reports that dozens of grant recipients came to the table with inadequate security plans.
The finding comes amid new warnings about cybersecurity threats and a rash of international cyberattacks.
The program in question, the Energy Department's Smart Grid Investment Grant (SGIG) program, received a $3.5 billion infusion in the 2009 stimulus package. That money was awarded to 99 recipients, with individual grants ranging up to $200 million.
In a January report, the inspector general for the Energy Department found "shortcomings" in those recipients' cybersecurity plans.
Though the projects are still being developed, the report noted that "existing gaps ... could allow system compromise before controls are implemented."
In one instance, the report said an unnamed recipient had never conducted a "formal risk assessment" -- without which, "threats and weaknesses may go unidentified and expose the recipient's systems to an unacceptable level of risk."
The IG report said 36 of the 99 cybersecurity plans were "lacking" in at least one area. Though the Energy Department told the recipients to update their plans, the report found "the initial weaknesses had not always been addressed."
The report did not detail where exactly each company ran afoul of the guidelines, but said the cybersecurity plans are supposed to show how the recipients would prevent, detect and respond to security problems. The inspector general's office found three of the five cybersecurity plans it reviewed were "incomplete" and did not always explain how their security controls would be carried out.
The office blamed that and other concerns in part on the rush to implement the program.
"The issues we found were due, in part, to the accelerated planning, development, and deployment approach adopted by the Department for the SGIG program," the report said. "We also found that the Department was so focused on quickly disbursing Recovery Act funds that it had not ensured personnel received adequate grants management training."
The Energy Department has vowed to address the problem, in part by having experts review the cyber plans and recommend changes after making annual site visits.
In a November letter to the inspector general's office, Energy Assistant Secretary Patricia Hoffman said the grid office wants to "ensure that recipients do not place the power system at risk."
She said the office would make sure cybersecurity plans "are complete and are being implemented properly," and said grant recipients will be required to update their plans no later than April 30.