Security Lapses at Electricity Supplier

Wednesday, April 4, 2012 @ 02:04 PM gHale


There are serious cyber security gaps at the Bonneville Power Administration, which supplies wholesale electric power to regional utilities in the Pacific Northwest, Department of Energy (DoE) officials said.

An audit found Bonneville had not implemented controls designed to address known IT system vulnerabilities, said the DoE’s Office of the Inspector General (OIG).

RELATED STORIES
Secure Grid from Turbine to Toaster
Utility Cyber Security Trends
Study: Integrated Need for Security
Grid Ripe for Cyber Attacks

“Specifically, technical vulnerability scanning conducted on nine applications used to support business functions such as financial management, human resources and security management identified a significant number of high-risk weaknesses in the areas of access controls, patch management and validation of user input”, the audit said.

In addition, OIG testing of five operational security control systems identified issues with configuration management, access controls, and contingency and security planning.

IT system development efforts have suffered from cost, scope, and schedule overruns due to weaknesses in project planning and management.

“For example, we noted that one project was completed more than 16 months behind schedule and approximately $7 million over the initial budget at the time the development effort was approved, even though the scope of the effort had been significantly reduced”, the report noted.

Bonneville did not procure its IT software in a coordinated manner, resulting in increased security risks.

“Without improvements, Bonneville’s systems and information may be exposed to a higher than necessary level of risk of compromise, loss, modification and nonavailability. Many of the security weaknesses we identified could allow an individual with malicious intent, particularly an insider, to compromise systems and obtain unauthorized access to potentially sensitive information”, the OIG warned.

The Bonneville Power Administration said the OIG’s report contained a number of “erroneous assertions.” Officials said its information security program “follows a continuous improvement process and uses the agency’s balanced scorecard to measure progress.”



Leave a Reply

You must be logged in to post a comment.