IG: FERC needs tighter cybersecurity

Federal Energy Regulatory Commission officials need to audit and monitor their systems at regular periods and better identify significant cybersecurity weaknesses to address them, according to the Energy Department’s inspector general.

In a report released last week on FERC’s unclassified cybersecurity program, Gregory Friedman, DOE’s IG, said the commission, which spends $720,000 annually on protecting its information systems, has generally made “significant strides” in improving the program. Specifically, FERC improved its continuity of operations plan and disaster recovery plans for specific systems and published a manual to ensure information technology systems supported federal mandates.

But Friedman noted several problems including improperly implemented access controls, configuration management problems and lack of detail about cybersecurity weaknesses in one of the commission’s tracking reports.

“The problems we observed placed the commission at risk of unauthorized access, use, disclosure, modification or disruption of its information, operations and assets,” he wrote in his report.

For example, Friedman wrote that “easily guessed, blank or default passwords existed on a few of the commission's systems.” This was contrary to FERC policy that indicated passwords must be unique, difficult and a minimum length. Commission officials said the vast majority of accounts were compliant with policy, but they agreed the scope of the noncompliant passwords was limited to nondomain accounts and would address the issue, according to the report.

The report also noted several systems were not properly configured and could be exploited. For example, vulnerability scanning revealed outdated versions of software with known security vulnerabilities that were not properly updated.

“These tests also revealed that improperly configured system servers provided higher-level privileges to users than was necessary for them to perform their duties,” Friedman wrote. “As noted in guidance developed by the National Institute of Standards and Technology, individuals should generally be provided with the least privileged access consistent with their assigned duties to help minimize the risk of unauthorized or malicious use.”

Additionally, Friedman noted cybersecurity employees didn’t examine systems at regular intervals to determine whether they were compliant, and FERC officials have not paid enough attention to potential threats from insiders. When informed about this, officials took “immediate corrective action,” according to the report.

Furthermore, cybersecurity weaknesses were also not easily identifiable in FERC’s “Plan of Action and Milestones” (POA&M) report. For example, in January 2004, FERC reported a major application lacked a comprehensive disaster plan, according to Friedman’s report. However, “this weakness was assigned a low risk and was grouped together with other weaknesses into a summary entry” in the POA&M report, Freidman wrote.

FERC officials said identified risks are tracked in the POA&M report and details of weaknesses could be in that report or in other supporting documentation. Although Friedman noted the POA&M report was used appropriately, he wrote the lack of detail involved problems with all five of the commission’s major application systems and the general support system.

“The omission of details from tracking reports could have affected the commission’s ability to ensure appropriate visibility over these risks,” he wrote.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.