IG: FERC needs tighter cybersecurity

Federal Energy Regulatory Commission officials need to audit and monitor their systems at regular intervals and better identify significant cybersecurity weaknesses so they can be addressed, according to the Energy Department's inspector general.

In a report released last week on FERC’s unclassified cybersecurity program, Gregory Friedman, DOE’s IG, said the commission, which spends $720,000 annually on protecting its information systems, has generally made “significant strides” in improving the program. Specifically, FERC improved its continuity of operations plan and disaster recovery plans for specific systems and published a manual to ensure information technology systems supported federal mandates.

But Friedman noted several problems, including improperly implemented access controls, configuration management problems and a lack of detail about cybersecurity weaknesses in one of the commission's tracking reports.

“The problems we observed placed the commission at risk of unauthorized access, use, disclosure, modification or disruption of its information, operations and assets,” he wrote in his report.

For example, Friedman wrote that "easily guessed, blank or default passwords existed on a few of the commission's systems." This was contrary to FERC policy, which requires passwords to be unique, difficult to guess and of a minimum length. Commission officials said the vast majority of accounts complied with the policy, noted that the noncompliant passwords were limited to nondomain accounts, and agreed to address the issue, according to the report.
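The report does not say how the auditors found the blank and default passwords, so the following is an added example, not the IG's method or any FERC tooling. It audits local (non-domain) accounts from a shadow-style password file for the three conditions the finding names: a blank password field, a password that matches a list of vendor defaults or common guesses, and a proposed password that would violate a policy of minimum length, complexity and uniqueness across accounts. The account records, the default-password list and the `$demo$` hash scheme are all constructed for this illustration; on a real system you would point `verify` at crypt(3) (or `openssl passwd -6`) so the stored `$6$` hashes are recomputed with their own salt.

```python
"""Audit a shadow-style file for blank, default, or policy-violating passwords.

Added example; not from the IG report or from FERC. All data below is constructed.
"""
import hashlib
import hmac

# Constructed hash scheme used only so the example runs offline. Real /etc/shadow
# entries use crypt(3) schemes such as $6$; swap in
#     verify = lambda pw, stored: crypt.crypt(pw, stored) == stored
# (the crypt module was removed in Python 3.13) or an openssl-based verifier.
def demo_hash(password: str, salt: str) -> str:
    digest = hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()
    return f"$demo${salt}${digest}"


def verify_demo(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    return hmac.compare_digest(demo_hash(password, parts[2]), stored)


# Constructed records in /etc/shadow layout: name:hash:lastchg:min:max:warn:::
SAMPLE_SHADOW = "\n".join([
    f"root:{demo_hash('Tr0ub4dor&3-xyz', 'k9q2')}:19000:0:99999:7:::",
    "svc_backup::19000:0:99999:7:::",                               # blank: no password needed
    f"oracle:{demo_hash('oracle', 'abcd')}:19000:0:99999:7:::",     # vendor default
    "sshd:!:19000:0:99999:7:::",                                    # locked account
    f"admin:{demo_hash('password', 'p4ss')}:19000:0:99999:7:::",    # easily guessed
])

# Constructed wordlist; a real audit would use vendor default lists and breach corpora.
DEFAULT_PASSWORDS = ["password", "admin", "oracle", "changeme", "123456", "welcome1"]


def audit_shadow(text: str, wordlist=DEFAULT_PASSWORDS, verify=verify_demo) -> dict:
    """Return {account: finding} for blank or guessable passwords; locked accounts are skipped."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, hashed = line.split(":")[:2]
        if hashed == "":
            findings[user] = "blank password field: login requires no password"
            continue
        if hashed.startswith(("!", "*")):
            continue  # locked or no-login account: the hash is never usable
        for candidate in wordlist:
            if verify(candidate, hashed):
                findings[user] = f"password matches default/guessable entry {candidate!r}"
                break
    return findings


def check_policy(password: str, shadow_text: str, min_length: int = 12,
                 wordlist=DEFAULT_PASSWORDS, verify=verify_demo) -> list:
    """Return policy violations for a proposed password: length, complexity,
    presence in the default list, and reuse of a password already set on another account."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        violations.append("fewer than 3 character classes")
    if password.lower() in wordlist:
        violations.append("appears in default/common password list")
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hashed = line.split(":")[:2]
        if hashed and not hashed.startswith(("!", "*")) and verify(password, hashed):
            violations.append(f"already in use by account {user}")
    return violations


if __name__ == "__main__":
    for account, finding in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{account}: {finding}")
    print("policy check for 'oracle':", check_policy("oracle", SAMPLE_SHADOW))
```

Run against the constructed file, the audit flags `svc_backup` (blank field), `oracle` (vendor default) and `admin` (guessable) while leaving `root` and the locked `sshd` alone; the same `verify` hook lets the policy check reject a candidate that another account already uses, which is the uniqueness requirement the FERC policy describes.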

The report also noted that several systems were not properly configured and could be exploited. For example, vulnerability scanning revealed outdated software versions with known security vulnerabilities that had not been patched.

“These tests also revealed that improperly configured system servers provided higher-level privileges to users than was necessary for them to perform their duties,” Friedman wrote. “As noted in guidance developed by the National Institute of Standards and Technology, individuals should generally be provided with the least privileged access consistent with their assigned duties to help minimize the risk of unauthorized or malicious use.”

Additionally, Friedman noted that cybersecurity employees did not examine systems at regular intervals to determine whether they were compliant, and that FERC officials had not paid enough attention to potential threats from insiders. When informed of this, officials took "immediate corrective action," according to the report.

Cybersecurity weaknesses were also not easily identifiable in FERC's "Plan of Action and Milestones" (POA&M) report. For example, in January 2004, FERC reported that a major application lacked a comprehensive disaster plan, according to Friedman's report. However, "this weakness was assigned a low risk and was grouped together with other weaknesses into a summary entry" in the POA&M report, Friedman wrote.

FERC officials said identified risks are tracked in the POA&M report and that details of weaknesses could be found either in that report or in other supporting documentation. Although Friedman noted the POA&M report was used appropriately, he wrote that the lack of detail affected entries for all five of the commission's major application systems and for the general support system.

“The omission of details from tracking reports could have affected the commission’s ability to ensure appropriate visibility over these risks,” he wrote.
