IG: FERC needs tighter cybersecurity

Agency has made "significant strides," but weaknesses in access controls and other areas remain.

Federal Energy Regulatory Commission officials need to audit and monitor their systems at regular intervals and better identify significant cybersecurity weaknesses in order to address them, according to the Energy Department’s inspector general.

In a report released last week on FERC’s unclassified cybersecurity program, Gregory Friedman, DOE’s IG, said the commission, which spends $720,000 annually on protecting its information systems, has generally made “significant strides” in improving the program. Specifically, FERC improved its continuity of operations plan and disaster recovery plans for specific systems and published a manual to ensure information technology systems supported federal mandates.

But Friedman noted several problems including improperly implemented access controls, configuration management problems and lack of detail about cybersecurity weaknesses in one of the commission’s tracking reports.

“The problems we observed placed the commission at risk of unauthorized access, use, disclosure, modification or disruption of its information, operations and assets,” he wrote in his report.

For example, Friedman wrote that “easily guessed, blank or default passwords existed on a few of the commission's systems.” This was contrary to FERC policy, which required passwords to be unique, difficult and of a minimum length. Commission officials said the vast majority of accounts complied with the policy, that the noncompliant passwords were limited to nondomain accounts, and that they would address the issue, according to the report.
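The kind of check behind that finding, written out as an added example (it is not code from the IG report, FERC or DOE): a validator that enforces the policy the report describes at password-set time, and a separate audit that runs over an export of password digests, flagging blank, default and reused credentials without recovering any password. The minimum length, the character-class requirement, the default-password list and the sample export are all constructed assumptions; the report gives no specific values.

```python
"""Password-policy compliance check for local (non-domain) accounts.

Added example, not from the IG report or FERC. It models the policy the
article describes: passwords must be unique, difficult and of a minimum
length, and must not be blank or a vendor default. All values below are
constructed sample data.
"""
import hashlib
import string
from collections import Counter

MIN_LENGTH = 12          # assumed policy value; the report gives no number
MIN_CHAR_CLASSES = 3     # assumed: lower, upper, digit, punctuation

# Constructed stand-in for a vendor-default / commonly guessed list.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome1", "12345678"}


def check_password(pw: str) -> list:
    """Validate one candidate password against the policy.

    Returns the list of violations; an empty list means compliant.
    Intended to run when a password is set, before it is stored.
    """
    if pw == "":
        return ["blank"]
    findings = []
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("default-or-easily-guessed")
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < MIN_CHAR_CLASSES:
        findings.append("insufficient-complexity")
    return findings


def _digest(pw: str) -> str:
    # Unsalted SHA-256 is used only so the sample export below is reproducible.
    return hashlib.sha256(pw.encode()).hexdigest()


def audit_digests(export: dict) -> dict:
    """Audit an export of {username: password digest} without recovering any password.

    Flags accounts whose digest equals the digest of a blank or default
    password, and accounts that share a digest with another account (reuse,
    which violates the "unique" requirement). Returns {username: [findings]}
    for noncompliant accounts only.
    """
    known_bad = {_digest(""): "blank"}
    known_bad.update({_digest(p): "default-or-easily-guessed" for p in DEFAULT_PASSWORDS})
    counts = Counter(export.values())
    report = {}
    for user, d in export.items():
        findings = []
        if d in known_bad:
            findings.append(known_bad[d])
        if counts[d] > 1:
            findings.append("reused")
        if findings:
            report[user] = findings
    return report


# Constructed sample export. Real systems salt their hashes, so a digest
# comparison like this only works where the reviewer has the salts or the
# check is done at password-set time with check_password().
SAMPLE_EXPORT = {
    "svc_backup": _digest(""),
    "svc_monitor": _digest("changeme"),
    "jdoe": _digest("Tr0ub4dor&3-long"),
    "asmith": _digest("Tr0ub4dor&3-long"),
    "ops_admin": _digest("Q7#vLp2!mZ9xRt4w"),
}

if __name__ == "__main__":
    for user, findings in audit_digests(SAMPLE_EXPORT).items():
        print(f"{user}: {', '.join(findings)}")
```

Splitting the check in two mirrors where each rule can actually be enforced: length and complexity are only visible in cleartext, so they belong in the set-time validator, while blank, default and reused credentials can be found from stored digests during a periodic review of the kind the report says FERC was not performing.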

The report also noted several systems were not properly configured and could be exploited. For example, vulnerability scanning revealed outdated versions of software with known security vulnerabilities that were not properly updated.

“These tests also revealed that improperly configured system servers provided higher-level privileges to users than was necessary for them to perform their duties,” Friedman wrote. “As noted in guidance developed by the National Institute of Standards and Technology, individuals should generally be provided with the least privileged access consistent with their assigned duties to help minimize the risk of unauthorized or malicious use.”

Additionally, Friedman noted that cybersecurity employees did not examine systems at regular intervals to determine whether they were compliant, and that FERC officials had not paid enough attention to potential threats from insiders. When informed of this, officials took “immediate corrective action,” according to the report.

Furthermore, cybersecurity weaknesses were not easily identifiable in FERC’s “Plan of Action and Milestones” (POA&M) report. For example, in January 2004, FERC reported that a major application lacked a comprehensive disaster plan, according to Friedman’s report. However, “this weakness was assigned a low risk and was grouped together with other weaknesses into a summary entry” in the POA&M report, Friedman wrote.

FERC officials said identified risks are tracked in the POA&M report and that details of weaknesses could be in that report or in other supporting documentation. Although Friedman noted the POA&M report was used appropriately, he wrote that the lack of detail involved problems with all five of the commission’s major application systems and the general support system.

“The omission of details from tracking reports could have affected the commission’s ability to ensure appropriate visibility over these risks,” he wrote.