An audit by DOE’s Office of the Inspector General (OIG) found that Bonneville had not implemented controls designed to address known IT system vulnerabilities.
“Specifically, technical vulnerability scanning conducted on nine applications used to support business functions such as financial management, human resources and security management identified a significant number of high-risk weaknesses in the areas of access controls, patch management and validation of user input”, according to the audit.
In addition, OIG testing of five operational security control systems identified issues with configuration management, access controls, and contingency and security planning.
A number of IT system development efforts have suffered from cost, scope, and schedule overruns due to weaknesses in project planning and management.
“For example, we noted that one project was completed more than 16 months behind schedule and approximately $7 million over the initial budget at the time the development effort was approved, even though the scope of the effort had been significantly reduced”, the report noted.
Finally, Bonneville’s IT software was not procured in a coordinated manner, resulting in increased security risks.
“Without improvements, Bonneville's systems and information may be exposed to a higher than necessary level of risk of compromise, loss, modification and nonavailability. Many of the security weaknesses we identified could allow an individual with malicious intent, particularly an insider, to compromise systems and obtain unauthorized access to potentially sensitive information”, the OIG warned.
In its response, the Bonneville Power Administration said that the OIG’s report contained a number of “erroneous assertions.” It stressed that its information security program “follows a continuous improvement process and uses the agency’s balanced scorecard to measure progress.”
03 April 2012
Taken out of context the IG report findings may lead people to believe there are vulnerabilities that do not exist. The report covers critical business systems separate from those used for BPA's real-time operation of the grid. None of the identified vulnerabilities can result in blackouts or other transmission system disruptions. We were also already aware of the weaknesses included in the report and had efforts underway or planned to address them.
Doug Johnson, BPA spokesperson
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.