Serious cybersecurity lapses found at Pacific Northwest electricity supplier

30 March 2012

The Department of Energy (DOE) has identified serious cybersecurity gaps at the Bonneville Power Administration, which supplies wholesale electric power to regional utilities in the Pacific Northwest.

An audit by DOE’s Office of the Inspector General (OIG) found that Bonneville had not implemented controls designed to address known IT system vulnerabilities.

“Specifically, technical vulnerability scanning conducted on nine applications used to support business functions such as financial management, human resources and security management identified a significant number of high-risk weaknesses in the areas of access controls, patch management and validation of user input”, according to the audit.

In addition, OIG testing of five operational security control systems identified issues with configuration management, access controls, and contingency and security planning.

A number of IT system development efforts have suffered from cost, scope, and schedule overruns due to weaknesses in project planning and management.

“For example, we noted that one project was completed more than 16 months behind schedule and approximately $7 million over the initial budget at the time the development effort was approved, even though the scope of the effort had been significantly reduced”, the report noted.

Finally, Bonneville’s IT software was not procured in a coordinated manner, resulting in increased security risks.

“Without improvements, Bonneville's systems and information may be exposed to a higher than necessary level of risk of compromise, loss, modification and nonavailability. Many of the security weaknesses we identified could allow an individual with malicious intent, particularly an insider, to compromise systems and obtain unauthorized access to potentially sensitive information”, the OIG warned.

In its response, the Bonneville Power Administration said that the OIG’s report contained a number of “erroneous assertions.” It stressed that its information security program “follows a continuous improvement process and uses the agency’s balanced scorecard to measure progress.”




DougJohnsonBPA says:

03 April 2012
Taken out of context the IG report findings may lead people to believe there are vulnerabilities that do not exist. The report covers critical business systems separate from those used for BPA's real-time operation of the grid. None of the identified vulnerabilities can result in blackouts or other transmission system disruptions. We were also already aware of the weaknesses included in the report and had efforts underway or planned to address them.

Doug Johnson, BPA spokesperson
