An audit by DOE’s Office of the Inspector General (OIG) found that Bonneville had not implemented controls designed to address known IT system vulnerabilities.
“Specifically, technical vulnerability scanning conducted on nine applications used to support business functions such as financial management, human resources and security management identified a significant number of high-risk weaknesses in the areas of access controls, patch management and validation of user input”, according to the audit.
In addition, OIG testing of five operational security control systems identified issues with configuration management, access controls, and contingency and security planning.
A number of IT system development efforts have suffered from cost, scope, and schedule overruns due to weaknesses in project planning and management.
“For example, we noted that one project was completed more than 16 months behind schedule and approximately $7 million over the initial budget at the time the development effort was approved, even though the scope of the effort had been significantly reduced”, the report noted.
Finally, Bonneville’s IT software was not procured in a coordinated manner, resulting in increased security risks.
“Without improvements, Bonneville’s systems and information may be exposed to a higher than necessary level of risk of compromise, loss, modification and nonavailability. Many of the security weaknesses we identified could allow an individual with malicious intent, particularly an insider, to compromise systems and obtain unauthorized access to potentially sensitive information”, the OIG warned.
In its response, the Bonneville Power Administration said that the OIG’s report contained a number of “erroneous assertions.” It stressed that its information security program “follows a continuous improvement process and uses the agency’s balanced scorecard to measure progress.”