Security audit finds BPA vulnerable to cyber threats

By Eric Florip, Columbian Transportation & Environment Reporter



A recent federal audit found significant weaknesses in the Bonneville Power Administration’s information technology and cyber security systems, but it indicated the agency has taken steps to fix possible holes.

The report, completed last month by the U.S. Department of Energy, pointed to several shortcomings in BPA’s electronic systems — among them weak server passwords, outdated or unprotected software, and over-budget development projects. The audit did not test the vulnerability of BPA’s transmission operations — that is, the system that moves and delivers electricity across the Northwest’s power grids. But it did raise concerns with BPA’s day-to-day functions.

“Without improvements, Bonneville’s systems and information may be exposed to a higher than necessary level of risk of compromise, loss, modification and nonavailability,” the audit read. “Many of the security weaknesses we identified could allow an individual with malicious intent, particularly an insider, to compromise systems and obtain unauthorized access to potentially sensitive information.”

BPA officials agreed with some of the audit’s findings, and pledged to correct weaknesses. Federal auditors also noted that the agency has made security improvements since earlier reviews took place.

Security standards have changed drastically over the years as information systems — and cyber threats — grow increasingly complex, said BPA spokesman Doug Johnson. Among the requirements the federal power marketing agency works under are those developed by the North American Electric Reliability Corp., he said.

“It’s very serious now, and we’ve got a really robust -effort here,” Johnson said. “We take that very seriously.”

As for BPA’s system development projects, efforts that changed in scope and schedule were vetted and altered for valid reasons, Johnson said. But the federal audit cited “management weaknesses” as one cause for the changes, and indicated BPA may spend more than it needs to on valuable IT resources.

Specifically, the audit highlighted several vulnerabilities that federal reviewers felt could pose a risk to BPA’s business and security operations. Among the findings:

o BPA used 11 servers that were set with “weak” passwords.

o Software patches to protect against known vulnerabilities were not updated in a timely manner. Some known risks had been identified as long ago as 2007 or earlier, but weren’t addressed, according to the audit.

o Auditors identified nearly a dozen cases in which employees were given “privileged access” to servers when they didn’t need such permission.

o Multiple projects carried out by BPA’s Project Management Office suffered from cost, scope and schedule issues before they were completed, according to the audit. The report noted one effort that began in 2009 with an estimated cost of $4.5 million, but finished with a price tag of $11.5 million in July 2011 — about 16 months behind schedule. BPA disputed this finding, noting the project was approved at a budget of $8.3 million once planning was complete. Changes were properly scrutinized along the way, according to BPA.

In many cases, BPA officials said corrective actions were already under way before the audit was completed. Johnson stressed that the weaknesses outlined in the report aren’t related to real-time operations of the power grid and pose no threat of blackouts or other system disruptions.

Auditors conducted the review between October 2010 and March 2012, at BPA’s Portland headquarters. BPA completed its own response late last month.

A U.S. Department of Energy representative could not immediately be reached Tuesday.

Eric Florip: 360-735-4541;;

Don't Do Stupid Stuff Mugs