The Bonneville Power Administration (Bonneville) provides about 30 percent of wholesale electric power to regional utilities that service homes, hospitals, financial institutions, commercial entities and military installations in the Pacific Northwest. Bonneville makes extensive use of various information systems in its daily operations, including electricity transmission systems, systems that enable the marketing and transferring of electrical power, as well as administrative and financial systems. Should any of these information systems be compromised or otherwise rendered inoperable, the impact on Bonneville's customers could be significant.
Bonneville had taken steps to address the cyber security concerns raised in our prior review. However, our current review identified concerns in the areas of cyber security, project management and procurement of IT resources. In particular, Bonneville had not implemented controls designed to address known system vulnerabilities; operational security controls designed to protect Bonneville's systems had not always been fully implemented; several system development efforts suffered from cost, scope and schedule issues, due in part to weaknesses in project planning and management; and Bonneville's IT software was not always procured in a coordinated manner, resulting in increased security risks.