August 16, 2017

Followup on Bonneville Power Administration’s Cybersecurity Program

The Bonneville Power Administration (Bonneville) was established in 1937 as a Federal nonprofit power marketing administration and provides approximately 28 percent of the electric power used across 300,000 square miles in the Pacific Northwest. Although Bonneville is part of the Department of Energy, it is self-funded and covers its costs by selling products and services such as wholesale electrical power from 31 Federal hydroelectric projects in the Northwest and operating and maintaining about three-fourths of the high-voltage transmission in its service territory. With an overall budget of $4.3 billion, Bonneville utilizes numerous information systems to conduct business and electricity-related operations, including financial and administrative systems. In fiscal year 2017, Bonneville budgeted more than $7 million for its cybersecurity program to protect systems that, if compromised, could have a significant impact on Bonneville and its customers.

Prior reviews have identified weaknesses related to Bonneville’s cybersecurity program. For example, our report on the Management of Bonneville Power Administration’s Information Technology Program (DOE/IG-0861, March 2012) identified cybersecurity weaknesses in areas such as access control, vulnerability management, configuration management, least privilege, and contingency and security planning. More recently, the Office of Inspector General received two allegations: one that Bonneville officials had required nearly all teams to stop patching Bonneville’s systems, and another that officials did not ensure systems stayed up to date on security controls. We initiated this followup audit to determine whether Bonneville effectively implemented its cybersecurity program over financial and administrative systems and to evaluate the circumstances surrounding the allegations.

While we did not substantiate all information included in the allegations, we did identify various weaknesses related to vulnerability management similar to those included in the allegations. Specifically, we were unable to substantiate that Bonneville required officials to stop patching systems. However, we did note that officials had not ensured all systems contained up-to-date security controls. Notably, Bonneville made efforts to improve its cybersecurity program since our prior review such as elevating the Chief Information Officer position for greater visibility, accountability, and oversight. However, we found that Bonneville had not implemented a fully effective cybersecurity program and continued to identify weaknesses in the areas of access controls, vulnerability and configuration management, and contingency planning. We also noted weaknesses related to risk management. In particular, we identified the following:

  • Bonneville had not fully implemented effective logical access controls.
  • We also found that physical access to Bonneville’s data centers was not properly monitored.
  • Similar to the findings from our prior report on Management of Bonneville Power Administration’s Information Technology Program, a number of configuration management vulnerabilities existed on systems reviewed that weakened Bonneville’s security posture.
  • Contingency planning and testing issues continued to exist at Bonneville.

The issues identified occurred, at least in part, because officials had not ensured that Federal and Bonneville requirements were updated and/or fully implemented. In addition, even where policies existed for access control, configuration management, and vulnerability management, Bonneville officials had not taken appropriate actions to ensure that those policies were fully implemented. We also determined that, contrary to Federal requirements, Bonneville had not implemented an effective continuous monitoring program. For instance, Bonneville lacked separation of duties between the individuals who designed security controls and those who tested them. Moreover, Bonneville did not effectively utilize plans of action and milestones, a critical component of an effective continuous monitoring program. In many instances, Bonneville did not track weaknesses through plans of action and milestones or did not correct weaknesses in a timely manner. Notably, Bonneville had created a distinct remediation team dedicated to monitoring identified weaknesses, focusing on those with the highest risk.

Notably, Bonneville had taken action to enhance access controls by significantly reducing the number of local system administrators with elevated privileges since our prior review. However, without improvements to its cybersecurity program, Bonneville may continue to operate systems at a higher-than-necessary risk of compromise, loss, modification, and non-availability. For instance, certain vulnerabilities identified could have permitted an attacker or malicious user to make unauthorized changes to data, disclose sensitive information, or deny legitimate users access to systems supporting business operations and other general support systems. In addition, unaddressed weaknesses related to risk management and continuous monitoring will continue to contribute to vulnerable systems being approved to operate by the authorizing official. In light of the weaknesses identified, we made several recommendations that, if fully implemented, should aid officials in improving Bonneville’s cybersecurity posture.

Management generally concurred with the report’s recommendations and indicated that corrective actions had been initiated or were planned to address issues identified in the report.

Management did not concur with a portion of one recommendation concerning separation of duties, asserting that Bonneville’s organizational structure sufficiently mitigated risk.