Audit: DOE agency's systems vulnerable to cyberattacks

By Linda Rosencrance, Computerworld
October 04, 2006 07:54 PM ET
The information systems used by the Federal Energy Regulatory Commission (FERC), an agency of the Department of Energy (DOE), are vulnerable to cyberattacks because cybersecurity programs now in place do not meet federal guidelines, according to a report (PDF) by the Office of the Inspector General (OIG) for the Energy Department.

Although the agency has strengthened its cybersecurity program, testing by the OIG revealed continued problems with default, blank or easily guessed passwords and with user account controls. In addition, the security assessments done in connection with system certification and the annual reviews were either not performed properly or not documented for each of the four systems the inspector general's office examined.

"These vulnerabilities existed because the commission had not ensured that certain aspects of its cybersecurity program conformed to either federal or commission requirements or guidelines," according to the report. "Weaknesses such as the ones we discovered detract from the overall effectiveness of the commission's cybersecurity program and potentially expose its information technology resources and data to compromise."

According to the OIG, the agency needed to do more to ensure that its information and systems are properly protected from unauthorized or malicious access by insiders. In particular, the inspector general recommended that the FERC better secure its systems by banning the use of passwords that do not adhere to federal guidelines and by properly configuring the security settings for various network services.

The IG also said the commission should review and update how it handles unused network accounts. Specifically, the FERC needs to identify and remove inactive accounts in a timely manner and ensure that annual security reviews -- which are used to support the certification and accreditation of systems -- thoroughly meet critical federal requirements.
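The three recurring findings above (blank or shared default passwords, accounts that should not be able to log in, and inactive accounts left on the system) are the kind of thing an administrator can check routinely rather than wait for an audit. The following is an added example, not code from the report or from FERC: it runs the checks over constructed /etc/shadow-style and last-login records (the account names, hashes and dates are invented for illustration), flags each account that would have drawn an IG finding, and notes whether the account is privileged (uid 0), which is the distinction Herlihy draws later in the article. The 90-day idle threshold and the "shared hash means a cloned default credential" heuristic are assumptions of this example, not figures from the report.

```python
"""Local-account hygiene audit over constructed shadow/lastlog-style data.

Added example (not from the OIG report). Flags, per account:
  - blank password field   -> login with no password on many systems
  - shared password hash   -> identical salt+hash across accounts, a sign
                              that an image or vendor default was never changed
  - inactive               -> never logged in, or idle longer than a threshold
"""
from collections import Counter
from datetime import date

# Constructed sample records: (name, shadow password field, uid, last login).
# None as last login means the account has never logged in.
SAMPLE_ACCOUNTS = [
    ("root",       "$6$r00t$a1b2c3",   0,    date(2006, 9, 30)),
    ("svc_backup", "",                 1001, date(2006, 9, 1)),   # blank
    ("jdoe",       "$6$jd0e$d4e5f6",   1002, date(2006, 1, 15)),  # stale
    ("admin2",     "",                 0,    None),               # blank, uid 0
    ("locked",     "!$6$l0ck$778899",  1003, None),               # locked
    ("oldvendor",  "*",                1004, date(2005, 12, 1)),  # stale
    ("kiosk1",     "$6$s4lt$deadbeef", 1005, date(2006, 10, 1)),  # same hash
    ("kiosk2",     "$6$s4lt$deadbeef", 1006, date(2006, 10, 2)),  # same hash
]

# Assumed policy values for the example; the report does not give figures.
MAX_IDLE_DAYS = 90
AUDIT_DATE = date(2006, 10, 4)


def password_state(hash_field: str) -> str:
    """Classify a shadow password field.

    ''            -> 'blank'  (no password required)
    '!...' / '*'  -> 'locked' (password login disabled)
    anything else -> 'set'
    """
    if hash_field == "":
        return "blank"
    if hash_field.startswith(("!", "*")):
        return "locked"
    return "set"


def is_inactive(last_login, today: date, max_idle_days: int) -> bool:
    """True if the account never logged in or has been idle past the threshold."""
    if last_login is None:
        return True
    return (today - last_login).days > max_idle_days


def audit_accounts(accounts, today: date, max_idle_days: int):
    """Return one finding per problem account: name, privileged flag, issues."""
    # Hashes that appear more than once among accounts with a real password
    # set. Identical salt+hash means identical password; with a random salt
    # that only happens when the credential was copied, e.g. a cloned default.
    hash_counts = Counter(
        h for _, h, _, _ in accounts if password_state(h) == "set"
    )
    findings = []
    for name, hash_field, uid, last_login in accounts:
        issues = []
        state = password_state(hash_field)
        if state == "blank":
            issues.append("blank password")
        if state == "set" and hash_counts[hash_field] > 1:
            issues.append("shared password hash")
        if is_inactive(last_login, today, max_idle_days):
            issues.append("inactive")
        if issues:
            findings.append(
                {"account": name, "privileged": uid == 0, "issues": issues}
            )
    return findings


def run_sample_audit():
    """Audit the constructed sample with the assumed policy values."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE, MAX_IDLE_DAYS)


if __name__ == "__main__":
    for f in run_sample_audit():
        tag = " [privileged]" if f["privileged"] else ""
        print(f"{f['account']}{tag}: {', '.join(f['issues'])}")
```

On a real host the shadow fields come from /etc/shadow and the last-login dates from lastlog or wtmp; the logic is unchanged. Note that a locked account still shows up as inactive when it has never been used: locking stops logins, but the report's recommendation is to remove unused accounts, not merely disable them.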

In a written response to the report, Thomas Herlihy, the executive director of the FERC, concurred with the IG's recommendations, but sought to offer his own explanation about what the IG found.

For example, Herlihy confirmed that there were nine accounts that had blank or weak passwords. But he said they were local accounts without network access and stressed that only two allowed elevated privileges to the computer. He also noted that only a small percentage of the commission's passwords had vulnerabilities.

But the IG's office disagreed, saying that even a small number of accounts with passwords that don't meet federal regulations could be a security issue.

Last week the IG also released a report saying the DOE still hasn't done enough to strengthen its cybersecurity protections, exposing critical systems to compromise and putting data at risk.

In his annual report on the status of the agency's cybersecurity efforts, Inspector General Gregory Friedman did note that the DOE has taken steps to strengthen internal security processes. However, the audit also found that key vulnerabilities persist, even though they have already been highlighted by the OIG and a congressional committee.
