recommended reading

Weak passwords render major power supplier vulnerable to hackers, audit finds

A federal utility in the Pacific Northwest that powers 30 percent of the region, including key military installations, is vulnerable to computer breaches, according to an internal Energy Department audit. But the weaknesses highlighted are typical of many critical government and industry systems, say some cybersecurity experts.

Eleven servers at the Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," Energy Inspector General Gregory H. Friedman said in a March 26 report. BPA distributes roughly one-third of the electricity regional utilities provide to homes, hospitals, banks, commercial firms and Defense Department facilities.

Bonneville depends largely on computer systems for transferring electricity, as wells as for administrative and business tasks. "Should any of these information systems be compromised or otherwise rendered inoperable, the impact on Bonneville's customers could be significant," Friedman wrote. "Although management stated that its passwords met industry standards, we found at least one administrative account with a default password" that had not been set.

The utility's troubles, however, are not unusual compared to other similar enterprises, say some computer security researchers.

Testers did not inspect the computers managed by Bonneville's transmission operations office, and the report does not disclose those computers' reliance on the systems under review, likely because the details are sensitive. "The reality is all those systems are there for a reason. The question is will there be catastrophic impacts to the grid," if those back-end systems are disrupted, said Patrick Miller, principal investigator for the National Electric Sector Cybersecurity Organization, a public-private partnership partly funded by Energy and governed by the nonprofit Energy Sector Security Consortium. "In most cases, a compromise of a business system would not have a direct impact on the grid."

Many large agencies have fared much worse than Bonneville during security inspections, he noted. An IG review of Energy's department-level cybersecurity posture documented a 60 percent increase in vulnerabilities between 2010 and 2011. At more than 10 locations, including the department's headquarters, evaluators found lax controls for computer access, including weak passwords and poor monitoring of user activity.

Miller, whose office is near Bonneville's facilities, noted some manufacturers do not allow for complex passwords in their machines. The IG report does not specify whether that was the reason the organization did not use stronger codes.

During the audit, evaluators also found that Bonneville neglected to fix 400 known vulnerabilities. Agency officials disputed the high count, according to the report. The security problems flagged mostly stem from underfunding and misplaced executive powers, Friedman wrote. For example, although Bonneville's chief information officer tests system protections and runs vulnerability scans, the CIO cannot make Bonneville offices fix security gaps found. Nor does the CIO oversee information technology for transmission operations.

"Lines of authority in its IT program adversely affected Bonneville's cyber security posture," Friedman stated.

In response to a draft report, Bonneville officials said they would correct the weaknesses detected. In addition, they will add transmission operations to the CIO's portfolio. But Bonneville officials disagreed with the observation that resources are inadequate.

They pointed out that some advances in security are absent from the report, including the establishment of system security plans and security assessment reviews. Bonneville also now lets the chief operating officer weigh in on whether a new system is too risky to be deployed.

"While we appreciate the value of external audits to assess our improvement efforts, we are concerned that this assessment does not completely reflect the effectiveness and efficiencies of Bonneville's IT program," wrote Stephen Wright, the agency's administrator and chief executive officer.

The findings were not placed in context with the security of the entire organization, said Miller, who saw the inner workings of the agency when he previously served as a private auditor. He considers Bonneville a highly reliable outfit. "Some of the BPA facilities require you to go through many physical systems, up to and including, a mantrap," Miller said.

The inspector general's findings regarding security holes do not alarm him. "The vulnerabilities were somewhat pedestrian," he said. "I wouldn't say this makes them an immediate, near-time target for a terrorist attack more than anyone else."

That said, the utility should try to mend the technological flaws as money allows, Miller added. Older technology at many industrial concerns, including Bonneville, is very expensive to adjust. Applying a simple fix similar to a Microsoft patch can cost between $50,000 and $250,000 at an energy company, he said. "It's not a small undertaking to upgrade these systems," Miller said. "It's not like you can just reboot it when you want." And pausing for an update could affect customers.

This is not the first time the electricity supplier has garnered criticism from federal auditors. In December 2008, the inspector general found that Bonneville's IT staff failed to plan for potential outages at its critical systems and did not retest security controls regularly. The new IG report states that Bonneville has taken steps to address those concerns.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.