Cybersecurity regulator for energy has its own vulnerabilities

The Federal Energy Regulatory Commission did not identify sensitive information and how it should be protected, an inspector general found.

The computer networks operated by the commission that enforces cybersecurity standards for most of the nation's power plants are themselves vulnerable to cyberattacks, because the commission failed to comply with federal information security requirements, according to a report the Energy Department's inspector general released on Tuesday.

The Federal Energy Regulatory Commission -- which regulates significant portions of the U.S. energy industry, including deployment of security standards at power plants -- did not document information that could be deemed sensitive and how that data should be protected, according to an inspector general audit.

The failure to do so violates National Institute of Standards and Technology requirements and the 2002 Federal Information Security Management Act, both of which require that such security controls be in place to protect sensitive information.

The IG's review showed that the commission had not developed procedures and technologies to protect sensitive data for three major computer systems or for the General Support System that sustains network processing and communication capabilities.

Each of these systems contains potentially sensitive information and was rated at a moderate risk level under the NIST federal information-processing standard. The report did not include specific information about the identified vulnerabilities.

In addition, "The commission's process for identifying, tracking and correcting cybersecurity weaknesses still did not fully satisfy federal information security requirements," the IG said in the report. For example, the commission's plans for addressing information security weaknesses didn't contain required data such as the severity of the weaknesses it had found, the estimated funding needed to fix the holes, or when the weaknesses would be resolved.

The plans also did not provide enough details on how security weaknesses were being addressed. For example, although the target completion date for one security vulnerability had slipped by 22 months because the process to fix the problem took longer than expected, no milestones were added to the plans to assist in tracking the progress. Officials also did not estimate how much it would cost to complete the task.

"Detailed information such as this is necessary for management to adequately assess progress, prioritize remediation activities, tie remediation to budgeting and capital planning and investment activities, and help ensure timely completion of activities," the IG said.

The report also noted that the commission did not conduct periodic reviews of user accounts or ensure access was terminated for individuals who no longer had a need to view certain sensitive information. The commission also failed to log changes to access authorizations, "thereby eliminating the ability of management to review them for appropriateness," a violation of federal requirements, the IG said.

"Absent controls such as these, an authorized individual may be able to gain or elevate levels of access to the commission's systems without detection," the report noted.

The commission agreed with the recommendations to address all issues identified in the report, revise and update cybersecurity policies and procedures to ensure consistency with federal cybersecurity requirements, and ensure that reported plans and milestones include all required information to properly identify, track and monitor activities.