Weaknesses in the Bonneville Power Administration Cybersecurity Program
Published: August 30, 2017
Energy’s OIG finds several weaknesses in the cybersecurity program at the Bonneville Power Administration that put the electrical power source for the Pacific Northwest at risk of attack.
A self-funded agency under the Department of Energy, the Bonneville Power Administration is responsible for providing part of the electric power utilized across the Pacific Northwest. Its functions include wholesale of electrical power from 31 Federal hydroelectric projects and the operation and maintenance of 75% of the high-voltage transmission in the Northwest region. Bonneville runs various information systems, including financial and administrative, to conduct business and electricity-related operations. The agency was previously cited by the Office of Inspector General (OIG) for numerous weaknesses in the cybersecurity program for these systems, particularly in the management of Bonneville’s IT program in areas of access control as well as vulnerability and configuration management.
Since then, the agency has made some improvements to its cybersecurity program, particularly in elevating the Chief Information Officer to a position with greater oversight and accountability. Nonetheless, a recent OIG report identified continued and new weaknesses to Bonneville’s cyber structure. The OIG uncovered problematic issues in areas of vulnerability and configuration management, access controls, contingency planning and risk management. Also among its findings, the report found a lack of physical security at Bonneville’s seven data centers used to support financial and administrative duties. If left unmitigated, the electrical power source faces a higher risk in loss, compromise and non-availability of information and services. These weaknesses potentially permit attackers or unauthorized users to make “changes to data, disclose sensitive information, or deny legitimate users access to systems supporting business operations and other general support systems,” according to the report.
Vulnerability and Configuration Management
The investigation found a high number of missing patches for information systems and uncovered several servers, workstations and applications missing security patches or containing other significant vulnerabilities. The review determined that almost 480 commercial off-the-shelf products were missing patches for critical or high-risk vulnerabilities, with some devices running outdated software that could potentially allow an attacker to bypass controls and access privileged functions. A scan done for the report revealed almost 40 unsupported software applications on more than 600 network devices used to support both business and cybersecurity functions at the agency. For example, one server application utilized by the agency had not been supported by the vendor since 2009! Furthermore, the OIG found six specific weaknesses that left 1,400 servers exposed to man-in-the-middle attacks, in which an attacker alters the communication between two parties that believe they are communicating directly with one another.
Logical access controls over information systems at the agency have not been fully implemented. In one instance, the OIG found that an inventory management application did not effectively protect sensitive information and user information, and sent credentials over the network without encryption. Password requirements have also been inconsistently enforced: passwords were not changed within the time frames outlined in the agency’s cybersecurity program plan, and weak passwords continue to exist in Bonneville’s business systems. For example, six web management interfaces on agency devices still used default passwords, giving easy access to those devices and leaving multiple servers and the systems behind them extremely vulnerable.
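The vulnerability, configuration and access-control findings above are all things a defender can check for in an asset inventory. The following added example (not code from the OIG report or from Bonneville) runs those four checks over a small constructed inventory; the host names, products, patch ids, the 90-day rotation window and the assessment date are all assumptions made up for the example:

```python
from datetime import date

# Constructed sample inventory (hypothetical hosts and products, not from the report).
INVENTORY = [
    {"host": "app01", "product": "WebApp Server", "support_end": date(2009, 6, 30),
     "missing_patches": [("PATCH-1", "critical")], "mgmt_default_password": True,
     "password_age_days": 200},
    {"host": "db02", "product": "DB Engine", "support_end": date(2030, 1, 1),
     "missing_patches": [("PATCH-2", "low")], "mgmt_default_password": False,
     "password_age_days": 30},
    {"host": "ws03", "product": "Desktop OS", "support_end": None,
     "missing_patches": [("PATCH-3", "high"), ("PATCH-4", "medium")],
     "mgmt_default_password": None, "password_age_days": 95},
]

MAX_PASSWORD_AGE_DAYS = 90      # assumed policy value, not Bonneville's
ACTIONABLE = {"critical", "high"}

def audit_inventory(inventory, as_of=date(2017, 8, 30), max_password_age=MAX_PASSWORD_AGE_DAYS):
    """Return (host, finding_type, detail) tuples in the report's finding categories.
    as_of is a constructed assessment date used to decide whether support has ended."""
    findings = []
    for asset in inventory:
        host = asset["host"]
        # Vulnerability management: patches for critical/high vulnerabilities not applied
        for patch_id, severity in asset["missing_patches"]:
            if severity in ACTIONABLE:
                findings.append((host, "missing_patch", f"{patch_id} ({severity})"))
        # Configuration management: product no longer supported by its vendor
        end = asset["support_end"]
        if end is not None and end < as_of:
            findings.append((host, "unsupported_software",
                             f"{asset['product']} support ended {end.isoformat()}"))
        # Access control: web management interface still using a default password
        if asset["mgmt_default_password"]:
            findings.append((host, "default_password", "web management interface"))
        # Access control: password older than the plan's rotation window
        if asset["password_age_days"] > max_password_age:
            findings.append((host, "stale_password", f"{asset['password_age_days']} days old"))
    return findings

def summarize(findings):
    """Count findings per type so every category reaches the authorizing official."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for host, kind, detail in audit_inventory(INVENTORY):
        print(f"{host}: {kind}: {detail}")
```

The summary dictionary is the piece a security assessment report should never drop: every finding category must reach the authorizing official, which is exactly what the OIG found was not happening.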
Despite the release of several federal requirements from NIST directing agencies to transition from a compliance-based information system certification and accreditation process to a risk-based approval process, Bonneville has not implemented such risk management measures in its cyber process. For example, officials at the agency had not incorporated more than 40 controls and enhancements, such as authentication controls and configuration management, into system security plans. Additionally, the agency’s system ownership and accountability for implementing the different controls is not well defined, leading to different groups pointing fingers at each other. Moreover, Bonneville security assessment reports did not identify all control weaknesses for an authorizing official to consider, so those weaknesses were left out of decisions about whether systems should continue to operate.
The OIG provided the following five recommendations to the agency, with which Bonneville management generally concurred:
- Correct, through the implementation of appropriate controls, the cybersecurity weaknesses identified during our review
- Using the weaknesses identified in this report as well as results from our vulnerability testing, review Bonneville’s remaining systems to identify and correct similar areas of concern
- Ensure that policies and procedures are updated and implemented consistent with Federal and internal requirements
- Establish an effective continuous monitoring program that includes separation of duties, implementing corrective actions to remediate POA&Ms, and strengthening data center physical security reviews
- Review data center access lists to determine whether access granted is still required
While a majority of the issues in Bonneville’s cybersecurity program lie in updating and upholding its own as well as Federal cyber requirements, several other weaknesses remain in protecting the agency’s devices, systems and software applications. Moreover, Bonneville is in need of effective cyber planning and consulting to stand up the process and management model needed to consistently update and test the security of its IT infrastructure. According to the report, Bonneville’s business-type budget consisted of $4.3B in FY 2017, with more than $7M budgeted for its cybersecurity program. In FY 2015, the agency spent $667K in obligations related to information security. However, because Bonneville reports its obligations to FPDS-NG somewhat inconsistently, the agency’s actual spending on cyber-related products and services is likely higher.