Auditors uncover routine security vulnerabilities at Bonneville Power Administration
Business system computers at the Bonneville Power Administration contained a plethora of security vulnerabilities of a fairly common type, according to a March 26 report from the Energy Department office of inspector general.

The report (.pdf) notes that Bonneville supplies about 30 percent of wholesale electric power to regional utilities in the Pacific Northwest. The report does not address SCADA systems, although it says that a compromise rendering inoperable systems that enable the marketing and transferring of electrical power, as well as administrative or financial systems, would have a significant impact on customers. There are several key military installations in the Pacific Northwest, as well as hospitals, traffic light systems, banks, elementary schools, Starbucks cafes, soda vending machines, online publications and general infrastructure that depend on a constant supply of electricity.

Specific vulnerabilities uncovered by auditors include 11 servers configured with weak passwords, including one that hosted an administrative account with a default password.  

The weak passwords “could have allowed a knowledgeable attacker to obtain complete access to the system,” the report says.

In addition, scanning turned up more than 400--by the auditors’ count--unpatched high-risk vulnerabilities. Of those, 34 percent were more than 18 months old, including 33 specific vulnerabilities associated with exploits identified in 2007 or earlier. Three servers ran software no longer supported by the manufacturer.
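The aging metrics the auditors cite (share of high-risk findings older than 18 months, findings tied to old public exploits, hosts on unsupported software) are easy to reproduce from a scanner export. The following is an added example, not code from the report or from Bonneville; the scan records, host names and assessment date are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Every sample value below is constructed."""
    host: str
    issue: str                   # scanner's label for the issue
    severity: str                # "high", "medium" or "low"
    first_seen: date             # date the scanner first reported it
    exploit_year: Optional[int]  # year a public exploit was catalogued, if any
    vendor_supported: bool       # False if the affected software is end-of-life


def age_months(finding: Finding, today: date) -> int:
    """Whole calendar months between first sighting and the assessment date."""
    return (today.year - finding.first_seen.year) * 12 + (today.month - finding.first_seen.month)


def triage(findings, today, stale_months=18, exploit_cutoff_year=2007):
    """Compute the audit-style aging metrics over high-risk findings."""
    high = [f for f in findings if f.severity == "high"]
    stale = [f for f in high if age_months(f, today) > stale_months]
    old_exploit = [f for f in high
                   if f.exploit_year is not None and f.exploit_year <= exploit_cutoff_year]
    unsupported = sorted({f.host for f in findings if not f.vendor_supported})
    return {
        "high_total": len(high),
        "stale": len(stale),
        "stale_pct": round(100 * len(stale) / len(high)) if high else 0,
        "old_exploit": len(old_exploit),
        "unsupported_hosts": unsupported,
        # remediation order: oldest high-risk findings first
        "worklist": [(f.host, f.issue) for f in sorted(high, key=lambda f: f.first_seen)],
    }


# Constructed sample export and assessment date (not data from the report).
SAMPLE = [
    Finding("srv01", "OpenSSL multiple issues", "high", date(2010, 6, 1), 2008, True),
    Finding("srv01", "Kernel privilege escalation", "high", date(2011, 11, 15), None, True),
    Finding("srv02", "Web server buffer overflow", "high", date(2009, 2, 10), 2006, False),
    Finding("srv03", "SMB remote code execution", "high", date(2012, 1, 20), 2011, True),
    Finding("srv03", "Weak SSL cipher", "medium", date(2010, 1, 5), None, True),
    Finding("srv04", "Unsupported OS version", "high", date(2011, 12, 1), None, False),
]
ASSESSMENT_DATE = date(2012, 3, 26)

if __name__ == "__main__":
    for key, value in triage(SAMPLE, ASSESSMENT_DATE).items():
        print(f"{key}: {value}")
```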

The report also criticizes the power administration for applying the Government Configuration Baseline (formerly known as the Federal Desktop Core Configuration) to only two of its four server operating systems.

It also notes violations of the least privilege principle, since 12 regular users had administrative privileges to servers based on group membership rather than individual job responsibility.

In a response to the report, Stephen Wright, Bonneville administrator and chief executive officer, says the power administration already has a more robust patch management program underway, and that the number of vulnerabilities uncovered by auditors is an exaggeration. Power administration officials also told auditors they've implemented new password controls.

For more:
download the report, DOE/IG-0861 (.pdf)
