FERC: $3.8M not enough for FISMA compliance
The Federal Energy Regulatory Commission has not fully implemented cybersecurity policies and procedures due to budget and resource constraints, FERC officials told auditors performing a fiscal 2011 cybersecurity audit (.pdf). The commission estimated it spent approximately $3.8 million to secure its information technology assets during fiscal 2011, write authors of an Energy Department inspector general audit dated Nov. 15.
Policy shortfalls left software vulnerability remediation late or incomplete, leading to noncompliance with the Federal Information Security Management Act of 2002, they add.
Still, auditors found the commission had significantly reduced the number of "high risk" vulnerabilities in its IT systems compared to the 2010 audit, and the commission's Executive Director Charles Schneider said FERC's Vulnerability Management Program "greatly matured" over 2011.
Auditors recommend FERC increase efforts to patch vulnerabilities. Thirty-two of 70 identified vulnerabilities were rated "high risk" by the software provider or the Homeland Security Department's National Vulnerability Database. "All of the 'high risk' vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old," write report authors.
Many of the vulnerabilities were associated with third-party productivity and internet-based applications, according to the audit. Some programs were used by FERC employees with access to financial applications and system administrators with privileged levels of access to financial systems and general support systems.
The report does not identify specific vulnerabilities due to security considerations, but FERC was provided with more detailed vulnerability information. Cybersecurity program management concurred with the IG's recommendations and said it had initiated corrective action to resolve all unpatched vulnerabilities before the end of calendar year 2011.
For more:
- see the DOE IG report (.pdf)