Western Area Power Administration desktops have high-risk vulnerabilities, say auditors

Administration officials say it's normal for them to be a year behind patches

Auditors say nearly every computer tested for vulnerabilities at the Energy Department's Western Area Power Administration contained at least one high-risk vulnerability related to software updates or patches.

In a report (.pdf) dated Oct. 22, auditors say they ran vulnerability scans on 105 workstations at offices of the DOE agency, which markets and transmits hydroelectric power across 15 states. They found 19 applications that were either not running the current version or were missing security updates released more than three months earlier.

Administration officials say what auditors call a high-risk vulnerability is actually a documented and accepted risk, made necessary by the need to operate on a tested baseline so that a patch from one vendor doesn't disrupt other vendors' applications. In the official response to the audit, Acting Administrator Anita Decker says it's normal for the administration to be as much as a year behind current application releases. "This is a business risk," she says.

Auditors nonetheless say that, as a result, a knowledgeable individual could exploit the unpatched software to obtain unauthorized access to Western workstations from the public Internet.

Western's account management also draws criticism from auditors, who say the administration manages account access manually, whereas the National Institute of Standards and Technology recommends automated mechanisms that deactivate accounts after a predetermined period of inactivity. Auditors say they found five still-active accounts belonging to former employees, four of which had permission to access Western's power maintenance system.
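The automated check NIST recommends is a simple policy over an account inventory: separated employees are disabled immediately, and anything idle past a threshold is disabled regardless of who owns it. The following is an added example, not code from the audit report or from Western; the account records, the 90-day threshold, and the group name "power-maintenance-system" are all constructed for illustration. It flags accounts that should be deactivated and orders privileged ones first, since the audit's concern was former-employee accounts that still reached the power maintenance system.

```python
"""Flag accounts to deactivate: separated users and stale accounts.

Added example, not code from the audit report or from Western.
The account records, the 90-day threshold and the group name
'power-maintenance-system' are constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)             # assumed policy threshold
PRIVILEGED_GROUPS = {"power-maintenance-system"}  # assumed group name


@dataclass
class Account:
    username: str
    last_login: Optional[datetime]  # None means the account never logged in
    separated: bool                 # HR record says the employee has left
    groups: FrozenSet[str]


@dataclass
class Finding:
    username: str
    reason: str
    privileged: bool


def review_accounts(accounts: List[Account], now: datetime,
                    limit: timedelta = INACTIVITY_LIMIT) -> List[Finding]:
    """Return the accounts that policy says must be deactivated.

    A separated employee is flagged even if the account was used recently
    (that is exactly the gap the auditors found). Otherwise an account is
    flagged when it has been idle longer than `limit` or never logged in.
    Privileged findings are sorted first so they get actioned first.
    """
    findings: List[Finding] = []
    for acct in accounts:
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        if acct.separated:
            findings.append(Finding(acct.username, "former employee", privileged))
            continue
        idle = None if acct.last_login is None else now - acct.last_login
        if idle is None or idle > limit:
            days = "never" if idle is None else f"{idle.days} days"
            findings.append(Finding(acct.username, f"inactive ({days})", privileged))
    findings.sort(key=lambda f: (not f.privileged, f.username))
    return findings


# Constructed sample inventory; the date is only a fixed reference point.
NOW = datetime(2012, 10, 22, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", NOW - timedelta(days=5), False, frozenset({"power-maintenance-system"})),
    Account("bob", NOW - timedelta(days=200), True, frozenset({"power-maintenance-system"})),
    Account("carol", NOW - timedelta(days=120), False, frozenset()),
    Account("dave", None, False, frozenset({"power-maintenance-system"})),
    Account("erin", NOW - timedelta(days=30), True, frozenset()),
]

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS, NOW):
        tag = "PRIVILEGED" if finding.privileged else "standard"
        print(f"{finding.username:8} {tag:10} {finding.reason}")
```

Run against the constructed inventory, the check flags "bob" and "dave" first (both in the privileged group), then "carol" and "erin"; "alice" is active and not separated, so she is left alone. In a real environment the `separated` flag would come from the HR system of record and `last_login` from the directory, which is the integration Decker says is hard across Western's dissimilar authentication systems.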

But fully automated management may not be in the administration's future. Western has a number of systems that use dissimilar authentication methods, meaning that NIST recommendations "cannot always be implemented easily," Decker says.

"To the extent that it is technically possible, it has been done," she adds.

For more:
- download the report, DOE/IG-0873 (.pdf)
