Weak passwords render major power supplier vulnerable to hackers, audit finds

A federal utility in the Pacific Northwest that powers 30 percent of the region, including key military installations, is vulnerable to computer breaches, according to an internal Energy Department audit. But the weaknesses highlighted are typical of many critical government and industry systems, say some cybersecurity experts.

Eleven servers at the Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," Energy Inspector General Gregory H. Friedman said in a March 26 report. BPA distributes roughly one-third of the electricity regional utilities provide to homes, hospitals, banks, commercial firms and Defense Department facilities.

Bonneville depends largely on computer systems for transferring electricity, as well as for administrative and business tasks. "Should any of these information systems be compromised or otherwise rendered inoperable, the impact on Bonneville's customers could be significant," Friedman wrote. "Although management stated that its passwords met industry standards, we found at least one administrative account with a default password" that had not been changed.

The utility's troubles, however, are not unusual compared to other similar enterprises, say some computer security researchers.

Testers did not inspect the computers managed by Bonneville's transmission operations office, and the report does not disclose those computers' reliance on the systems under review, likely because the details are sensitive. "The reality is all those systems are there for a reason. The question is will there be catastrophic impacts to the grid," if those back-end systems are disrupted, said Patrick Miller, principal investigator for the National Electric Sector Cybersecurity Organization, a public-private partnership partly funded by Energy and governed by the nonprofit Energy Sector Security Consortium. "In most cases, a compromise of a business system would not have a direct impact on the grid."

Many large agencies have fared much worse than Bonneville during security inspections, he noted. An IG review of Energy's department-level cybersecurity posture documented a 60 percent increase in vulnerabilities between 2010 and 2011. At more than 10 locations, including the department's headquarters, evaluators found lax controls for computer access, including weak passwords and poor monitoring of user activity.

Miller, whose office is near Bonneville's facilities, noted some manufacturers do not allow for complex passwords in their machines. The IG report does not specify whether that was the reason the organization did not use stronger codes.

During the audit, evaluators also found that Bonneville neglected to fix 400 known vulnerabilities. Agency officials disputed the high count, according to the report. The security problems flagged mostly stem from underfunding and misplaced executive powers, Friedman wrote. For example, although Bonneville's chief information officer tests system protections and runs vulnerability scans, the CIO cannot make Bonneville offices fix security gaps found. Nor does the CIO oversee information technology for transmission operations.

"Lines of authority in its IT program adversely affected Bonneville's cyber security posture," Friedman stated.

In response to a draft report, Bonneville officials said they would correct the weaknesses detected. In addition, they will add transmission operations to the CIO's portfolio. But Bonneville officials disagreed with the observation that resources are inadequate.

They pointed out that some advances in security are absent from the report, including the establishment of system security plans and security assessment reviews. Bonneville also now lets the chief operating officer weigh in on whether a new system is too risky to be deployed.

"While we appreciate the value of external audits to assess our improvement efforts, we are concerned that this assessment does not completely reflect the effectiveness and efficiencies of Bonneville's IT program," wrote Stephen Wright, the agency's administrator and chief executive officer.

The findings were not placed in context with the security of the entire organization, said Miller, who saw the inner workings of the agency when he previously served as a private auditor. He considers Bonneville a highly reliable outfit. "Some of the BPA facilities require you to go through many physical systems, up to and including, a mantrap," Miller said.

The inspector general's findings regarding security holes do not alarm him. "The vulnerabilities were somewhat pedestrian," he said. "I wouldn't say this makes them an immediate, near-time target for a terrorist attack more than anyone else."

That said, the utility should try to mend the technological flaws as money allows, Miller added. Older technology at many industrial concerns, including Bonneville, is very expensive to adjust. Applying a simple fix similar to a Microsoft patch can cost between $50,000 and $250,000 at an energy company, he said. "It's not a small undertaking to upgrade these systems," Miller said. "It's not like you can just reboot it when you want." And pausing for an update could affect customers.

This is not the first time the electricity supplier has garnered criticism from federal auditors. In December 2008, the inspector general found that Bonneville's IT staff failed to plan for potential outages at its critical systems and did not retest security controls regularly. The new IG report states that Bonneville has taken steps to address those concerns.