Cyber security at the US government’s largest renewable power transmission agency has been found wanting by an Energy Department inspector general.
The Western Area Power Administration (WAPA), which sells and transmits power through 17,000 miles of lines and 296 substations, depends on information technology systems to manage its massive electrical power complex and finances, said US reports.
But the agency used a default password to protect its electricity scheduling database and regularly failed to update security software, according to a report by energy inspector general Gregory Friedman.
Commenting on the use of a default user name and password, the report said: “This high-risk vulnerability could have been exploited by an attacker from any internet connection to obtain unauthorised access to the internal database supporting the electricity scheduling system.”
Intruders could also have accessed other computer stations at Western’s offices and its customers' offices through the same vulnerability, the report said.
According to Friedman, nearly all of the 105 workstations that investigators evaluated had at least one high-risk vulnerability involving software security updates.
Read more about critical infrastructure security
- McAfee to help secure nuclear plants
- Electrical power grids prime targets for cyber attack, says McAfee
- Critical infrastructure providers are less engaged with government cyber protection
- Is UK critical national infrastructure properly protected?
- Germany opens cyber defence centre in response to critical infrastructure attacks
One network server that was running outdated software “could disrupt normal business operations,” if attacked using "remote code execution" to manipulate the server from afar, the report said.
The report also criticises WAPA’s poor control of access to its IT systems, citing at least five cases in which the agency had failed to withdraw access rights to key systems of people who had left the agency.
“Failure to implement these access security controls could result in a knowledgeable individual using information technology resources for unauthorised, and sometimes malicious purposes, that may be detrimental to WAPA's operations,” said Friedman.
Most of the security gaps exposed at WAPA were the result of neglecting to follow policies and procedures that could have avoided such vulnerabilities, he said.
Investigators did not probe any supervisory control and data acquisition, or supervisory control and data acquisition (SCADA) systems that control electricity flow “because of concerns over the potential impact to operations,” the report said.
WAPA officials have agreed to carry out improvements recommended by Friedman.
The report comes just ahead of an event in Washington on 31 October, at which officials form the Energy and Homeland Security department will describe activities aimed at helping public and private sector utilities prioritise cyber security network investments.