Cyber security at US energy agency found wanting

Cyber security at the US government’s largest renewable power transmission agency is failing, says Energy Department inspector

Cyber security at the US government’s largest renewable power transmission agency has been found wanting by an Energy Department inspector general.

The Western Area Power Administration (WAPA), which sells and transmits power through 17,000 miles of lines and 296 substations, depends on information technology systems to manage its massive electrical power complex and finances, said US reports.

But the agency used a default password to protect its electricity scheduling database and regularly failed to update security software, according to a report by energy inspector general Gregory Friedman.

Commenting on the use of a default user name and password, the report said: “This high-risk vulnerability could have been exploited by an attacker from any internet connection to obtain unauthorised access to the internal database supporting the electricity scheduling system.”

Intruders could also have accessed other computer stations at Western’s offices and its customers' offices through the same vulnerability, the report said.

According to Friedman, nearly all of the 105 workstations that investigators evaluated had at least one high-risk vulnerability involving software security updates.

One network server that was running outdated software “could disrupt normal business operations” if attacked using “remote code execution” to manipulate the server from afar, the report said.

The report also criticises WAPA’s poor control of access to its IT systems, citing at least five cases in which the agency had failed to withdraw access rights to key systems of people who had left the agency.

“Failure to implement these access security controls could result in a knowledgeable individual using information technology resources for unauthorised, and sometimes malicious purposes, that may be detrimental to WAPA's operations,” said Friedman.

Most of the security gaps exposed at WAPA were the result of neglecting to follow policies and procedures that could have avoided such vulnerabilities, he said.

Investigators did not probe any supervisory control and data acquisition (SCADA) systems that control electricity flow “because of concerns over the potential impact to operations,” the report said.

WAPA officials have agreed to carry out improvements recommended by Friedman.

The report comes just ahead of an event in Washington on 31 October, at which officials from the Energy and Homeland Security departments will describe activities aimed at helping public and private sector utilities prioritise cyber security network investments.




1 comment


I feel sorry for Gregory Friedman. He is so screwed and he does not realize it yet. Gregory Friedman's problem is that he is becoming too good at identifying risk.

Twenty years ago I reported the same issues and was told I would never work again. Consultants managing financial systems at a nuclear power plant, in order to save money, had connected the nuclear power plant control systems to the internet. The control systems had no internal security so anyone on the internet could connect to them without a password and do anything they wanted to do to the reactor. When I told the consultant about the issue I was told that if I reported it I would never work again. I reported the issue anyway and have experienced significant retaliation by people that worked at the consulting company. (The consulting company is now out of business because of their complicity in several large frauds and I still experience retaliation.) Later I found another nuclear power plant on the internet. When I notified management I was threatened. After 9/11 I wrote a letter to the FBI about nuclear power plants being connected to the internet. The FBI found that 80% of nuclear power plants were connected to the internet and the Chinese had installed back doors in many of them. I wanted to talk to someone about necessary controls to prevent the problems from ever happening again but was labeled a trouble maker.

Same S#!^ different day.