Report points to flaws in regulatory agency's IT security

Federal Energy Regulatory Commission agrees to fix weaknesses, but argues password problems are minimal.

The information security program at the federal commission governing the natural gas industry, oil pipelines and hydroelectric projects fails to meet federal requirements, leaving the agency at risk to cyberattacks, auditors concluded in a recent report.

The Federal Energy Regulatory Commission has taken steps to strengthen its cybersecurity program, the Energy Department's inspector general found in the report (OAS-M-06-10). But passwords to access the agency's information technology systems remain easy to guess, blank or set by default, the report stated, even though this deficiency had been identified before.

The review, released Monday, also concluded that the agency failed to properly execute or adequately document security assessments and annual security reviews on four systems. The review focused solely on the unclassified portions of the commission's cybersecurity program.

Thomas Herlihy, executive director of the regulatory commission, agreed with the IG's recommended fixes for these weaknesses. But in a response to the report, he argued that the password problem was insignificant since it affected less than a quarter of 1 percent of all accounts.

He also said the agency has corrected all blank and easy-to-guess passwords, and noted that it has been highly successful at training employees on security awareness.

The IG's office disagreed. Rickey Hass, assistant inspector general for financial, technology and corporate audits, said in the report that even a small number of weak passwords could allow a user to compromise the agency's system by installing malicious programs that could open a path to obtaining unauthorized information.

Procedures intended to discover and suspend inactive network user accounts were not always effective, the report stated. The commission's policy requires that accounts unused for 90 days must be disabled to reduce the risk of unauthorized systems access, but the IG found that 20 accounts remained active even though they had not been used for nearly a year.
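The 90-day rule described above is easy to state and, as the finding shows, easy to let slip. The following is an added example, not code from the report or the commission: a small Python audit that walks a list of account records, computes how long each enabled account has been idle as of a fixed audit date, and flags those at or past the policy threshold. The account names, dates and the audit date are constructed sample values; the `(username, last_login, enabled)` tuple layout is an assumption standing in for whatever a directory export would actually provide.

```python
from datetime import date

# Policy threshold from the IG report: accounts unused for 90 days must be disabled.
INACTIVITY_LIMIT_DAYS = 90

# Fixed audit date so the check is deterministic and runs offline (constructed).
AUDIT_DATE = date(2006, 9, 1)

# Constructed sample records: (username, last_login, enabled). Not from the report.
SAMPLE_ACCOUNTS = [
    ("analyst01", date(2006, 8, 30), True),    # used two days ago: compliant
    ("contractor7", date(2005, 9, 15), True),  # idle nearly a year, still enabled
    ("intern_2005", date(2005, 10, 1), True),  # also stale and still enabled
    ("retired_user", date(2005, 5, 1), False), # stale but already disabled: compliant
    ("svc_backup", date(2006, 5, 20), True),   # 104 days idle: over the limit
    ("boundary_90", date(2006, 6, 3), True),   # exactly 90 days idle: policy applies
    ("boundary_89", date(2006, 6, 4), True),   # 89 days idle: not yet covered
    ("newhire", None, True),                   # never logged in: no evidence of use
]


def days_idle(last_login, as_of=AUDIT_DATE):
    """Days since the last login, or None if the account has never been used."""
    if last_login is None:
        return None
    return (as_of - last_login).days


def find_noncompliant_accounts(accounts, as_of=AUDIT_DATE, limit=INACTIVITY_LIMIT_DAYS):
    """Return (username, days_idle) for enabled accounts that should already be disabled.

    Accounts that are already disabled are skipped regardless of age, since the
    policy is about enabled access. Accounts with no recorded login are flagged
    too: without evidence of use there is nothing to justify keeping them active.
    """
    findings = []
    for name, last_login, enabled in accounts:
        if not enabled:
            continue
        idle = days_idle(last_login, as_of)
        if idle is None or idle >= limit:
            findings.append((name, idle))
    return findings


def compliance_summary(accounts, as_of=AUDIT_DATE, limit=INACTIVITY_LIMIT_DAYS):
    """Counts an auditor would report: enabled accounts checked and how many failed."""
    enabled = [a for a in accounts if a[2]]
    failed = find_noncompliant_accounts(accounts, as_of, limit)
    return {"enabled": len(enabled), "noncompliant": len(failed),
            "oldest_idle_days": max((d for _, d in failed if d is not None), default=0)}


if __name__ == "__main__":
    for name, idle in find_noncompliant_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {'never used' if idle is None else f'{idle} days idle'}")
    print(compliance_summary(SAMPLE_ACCOUNTS))
```

Two details matter for a check like this. The threshold comparison is `>=`, so an account idle for exactly 90 days is flagged, matching a policy worded "unused for 90 days"; and never-used accounts are reported rather than silently skipped, because a missing last-login value is one of the ways stale accounts survive a review.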

Agency IT management officials told the IG office that, rather than conforming to Office of Management and Budget requirements for annual systems security review processes, they chose to adopt their own approach that was "better suited to the size and systems available" at their organization.

The commission's $27 million IT program is protected with about $1 million worth of security, an increase from $720,000 reported a year ago. An October 2005 IG report found that despite improved policies, commission staff did not always comply.

Overall, the Energy Department has received an F grade for several years in a row on the Federal Computer Security Scorecard, compiled annually by the House Government Reform Committee. FERC is an independent agency but is grouped under the Energy Department for budgetary purposes. The rating process, which is based on agencies' compliance with the 2002 Federal Information Security Management Act, has been criticized by some security experts as ineffective at measuring actual IT security levels.

In June, the Energy Department's National Nuclear Security Administration revealed that in September 2005, a "sophisticated" hacker compromised 1,500 personnel records.
