[ISN] Energy Department auditors cite cybersecurity flaws at FERC

InfoSec News isn at c4i.org
Wed Oct 12 00:08:41 EDT 2005


http://www.gcn.com/vol1_no1/daily-updates/37284-1.html

By Wilson P. Dizard III 
GCN Staff
10/11/05

The Energy Department's inspector general has found fault with
procedures in the Federal Energy Regulatory Commission's
unclassified cybersecurity program.

In a report [1] issued today, the IG noted that FERC officials have
continued to improve their cybersecurity program, and cited
improvements since a previous review in 2002.

However, the IG staff found several areas in which FERC was deficient,
including:

* Access controls had in some cases not been implemented via strong
  password management 

* Some software with known security flaws was not replaced, and some 
  users were at times provided access at higher levels than their 
  duties required 

* Not all cybersecurity weaknesses were traced and resolved.

Auditors said FERC had overlooked the problems because officials had
failed to complete compliance evaluations required by general federal
requirements and agency-specific rules.

The report, however, omitted information on specific vulnerabilities
and how they might be fixed. FERC management said that it generally
concurred with the IG's findings and recommendations.

[1] http://www.ig.doe.gov/pdf/ig-0704.pdf
