Energy Department auditors cite cybersecurity flaws at FERC
- By Wilson P. Dizard III
- Oct 11, 2005
The Energy Department's inspector general has found fault with cybersecurity procedures in the Federal Energy Regulatory Commission's unclassified cybersecurity program.
In a report
issued today, the IG noted that FERC officials have continued to improve their cybersecurity program, and cited improvements since a previous review in 2002.
However, the IG staff found several areas in which FERC was deficient, including:
- Access controls had in some cases not been implemented via strong password management
- Some software with known security flaws was not replaced, and some users were at times provided access at higher levels than their duties required
- Not all cybersecurity weaknesses were traced and resolved.
Auditors said FERC had overlooked the problems because officials had failed to complete compliance evaluations required by general federal requirements and agency-specific rules.
The report, however, omitted information on specific vulnerabilities and how they might be fixed. FERC management said that it generally concurred with the IG's findings and recommendations.