On October 23, 2013, the Inspector General of the Department of Energy (“DOE IG”) released an audit report evaluating FERC’s Unclassified Cyber Security Program. In the audit, the DOE IG concluded that despite FERC’s progress in improving its internal processes related to cyber security, FERC needs to take additional actions to improve its cyber security systems.
The Federal Information Security Management Act of 2002 requires that Federal agencies work to protect their information technology resources. Under the statute, the DOE IG is tasked with conducting independent evaluations of FERC’s unclassified cyber security program in order to determine the effectiveness of the program and whether it adequately protects FERC’s data and information systems.
In the report, the DOE IG noted that the vulnerabilities identified in the current audit are very similar to those identified in the DOE IG’s last audit of FERC’s systems in FY 2012. While acknowledging that FERC has made some progress in improving its cyber security regime, the DOE IG determined that FERC needed to take additional actions. The DOE IG recommended that FERC update its existing procedures to focus on identifying and addressing security vulnerabilities in a more timely manner. The DOE IG stressed that proactively protecting an information system by reducing system vulnerabilities “involves considerably less time than responding to exploitation of vulnerabilities.” Information on specific vulnerabilities was withheld from the report for security reasons, but the DOE IG did explain that multiple workstations and servers were running vulnerable software or had used vulnerable web browser applications, and that these vulnerabilities were determined to be high risk.
FERC responded to the draft report in comments dated October 17, 2013, explaining that it is in the process of reviewing and updating all existing policies, procedures, and security program documentation relating to its cyber security vulnerabilities. FERC is increasing the frequency of staff training related to the cyber security program and upgrading its software. FERC has also applied to become an early adopter of the Department of Homeland Security Continuous Diagnostic Monitoring Program, a program intended to allow agencies to procure more effective technologies through external appropriations. Further, FERC’s IT staff is actively working to stay informed of all newly discovered critical vulnerabilities.