FOR IMMEDIATE RELEASE: September 7, 2001

CONTACT: Carolyn Hinkley, 720-962-7054, hinkly@wapa.gov


Peer review helps ensure computer security

LAKEWOOD, Colo--When evaluating computer network security, sometimes the best advice comes from your peers. That's what two power marketing administrations learned during a peer review of network vulnerabilities in July. The first review was held July 9 to 13 at Western Area Power Administration's dispatch facility in Loveland, Colo., and the second was held July 16 to 20 at Bonneville Power Administration's Vancouver, Wash., facility.

The peer review was conducted to comply with the Government Information Security Reform Act and DOE's unclassified cyber security program, which aim to protect vital government information. To ensure compliance with these regulations, Congress asked DOE's Inspector General to review BPA's and Western's mission-critical communication (Supervisory Control and Data Acquisition and Automatic Generation Control) and financial networks for any possible vulnerabilities to computer hackers.

"Today, more than ever, our system is integrated with our business partners and is open to the Internet. As we get into more complex systems, there are more avenues for attacks. These are our business-critical systems, so we need to identify all possible security vulnerabilities and correct them before they can be exploited," said Jim May, Western's Information Technology manager.

The IG asked the PMAs to pay for an outside auditor to conduct the required review. Instead, Western and BPA proposed a PMA peer review format. In this approach, technical experts from both agencies would test each other's systems while the IG staff observed or participated as required. DOE's Acting CIO endorsed the idea, and the IG agreed to proceed with this in-house review, saving the PMAs about $225,000.

"The PMA Peer Review was so successful because we had highly technical experts who understood the mission-critical systems. It's very rare to have that expertise during an audit, and it led to more credible audit results," said Western's Chief Information Officer J. Eun Moredock.

Twenty-one people participated on the Peer Review Team, including Moredock and BPA's chief information officer; SCADA managers; Cyber Security program managers; technical SCADA/AGC and operations experts; IG auditors and a technical advisor from the DOE Computer Incident Advisory Capability function.

"Bringing in industry experts from BPA who understood issues specific to a power marketing agency added a lot to the process," said Dave Ambrose, Western's Rocky Mountain Region SCADA/EMS systems manager. "We knew what rocks to look under, and the IG provided a good, third-party perspective."

To ensure the most secure system, the team reviewed the following areas for vulnerabilities:

They agreed on some ground rules, such as which tools they would use, and resolved not to actually break into the systems. "We wanted a very controlled audit so there were no impacts to our mission-critical systems. If we saw any impact to operations, we could stop the process at any time," said Ambrose. Western's Cyber Security Program Manager Laurent Webber added, "You don't want SCADA to break down in the summer. When the system is loaded to capacity, you don't want any chance of compromising it."

Compromises include everything from acts of simple curiosity to terrorist attacks, said Webber. "Those who have discovered scanning tools are like folks rattling door knobs. Even if they don't intend to break in, they are curious. It goes beyond those people to folks who actually break into a system to change Web pages or make serious terrorist attacks," he said.

While the team found no major vulnerabilities, it is now working on enhancing existing cyber security tools, plans and procedures. Because of the team's success, future peer reviews are planned.

Moredock was pleased at the way the unique peer approach accomplished so many different objectives. "This creative, alternative audit process helped us avoid significant costs and allowed us to identify critical security impacts that Western needs to implement," she said. "This approach solidified the already close working relationship between the PMAs, and through partnering with the Inspector General, it strengthened the Department's cyber security program and protected critical assets.

"I want to thank the Peer Review Team, BPA's CIO and Peer Review Team and DOE's Acting CIO and the IG's technology director for supporting the nontraditional approach. A win-win situation was created for the Department and the PMAs," Moredock concluded.

-30-

Serving the West with Federal Hydropower