BPA Response to IG Report

Bonneville Power Administration response to a report by a federal auditor that found major shortcomings with regard to its cyber security and computer systems.
Response to IG Draft Report - Appendix.docx   Page 1   3/27/2012   2/22/2012

Bonneville's Responses to the IG's Draft Audit Report

This appendix supports Bonneville's response to the Inspector General's Draft Audit report: Management of Bonneville Power Administration's Information Technology Program. It is intended to correct several erroneous assertions made in the report and provide interested parties with additional information regarding the effectiveness and efficiency of BPA's IT program. Our program follows a continuous improvement process and uses the agency's balanced scorecard to measure progress. We believe the material provided below will provide a broader sense of the quality of our program, as we respond to specific statements made in the OIG's draft report. The items below are listed in the order in which they were mentioned in the OIG's draft report.

_____________________________________________________________________________________

Statement: Testing identified 11 servers that were configured with weak passwords.

BPA Position: Agree – A standard password complexity policy will be developed.

Pertinent Facts: The Administrative account in question used a password that met industry established levels of complexity on the specified servers. This is the default password the server team uses to build the system from scripts. The issue here is not in the strength of the password but rather that the password was not changed prior to moving into production. Bonneville agrees a policy must be put into place to address a standard password complexity and related processes for bringing servers into the production environment.

_____________________________________________________________________________________

Statement: Patches to address known vulnerabilities had not been applied to software in a timely manner. Our testing identified more than 400 vulnerabilities that were designated as high risk in the National Vulnerability Database, which is sponsored by the Department of Homeland Security.

BPA Position: Agree – But, further clarification needed (see below);

Pertinent Facts: The 400 number is duplicative, and actually indicates 103 unique vulnerabilities, with the largest majority being outdated versions of the HP System Management application. The remaining 11 vulnerabilities have been remediated.

_____________________________________________________________________________________

Statement: … three servers that were running software that was no longer supported by the manufacturer, a condition which increased the risk of exploit on those servers as patches were no longer being issued when vulnerabilities were identified. Bonneville told us that it was aware of the outdated software issue and that efforts were underway prior to the audit to migrate the servers to a current software version. We noted, however, that a plan to do so had not been completed by the end of our fieldwork.

BPA Position: This effort, where applicable, was already underway prior to audit.

Pertinent Facts: A number of the applications running on these systems require an old Windows 2000 platform and have no capability to be migrated to a current operating system. This is simply a fact of life for some of the older applications in our production environment.

_____________________________________________________________________________________

Statement: … we found that Bonneville had developed and implemented standard configurations for only two of its four server operating systems.

BPA Position: This effort was already underway prior to audit.

Pertinent Facts: Bonneville agrees with this finding; however, the two operating systems (WIN2003 and WIN2008) utilizing standard configurations constitute over 96% of all our server operating systems. Additionally, since the IG audit we have developed and implemented a standard for the Linux OS. This leaves only the Solaris OS as the one outstanding OS without an established standard, a shortcoming that will be resolved by the end of Q3 FY12.

_____________________________________________________________________________________

Statement: … 12 instances where regular users had been assigned administrative privileges to servers based on group membership.

BPA Position: Agree – Privileges will be removed;

Pertinent Facts: This refers to a list of users whose accounts had administrative privileges through group membership. Whether or not the users needed these privileges is a matter of opinion, but that opinion is based on the table of information provided to the OIG by BPA; based on those descriptions, we conclude that only 3 of the 12 should have administrative privileges.

_____________________________________________________________________________________

Statement: … only two of six systems had contingency plans that were documented and tested for effectiveness.

BPA Position: This effort was already underway prior to audit.

Pertinent Facts: Asset Management and Engineering (AME) is a system of systems, as is the Information Technology Infrastructure (ITI) system. These two collections of systems meet the definition for general support system described in government regulations and are groupings used for governance and compliance under the Federal Information Security Management Act (FISMA); they are not systems that would have a monolithic plan for contingencies. Some of the subsystems in AME do not require detailed contingency plans as they are already distributed systems with automatic failover or simply are not of high enough categorization to be of concern. The ITI is the infrastructure itself, which includes an alternate datacenter. AME and ITI then are large groupings of individual applications and infrastructure; ProjectWise is a subsystem within AME and GRC is a Software as a Service system. Although formal contingency plans do not currently exist, BPA IT has processes in place that have been tested for the business and administrative infrastructure (the ITI) on which the majority of BPA IT systems rely, including AME; tape back-ups and off-site storage provide a common strategy for contingencies which nearly all of these systems inherit. BPA IT is committed to getting formal contingency plans in place for the infrastructure and business systems as resources allow.

_____________________________________________________________________________________

Statement: … we identified project planning issues with the Transmission Asset System (TAS) and noted that the system underwent significant modifications to its cost, scope and schedule after the business case was initially approved. Cost estimates for project completion had been modified at least twice and were considerably higher than originally planned. Specifically, while the TAS project was approved for development in 2009 at an estimated cost of $4.5 million, the cost to complete the project rose to approximately $7.4 million a short time later when it entered the execution phase. Subsequently, the estimated cost of the project increased again to more than $12 million even though its functionality had been significantly reduced. Officials told us that preliminary planning costs were only rough estimates and that the planned cost was actually $8.3 million. We found, however, that the decision to proceed with the project was based, in part, on the original estimate of $4.5 million. Officials reported that the project was ultimately completed for $11.5 million in July 2011, 16 months later than originally planned.

BPA Position: Agree – but, further clarification needed (see below);

Pertinent Facts: Cost figures contained in the report are misleading. The $4.5m figure was an initial projection at project inception. The Planning Stage forecast was $7.4M. After final vendor selection and negotiations, and completion of planning activities, the approved cost was $8.3M. The project was successfully delivered, consistent with the CAB-approved (Capital Allocation Board) business case. The delta in project costs ($8.3m at the end of planning and $11.5m provided as final costs) was approved by executive sponsors and formal project oversight committees – once approved, the project was managed and delivered according to the approved values.

_____________________________________________________________________________________

Statement: … Bonneville officials reported that the Governance, Risk, and Compliance (GRC) Resolver project also exceeded its estimated cost and schedule even though the initial scope was reduced. Although officials initially documented the need for the project, we found that planning documentation was high-level and did not adequately consider activities related to cost-benefit analyses, project schedule, or user requirements. For instance, while originally intended for use by multiple program offices at Bonneville, the scope of the project was reduced so that only one office had access to and was utilizing the system. The remainder of the project's scope is now proposed to be completed as separate projects at additional cost. Bonneville was unable to provide documentation to support various phases of the project life-cycle, including both planning and execution. Even with a decreased scope, the project exceeded its initial budget by almost $160,000.

BPA Position: Agree - But, further clarification needed (see below);

Pertinent Facts: The fact that "only one office had access to and was utilizing the system" was based on Bonneville's decision to focus on the compliance aspects of the software package in support of the NERC-CIP certification process over the Internal Audit and A123 aspects, as it was deemed a higher business priority.

_____________________________________________________________________________________

Statement: … we also identified problems with the Dispatch Logging System managed by the Transmission Operations organization. Specifically, we found that over the life of the project, the budget had increased by approximately $650,000 to $3.2 million. In addition, while initially scheduled for completion in May 2005, the project was not completed until late in 2010 – approximately five years later. As with the other projects reviewed, the Dispatch Logging System's scope had been modified to include functions that were not identified or included as part of the original project planning process. Specifically, initial planning documentation did not include relevant information related to all components of the project, training costs, and detailed schedule with dates, milestones and resource needs.

BPA Position: Disagree

Pertinent Facts:

Project delay - Resources were reallocated, causing a delay in the project, based upon management's decisions to allow the DLS project to idle while more critical projects were completed, including the WECC No Sanctions, WECC EIDE Interface, and NERC CIP implementation. In addition, the original project scope was expanded to include 2 system replacements (DLS and COMPASS) rather than just one.

Scope changes - Changes to project scope, schedule and budget are made only by project sponsors, and are based on risk and cost benefit decisions. The changes to scope in this project were approved by the project sponsors (managers and executives within the System Operations organization) representing the end users and automation support staff.

_____________________________________________________________________________________

Statement: … Bonneville had purchased several types of software over the past three years that had not been properly tested by cyber security and included on an approved software list to ensure that it would not conflict with Bonneville's operating environment.

BPA Position: Agree - But, further clarification needed (see below);

Pertinent Facts: Bonneville's Approved Software List contains titles that are approved for installation into the Agency's production environment. It is not a list of software approved for purchase. This is an important distinction in understanding the OIG's report. Some software titles identified in the report as not being on the Approved Software List are just variations of titles (e.g. Hummingbird Exceed vs. Exceed). It's important to note that vendors normally sell only the current version of a given software license. This means, to ensure license compliance, we must buy the currently available version, yet install the previous (approved) compatible version for the client.

_____________________________________________________________________________________

Statement: … about 50 percent of software purchased by TO was not on the approved software list, compared with only 7 percent for the rest of BPA.

BPA Position: Agree – Effort will be undertaken;

Pertinent Facts: We generally agree that the Approved SW List maintained by the CIO's office does not include software unique to Grid Operations IT. Bonneville will work to incorporate Grid Ops software titles into the Approved SW List, so that one composite standards list governs production software across all Bonneville. Transmission Operations (TO) purchases software via the standard supply chain purchasing processes through the use of a TRR (Technology Resource Request) form. Some software purchases are done via the contracting office as a standard contract agreement. The TRR process has stopped or changed some software requests that were not on the approved software list. There are a few times when TO needs a software product not on the approved list, but is allowed to purchase since the product is only to be used in the control center environment. TO does keep its own list of software it uses in the control center environment.
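Added example for the weak-password item above (the first item in the response); this is illustration code, not BPA's tooling or anything from the OIG report. It shows the gap the item describes: a password can satisfy a complexity policy and still be the shared build-script default, so a pre-production gate needs a second check that the build default has been rotated. The length and character-class thresholds, the two placeholder default passwords and the SHA-256 digest comparison are assumptions made for the example.

```python
"""Pre-production password gate: complexity policy plus build-default check.

Added example for illustration, not BPA's tooling. Thresholds and the
placeholder default passwords are assumptions.
"""
import hashlib
import hmac
import re

MIN_LENGTH = 12      # assumed policy value
MIN_CLASSES = 3      # assumed policy value: at least 3 of the 4 classes below
CHARACTER_CLASSES = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

# Placeholder build-script defaults (constructed for this example). In
# practice only their digests would be kept, in a secrets store, so the gate
# can recognise a default without holding it in clear text.
_PLACEHOLDER_DEFAULTS = ("Build-Default#2012", "Imag3Tmpl@te!")
BUILD_DEFAULT_DIGESTS = sorted(
    hashlib.sha256(p.encode("utf-8")).hexdigest() for p in _PLACEHOLDER_DEFAULTS
)


def complexity_failures(password):
    """Return the complexity rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"length < {MIN_LENGTH}")
    present = sum(1 for rx in CHARACTER_CLASSES.values() if re.search(rx, password))
    if present < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    return failures


def is_build_default(password):
    """True if the password equals any recorded build-script default."""
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # compare every stored digest with a constant-time comparison
    matches = [hmac.compare_digest(digest, d) for d in BUILD_DEFAULT_DIGESTS]
    return any(matches)


def production_gate(password):
    """All reasons this server must not be promoted with this password."""
    failures = complexity_failures(password)
    if is_build_default(password):
        failures.append("matches a build-script default; rotate before promotion")
    return failures


if __name__ == "__main__":
    for candidate in ("Build-Default#2012", "short1!", "Rotated-Pr0d-Secret#7"):
        print(candidate, "->", production_gate(candidate) or "OK")
```

Run stand-alone it reports that the first placeholder default passes complexity but is rejected as an unrotated build default, which is exactly the case the audit finding turned on.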
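Added example for the patching item above, where BPA's point is that "more than 400 vulnerabilities" were per-host scanner hits that collapse to 103 unique vulnerabilities, most of them one outdated HP System Management version. This is illustration code, not from the response or the report: it parses a scanner export, counts raw high-risk hits against unique vulnerability IDs, and shows how many hits clear when a single product is patched everywhere. The CSV rows, host names, the "vuln-N" placeholder IDs (not real CVE identifiers), the product names other than HP System Management, and the 7.0 CVSS threshold for "high" are all constructed or assumed.

```python
"""Collapse per-host scanner hits into unique vulnerabilities by product.

Added example; the CSV export below is constructed and the 'vuln-N' IDs are
placeholders, not real CVE identifiers.
"""
import csv
import io
from collections import defaultdict

HIGH_RISK_CVSS = 7.0  # assumption: treat CVSS >= 7.0 as the "high" band

SAMPLE_EXPORT = """host,vuln_id,product,cvss
srv-01,vuln-1,HP System Management,7.5
srv-02,vuln-1,HP System Management,7.5
srv-03,vuln-1,HP System Management,7.5
srv-01,vuln-2,HP System Management,9.3
srv-02,vuln-2,HP System Management,9.3
srv-04,vuln-3,Web server,7.2
srv-05,vuln-3,Web server,7.2
srv-04,vuln-4,TLS library,5.0
"""


def parse_findings(csv_text):
    """One (host, vuln_id, product, cvss) tuple per scanner row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], r["vuln_id"], r["product"], float(r["cvss"])) for r in reader]


def summarize(findings, threshold=HIGH_RISK_CVSS):
    """Raw high-risk hit count versus unique vulnerabilities, grouped by product."""
    high = [f for f in findings if f[3] >= threshold]
    unique_by_product = defaultdict(set)
    findings_by_product = defaultdict(int)
    hosts_per_vuln = defaultdict(set)
    for host, vuln_id, product, _ in high:
        unique_by_product[product].add(vuln_id)
        findings_by_product[product] += 1
        hosts_per_vuln[vuln_id].add(host)
    return {
        "raw_findings": len(high),
        "unique_vulns": len({f[1] for f in high}),
        "unique_by_product": {p: len(v) for p, v in unique_by_product.items()},
        # raw hits that disappear if this one product is patched on every host
        "findings_by_product": dict(findings_by_product),
        "hosts_per_vuln": {v: sorted(h) for v, h in hosts_per_vuln.items()},
    }


if __name__ == "__main__":
    s = summarize(parse_findings(SAMPLE_EXPORT))
    print(f"{s['raw_findings']} raw high-risk findings, {s['unique_vulns']} unique")
    for product, n in sorted(s["findings_by_product"].items(), key=lambda kv: -kv[1]):
        uniq = s["unique_by_product"][product]
        print(f"  patch {product}: clears {n} findings ({uniq} unique)")
```

On the constructed data, 7 raw high-risk hits reduce to 3 unique vulnerabilities, and updating the HP product on three hosts clears 5 of the 7; the same grouping is what turns a 400-line scan report into a short remediation list, and the remaining per-host list is what should be tracked to closure.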
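Added example for the administrative-privileges item above, in which users held administrator rights on servers "through group membership" and only 3 of 12 were judged to need them. This is illustration code, not BPA's review process: it resolves nested group membership (with protection against membership cycles) to the set of users who effectively reach a server's administrators group, records the nesting path for each, and flags those whose recorded role does not justify the right. The group export, role table, server name and the set of justifying roles are constructed; in a Windows domain the membership data would come from something like Get-ADGroupMember -Recursive or net localgroup Administrators on the server.

```python
"""Resolve nested group membership to effective server administrators.

Added example; the directory export and role table are constructed, not
BPA data. Names beginning "g:" are groups, names beginning "u:" are users.
"""

SAMPLE_GROUPS = {
    "g:srv-app01-administrators": ["g:app-support", "u:sysadmin1", "g:domain-admins"],
    "g:app-support": ["u:analyst1", "u:analyst2", "g:app-dev"],
    "g:app-dev": ["u:dev1", "g:app-support"],  # nesting cycle, on purpose
    "g:domain-admins": ["u:sysadmin2"],
    "g:helpdesk": ["u:hd1"],                    # not nested under the admins group
}

SAMPLE_ROLES = {
    "u:sysadmin1": "server administrator",
    "u:sysadmin2": "server administrator",
    "u:analyst1": "business analyst",
    "u:analyst2": "business analyst",
    "u:dev1": "application developer",
    "u:hd1": "help desk",
}

# Assumed policy: only this role justifies membership in a server admins group.
ADMIN_JUSTIFYING_ROLES = {"server administrator"}


def effective_members(groups, root):
    """Return {user: nesting path} for every user reachable from root.

    Depth-first walk over group-to-member edges; the visited set stops the
    walk from looping when groups contain each other.
    """
    result = {}
    visited = set()
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        for member in groups.get(node, []):
            if member.startswith("u:"):
                result.setdefault(member, path + [member])
            elif member not in visited:
                stack.append((member, path + [member]))
    return result


def review_admins(groups, roles, admin_group, justified_roles):
    """List effective admins and the ones whose role does not justify it."""
    members = effective_members(groups, admin_group)
    unjustified = {
        user: " -> ".join(path)
        for user, path in members.items()
        if roles.get(user) not in justified_roles
    }
    return {"effective_admins": sorted(members), "unjustified": unjustified}


if __name__ == "__main__":
    report = review_admins(SAMPLE_GROUPS, SAMPLE_ROLES,
                           "g:srv-app01-administrators", ADMIN_JUSTIFYING_ROLES)
    print("effective admins:", ", ".join(report["effective_admins"]))
    for user, path in sorted(report["unjustified"].items()):
        print(f"  review: {user} via {path}")
```

The path string is what makes the finding actionable: it shows which nesting link to cut (here, "g:app-support" inside the server's administrators group) rather than just which user to remove, and the same walk run against every server's administrators group produces the kind of per-user table BPA describes giving to the OIG.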