FERC Has Cybersecurity Problems, Says DOE IG

The commission seeking greater authority over the cybersecurity of the nation’s electric grid has security problems of its own. A recently released audit of Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program by the Inspector General (IG) of the Department of Energy (DOE) has revealed much room for improvement. While acknowledging that the commission has improved since DOE’s FY2010 evaluation, the audit cited continued weaknesses related to timely remediation of software vulnerabilities, and failure to implement FERC’s own Vulnerability Management Program (VMP) as the reasons for its findings. 

The audit stated that “specifically, we noted that 32 of 70 vulnerabilities we identified were rated "high risk" by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division.” Nine of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, and were primarily associated with third-party productivity and internet applications. “All of the "high risk" vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor.”
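The metrics the auditors report (high-risk findings, how many have been open past 30 days or a year, and hosts running unsupported software) are exactly what a vulnerability management program should be producing on its own. The following is an added illustration, not code from the audit or from FERC, of an aging report over a constructed scan export; the CVE identifiers, hostnames, dates and the 30-day and 365-day targets are assumed for the example.

```python
from dataclasses import dataclass
from datetime import date

HIGH_RISK_CVSS = 7.0   # NVD CVSS v2 "High" band starts at 7.0
OVERDUE_DAYS = 30      # assumed VMP target for high-risk patches
STALE_DAYS = 365       # "missing patches more than 1 year old"

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float            # vendor or NVD base score
    patch_released: date   # date a fix became available
    vendor_supported: bool = True  # False if the product is end-of-life

def age_report(findings, today):
    """Count distinct high-risk vulnerabilities by how long a fix has been
    available, and list hosts running software the vendor no longer supports."""
    high = [f for f in findings if f.cvss >= HIGH_RISK_CVSS]
    age = lambda f: (today - f.patch_released).days
    hosts_per_cve = {}
    for f in high:
        hosts_per_cve.setdefault(f.cve, set()).add(f.host)
    return {
        # one vulnerability present on many hosts is still one finding
        "high_risk": len(hosts_per_cve),
        "over_30_days": len({f.cve for f in high if age(f) > OVERDUE_DAYS}),
        "over_1_year": len({f.cve for f in high if age(f) > STALE_DAYS}),
        "hosts_per_cve": {c: len(h) for c, h in hosts_per_cve.items()},
        "unsupported_hosts": sorted({f.host for f in findings if not f.vendor_supported}),
    }

# Constructed sample scan export; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("ws01",  "CVE-0000-0001", 9.3, date(2010, 12, 1)),
    Finding("ws02",  "CVE-0000-0001", 9.3, date(2010, 12, 1)),
    Finding("srv01", "CVE-0000-0002", 7.5, date(2012, 2, 10)),
    Finding("srv02", "CVE-0000-0003", 4.3, date(2011, 1, 5)),
    Finding("srv03", "CVE-0000-0004", 8.0, date(2011, 12, 15), vendor_supported=False),
]

if __name__ == "__main__":
    for key, value in age_report(SAMPLE, date(2012, 3, 1)).items():
        print(f"{key}: {value}")
```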

While FERC budgeted approximately $3.8 million during fiscal 2011 to secure its information technology assets, FERC cited “budget and resource constraints” as the reason for not following its own VMP. In addition, FERC said that some patches were not instituted because of adverse operational impacts.