WASHINGTON ― The Department of Energy’s Office of the Inspector General has revealed the results of its evaluation of the Federal Energy Regulatory Commission (FERC). The OIG found that the FERC, for the most part, had properly incorporated elements required by the Office of Management and Budget, Department of Homeland Security and National Institute of Standards and Technology into its cybersecurity program.
The FERC is responsible for regulating the interstate transmission/transportation of the United States’ natural gas, oil, and electricity and assisting consumers in receiving effective energy services. The OIG collaborated with KPMG LLP, a firm specializing in audit, tax and advisory services, to conduct an evaluation of the commission’s cyber posture, as required under FISMA.
KPMG LLP and the OIG found that FERC’s cybersecurity was within appropriate parameters with regard to federal standards. The OIG’s report specifically highlighted how FERC had effectively incorporated IT security controls for configuration and risk management, and security training.
Nonetheless, the OIG cited a recent security incident involving FERC’s cybersecurity program as a cause for concern. While the commission identified the cause of the incident, determined its impact and took corrective actions to address it, the OIG was concerned that certain controls might not have been in place to prevent the incident in the first place. As of the OIG’s evaluation, FERC is still analyzing the incident’s impact.
The OIG ultimately recommended that FERC’s executive director ensure the timely completion of the cyber incident analysis and “appropriately prioritize” preventative controls so that a similar incident does not occur again.