
Information Systems Audit Report 2019

Advanced Metering Infrastructure

Introduction

Our audit focused on the applications within the Advanced Metering Infrastructure used by the Regional Power Corporation, trading as Horizon Power (Horizon), to record, monitor and bill for the consumption of electricity. The applications store personal and sensitive client information such as customer name, address, date of birth and locations where electricity meters are installed.

Conclusion

The AMI system achieves its purpose. It collects and stores electricity consumption data and communicates the information to other Horizon business systems.

However, the integrity and confidentiality of the system and information it holds is at risk due to inadequate background checks and contractor access management. Improved network and database security controls would also strengthen system integrity.

Background

Horizon is a state government-owned corporation that generates, procures and distributes electricity to residential, industrial and commercial customers in regional towns and remote communities. Currently it provides electricity to over 100,000 residents and 10,000 businesses.

Horizon has a suite of applications to manage electricity consumption and billing. Together, they are referred to as Advanced Metering Infrastructure (AMI). These include the MV90, Velocity, MDR, MData21 and SSN systems. Our audit focused on the MV90 commercial metering system, and associated applications including the ‘My Account’ portal.

The following figure (Figure 5) shows an overview of information flow across the different parts of the AMI system.

In October 2016, more than 47,000 ageing electricity meters across regional WA were replaced with advanced meters. These meters allow Horizon to use the MV90 and other systems to collect electricity consumption data over the network without staff having to physically visit customer sites.

Audit findings

There are appropriate processes to detect and remedy consumption errors before bills are issued, but the value of errors is high

Horizon has good processes to detect and remedy data errors in consumption readings. Consumption readings occur daily for all advanced meters with network access. The Velocity system reports significant billing variances for early corrective action where required, and account managers review bills before they are issued to commercial customers.

In 2017-18, Horizon corrected errors valued at $1.43 billion (Figure 6). These comprised errors of $1.42 billion for one commercial customer and $8.5 million for other commercial customers. The $1.42 billion error arose from the manual reading of the customer’s meter which does not have network access and must be read using a handheld device. Remaining errors were due to factors such as incorrect rates being applied to a customer, incorrect data and system changes.

While Horizon resolves errors as they arise, their high value is concerning.

Inadequate human resource security and contractor access management

Horizon’s policies and processes do not require criminal history checks to be undertaken for staff. We found new staff employed without criminal history checks had privileged access to critical power infrastructure and systems. Additionally, regular background checks for key staff are not undertaken. Although recruitment processes include checks of references and qualifications, and medical tests, the process does not include criminal history checks. Without appropriate screening processes, staff may be assigned to positions of trust for which they are unsuitable.

We reviewed screening checks for 9 key staff and found 8 had not undergone adequate screening despite being in their roles for 3 to 14 months. This finding is concerning as these staff have privileged access to the network electricity management and other key systems.

We also found that Horizon’s access management for third party contractor staff is not effective due to inaccurate HR records. Our review of 6 enabled contractor accounts found 3 belonged to former contractors who left Horizon 1 to 3 months before. Horizon has outsourced most of its ICT functions and over 300 contractors have been given access to the network and key systems to perform their work. Without an effective process to revoke contractor access, there is an increased risk that these accounts could be used to attack Horizon’s IT network and systems.

We noted that Horizon does perform quarterly reviews of network access to identify and disable accounts that have not been used for 60 days. However, between reviews, contractors no longer working for Horizon can retain access to the network and systems.
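As an added illustration of the gap described above (not part of the OAG report or Horizon's own tooling), the following script reconciles enabled network accounts against HR leaver records; the account list, HR dates and the review date are constructed, and the 60-day threshold is the one the report cites:

```python
# Added example, not from the OAG report or Horizon: reconcile enabled network
# accounts against HR leaver records, to show why a quarterly review that only
# disables accounts idle for 60 days misses departed contractors between reviews.
from datetime import date

DORMANCY_DAYS = 60  # idle threshold used by the quarterly review in the report

# Constructed sample of enabled accounts (not real Horizon data)
ACCOUNTS = [
    {"user": "c.jones", "type": "contractor", "last_logon": date(2019, 2, 10)},
    {"user": "p.smith", "type": "contractor", "last_logon": date(2019, 3, 28)},
    {"user": "a.brown", "type": "staff", "last_logon": date(2018, 12, 10)},
    {"user": "svc_mv90", "type": "service", "last_logon": date(2019, 3, 30)},
]

# Constructed HR records: username -> contract or employment end date
LEAVERS = {"c.jones": date(2019, 2, 15), "p.smith": date(2019, 3, 20)}


def review(accounts, leavers, today, dormancy_days=DORMANCY_DAYS):
    """Classify enabled accounts.

    dormant: what the existing 60-day rule would disable.
    departed_active: leavers still enabled but not yet dormant (the gap).
    logon_after_departure: leaver accounts used after the HR end date.
    """
    result = {"dormant": [], "departed_active": [], "logon_after_departure": []}
    for acct in accounts:
        idle_days = (today - acct["last_logon"]).days
        end = leavers.get(acct["user"])
        if idle_days >= dormancy_days:
            result["dormant"].append(acct["user"])
        elif end is not None and end <= today:
            # Survives the dormancy review: disable on the HR leaver trigger instead
            result["departed_active"].append(acct["user"])
        if end is not None and acct["last_logon"] > end:
            # Activity after the leaving date warrants investigation, not just disabling
            result["logon_after_departure"].append(acct["user"])
    return result


if __name__ == "__main__":
    for category, users in review(ACCOUNTS, LEAVERS, date(2019, 3, 31)).items():
        print(f"{category}: {', '.join(users) or '-'}")
```

Running the reconciliation on the HR leaver trigger (daily or on each contract end) rather than on the quarterly dormancy cycle closes the window the report describes.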

System information is at risk of errors and unintentional disclosure

Horizon relies on manual forms to record important meter installation information before the information is entered in the applications. Manual workflows increase the risk of inaccurate information being entered into the applications. While Horizon informed us that a process to validate data entered from forms into the applications is in place, it is not clear if the process is carried out due to lack of documentation. Data errors will go unnoticed and impact the integrity of information if a data validation process is not consistently followed.

These forms also contain sensitive information such as property addresses and meter configuration details, including internet protocol (IP) addresses. We also found an instance of a Horizon staff member using a private email account to transmit this sensitive information to Horizon. The use of a private email account to transmit sensitive information increases the risk of unintentional disclosure. Horizon could improve the confidentiality and integrity of its information by implementing processes to collect data electronically.

There is room to improve security of the network and electronic records

Horizon’s network and database security controls do not fully protect the confidentiality, integrity and availability of information. Weaknesses we found include:

  • Inappropriate configuration of the network firewall – The firewall that separates the AMI network from Horizon’s main corporate network was not properly configured (Figure 7). This increased the risk of cyber-attacks and unauthorised access to Horizon’s key systems. Horizon has since addressed this issue. We also found that the firewall software was out-of-date. Software updates which addressed security vulnerabilities and performance issues had not been installed. This led to performance issues with the firewall and leaves the networks vulnerable to exploitation. Horizon has started work to update the firewall software.

  • Database security is weak – A number of security weaknesses render AMI databases vulnerable to unauthorised and inappropriate access, compromising the confidentiality and integrity of information in the databases.
    • AMI databases are not segregated to restrict and protect information from unauthorised access. Additionally, network users could access the databases due to a network policy error. Good practice suggests only those systems and users that need access should have access to databases.
    • Two databases had not had patches installed for 2 years and were missing 12 software updates, released to address security and performance issues. The risk that vulnerabilities will be exploited is increased when patches are not applied in a timely manner.
    • Personal information such as names, addresses, dates of birth, and gender are not encrypted to reduce the risk of the information being inappropriately used. Encryption increases the security of sensitive information and reduces the risk of inappropriate access.
    • Nine database accounts had not applied the password policy to enforce strong passwords. Weak passwords increase the risk of unauthorised access to systems and information.
    • One database had inappropriately assigned privileges to all users. This allowed users to access privileged functions and gain access to sensitive information.
  • Network access accounts are not well managed – The password for the highly privileged ‘Administrator’ account has not been changed for an extended period. This is despite privileged accounts being among the most targeted by hackers because they allow high levels of access. We also found from a sample of 16 network access accounts that 9 belonged to former staff and contractors and had not been disabled. Three of these can access ICT systems remotely. Without appropriate controls there is an increased risk of unauthorised or inappropriate access to the whole network.
  • Weak web server configuration – Our external vulnerability assessment of the ‘My Account’ web portal identified a number of security weaknesses. These weaknesses increase the risk of unauthorised access or unintentional disclosure of information. We identified:
    • the use of a legacy security protocol that has known vulnerabilities
    • the use of encryption algorithms that are weak and known to have been compromised
    • default application settings that make it susceptible to cyber-attacks.

Members of the public can use the ‘My Account’ portal to pay bills, update personal details and track their electricity consumption. If sensitive information was inappropriately accessed or disclosed it may lead to reputational damage for Horizon and adversely affect members of the public. Horizon’s test of the portal also identified similar vulnerabilities and work is underway to address these weaknesses.

  • Lack of logging and event monitoring policy – A formal activity log and event monitoring policy is not in place. This increases the risk that monitoring will be inconsistent and not identify potential problems, trends or ongoing attempts to compromise systems and information. We found that Horizon has good processes to capture application and system transactions, and activity. A formal monitoring policy would significantly strengthen controls.

There is a mature vulnerability management program but weaknesses in this process leave systems and information at risk of exposure

Third party application patching processes are ad hoc and informal. As a result, we found vulnerabilities in a number of systems. Without effective processes to manage vulnerabilities in third party applications, there is an increased risk that vulnerabilities could be exploited. This may result in unauthorised access to sensitive data or a loss of system operation in the event of a cyber-attack.

We found that Horizon has a mature vulnerability management process. Assessments and cyber security penetration tests are carried out regularly to identify potential security weaknesses. While database and third party application vulnerabilities could be better managed, operating system patches are installed in a timely manner to address known vulnerabilities.

Recommendations

Horizon should:

  1. determine, and where necessary resolve, the causes of consumption reading errors
    Horizon response: Agreed
    Implementation timeframe: by December 2019
  2. develop appropriate policies and procedures to conduct adequate staff and contractor background checks
    Horizon response: Agreed
    Implementation timeframe: by July 2019
  3. review manual processes and consider the use of digital forms and processes
    Horizon response: Agreed
    Implementation timeframe: by July 2019
  4. review and implement appropriate network and database security controls
    Horizon response: Agreed
    Implementation timeframe: by July 2019
  5. review and implement appropriate user access management practices
    Horizon response: Agreed
    Implementation timeframe: by July 2019
  6. enhance the vulnerability management process to include third-party applications.
    Horizon response: Agreed
    Implementation timeframe: by July 2019

Response from Horizon Power

Horizon Power welcomes the application control and management review by the Office of the Auditor General (OAG). The results confirm a number of findings identified through internal assessments and provide additional areas for improvement. Horizon Power has agreed to all of the recommendations and has moved quickly to address all recommendations where reasonable. The confidentiality, integrity and availability of systems remains a focus for Horizon Power and audits conducted by the OAG assist in improving controls and governance across our environment.

  1. Horizon Power is aware of the reasons for consumption data issues and advises that there is very limited practical ability to resolve these issues due to the complexity of Large Enterprise contract management and billing. Horizon Power agrees with the intent of the recommendation, and will continue to investigate issues and seek improvements but will need to continue to make manual bill adjustments related to contract conditions. It is pleasing that the OAG has noted the controls in place. Horizon Power also notes that no incorrect bills were issued as a result.
  2. Horizon Power has implemented improvements to the employee and contractor on-boarding and off-boarding processes, including criminal history checks prior to appointment to positions of trust and regularly throughout the employment period.
  3. Horizon Power will be assessing the costs and benefits of implementing a digital solution. In the meantime, Horizon Power has reinforced with employees the importance of the accuracy and confidentiality of data collected through manual forms.
  4. Horizon Power has identified, reviewed and implemented improvements to remediate issues identified prior to, and during, the audit within the network and database security control environment.
  5. Horizon Power has implemented the necessary improvements to user access management practices. The improvements have predominantly been within the employee and contractor on-boarding and off-boarding processes to ensure that user access is accurate and updated in a timely manner.
  6. Horizon Power has conducted a review to identify any existing vulnerabilities within third-party applications. In addition, there have been improvements made to the patch management process in relation to third-party applications.
