The Department of Energy's largest Power Marketing Administrations (PMAs), Bonneville,
Western Area, and Southwestern, provide wholesale electric power to utilities for use in homes,
hospitals, financial institutions and military installations. Serving the electricity supply needs of
millions of citizens in the western part of the United States, these PMAs maintain an elaborate
and extensive infrastructure that includes electrical substations, high-voltage transmission lines
and towers, and power system control centers. To protect these assets, the PMAs follow safety
and security requirements established by the Department, the North American Electric
Reliability Corporation (NERC), and the Department of Homeland Security (Homeland
Security). Under established policy, the PMAs are required to conduct vulnerability and risk
assessments of their most critical assets to: evaluate existing security systems; analyze current
threat information; identify security enhancements needed to reduce risk; and, document the
level of risk PMA management is willing to accept on individual critical assets.
In 2003, the Office of Inspector General reported in our Audit of Power Marketing
Administration Infrastructure Protection (OAS-B-03-01, April 2003) that Bonneville had
initiated, but not yet completed vulnerability and risk assessments; Western had conducted
inadequate assessments; and, Southwestern had not conducted any assessments. Given the
importance of these efforts to safeguarding the Nation's electrical infrastructure, we initiated this
audit to determine whether the PMAs had conducted vulnerability and risk assessments.
