PORTLAND -- The Bonneville Power Administration is vulnerable to cyber intruders, a four-year KGW NewsChannel 8 investigation found.
Various government audits and reports indicate the Department of Energy has repeatedly warned the BPA about its shortcomings.
The BPA provides about 30 percent of the region's electricity. Customers throughout the Northwest rely on BPA to power homes, hospitals, banks and the military.
Security experts fear a sophisticated cyber intruder could try to disrupt the power grid.
"There is plenty to be afraid of," said Carolyn Turbyfill, a cyber security analyst with Quality Plus Engineering. "As we've seen, power outages can cause many, many problems even if the intent was not malicious at all."
A review of cyber security incidents at BPA beginning in 2007, obtained through the Freedom of Information Act, shows hundreds of listings. There are reports of compromised information, along with lost or stolen laptop computers. There were also repeated attempted intrusions, in which someone tried to get into a BPA computer system.
"We know the bad guys are out there and we know they intend to do us harm," said Larry Buttress, Chief Information Officer at the Bonneville Power Administration.
Government watchdogs found the most serious weakness at BPA headquarters, according to a March 2012 Department of Energy audit. Business computers at BPA headquarters are used for power marketing, billing, email and more.
Auditors wrote, "Should any of these information systems be compromised or otherwise rendered inoperable, the impact on Bonneville's customers could be significant."
"I would not concur that it would be significant," said Buttress. "I think we have adequate security in place and I think the measures that we have put in place recently and continue to put in place are more than adequate."
The greatest concern, cyber security experts say, is BPA's operational services that keep the power on. The transmission services run separately from BPA headquarters at a heavily-protected facility in Vancouver, Washington. Most of their computers are not connected to the Internet and most audits suggest BPA's transmission services are largely protected from outside attack.
But a recent Department of Energy report, obtained exclusively by NewsChannel 8, suggests auditors found "numerous exploitable vulnerabilities related to aging devices on communications networks, unprotected services and patching."
One cyber security analyst calls Bonneville's issues "pedestrian."
"I would say they look like any other company of their size in terms of what I saw," said Patrick Miller of EnergySec, a security company funded by the Department of Energy and other utility companies, including the BPA.
Miller adds, "We don't ask the question, 'Are we secure?' Because it is like asking, 'Is a safe unbreakable?' If you have enough tools and time you're going to get in."