4 Cyberattacks Cost DoE At Least $2 Million
IG: Number of Identified Weaknesses Up by 60% in Year

The report, part of the department's annual Federal Information Security Management Act review, didn't provide details on the cyberattacks, except to peg the cost of three of the four breaches at over $2 million.
"As noted by recent successful attacks at four department locations, exploitation of vulnerabilities can cause significant disruption to operations and/or increases the risk of modification or destruction of sensitive data or programs, and possible theft or improper disclosure of confidential information," Inspector General Gregory Friedman wrote in the report.
In July, a sophisticated cyberattack shut down Internet and e-mail services at the Pacific Northwest National Laboratory, an Energy Department facility that conducts IT security research (see Cyberattack Shutters Energy Department Lab).
Though DoE had expanded efforts to mitigate these risks in the last fiscal year, which ended Sept. 30, more steps must be taken to strengthen department IT against attackers seeking to exploit vulnerabilities in applications and products, the inspector general audit said.
In fiscal year 2011, the inspector general said, DoE had resolved only 11 of the 35 cybersecurity weaknesses identified in the IG's FY 2010 review. The IG identified numerous weaknesses in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management and cybersecurity awareness training. "While many of the same or similar issues had been noted in prior FISMA reports," the IG said, "the number of weaknesses identified represented a 60 percent increase over our FY 2010 review."
At 11 DoE locations, including its Washington headquarters, the IG identified 18 deficiencies related to access controls, such as failure to perform periodic management reviews of user accounts, inadequate management of user access privileges, default or weak usernames and passwords, lack of segregation of duties and lack of logging and monitoring of user activity. The IG identified 21 weaknesses at 15 locations tied to vulnerability management. "We found desktops and network systems and devices running applications without current security patches for known vulnerabilities, situations that could allow unauthorized access to system resources," Friedman said.
The IG found 14 weaknesses in at least 32 different web applications used to support functions such as procurement and safety. "These vulnerabilities could be exploited by attackers to deliberately or inadvertently manipulate network systems," he wrote.
Though not widespread throughout the department, auditors found examples of failure to institute a business continuity/disaster recovery plan and to implement an annual refresher training program promoting cybersecurity awareness.
The IG credits the department for taking action to update its cybersecurity policy, and the National Nuclear Security Administration - the DoE operation responsible for the management and security of the nation's nuclear weapons, nuclear nonproliferation and naval reactor programs - for reestablishing periodic site-level cybersecurity reviews. "However," Friedman said, "given the increased number of vulnerabilities discovered this year, it is clear that continued vigilance is necessary."
Kenneth Powers, associate administrator for management and budget at the National Nuclear Security Administration, said in a letter sent to the inspector general that the IG mischaracterized the scope, severity and cause of the issues presented in its report. Powers also criticized the IG's evaluation approach, asserting that it focused strictly on a compliance checklist that did not adequately consider current federal policies relating to cost-effective, risk-based approaches to cybersecurity. Friedman disputes that depiction in his written report, asserting that those factors were taken into account.
DoE Chief Information Officer Michael Locatis III concurred with the IG's recommendations and disclosed in his written response that the department had initiated or already completed actions to address issues identified in the inspector general report.