Watchdog Finds DOE Falling Short on CybersecurityAudit Finds Vulnerabilities in Energy Department's Unclassified Systems
The U.S. Department of Energy is routinely failing to secure unclassified IT systems in the nation's critical infrastructure, including nuclear facilities, leaving them open to outside attacks and hacking, an annual audit from the agency's Inspector General finds.
And while the Energy Department is capable of fixing these cybersecurity deficiencies, the federal agency continues to make the same mistakes and security errors year-after-year, the report shows.
The security issues range from poor cybersecurity training and preparedness of employees, to not patching vulnerabilities in web applications and having poor configuration management for certain IT systems, the audit notes.
"Although the Department had taken actions over the past year to address previously identified weaknesses related to its cybersecurity program, our current evaluation identified weaknesses that were consistent with our prior reports related to vulnerability management, configuration management, system integrity of Web applications, access controls and segregation of duties, cybersecurity and privacy training, and security control testing and continuous monitoring," the report, issued earlier this month, finds.
Overall, the Inspector General report makes 54 different cybersecurity recommendations for the department's CIO and security teams to follow. The watchdog also told management of other improvements it could make in its security program, but did not issue formal recommendations for those.
In response to the report, the Inspector General's Office noted that Energy Department's management agreed with the recommendations outlined in this year's audit and planned to make changes to its cybersecurity plans.
The Energy Department had previously addressed 21 of the 25 recommendations that the Inspector General's office made about its security programs in 2018, the new audit notes.
Issues With Patch Management
The audit is based on security evaluations conducted at 28 different Energy Department facilities between February and October. These facilities included ones overseen by the department's Administrator for the National Nuclear Security Administration, Under Secretary for Science and the Under Secretary of Energy.
The inspectors focused solely on the department's unclassified systems.
During its review, the Inspector General's office found a series of ongoing problems with some of the most basic cybersecurity practices, according to the audit. For instance, at one unnamed site, the inspectors found over 10,500 software vulnerabilities rated either high or critical in 159 workstations tested, the report shows.
At two other facilities, the Inspector General found that 142 of 297 servers were missing critical software updates or patches.
Other cybersecurity issues that inspectors found included:
- Eleven Energy Department sites that were running unsupported software on network servers or workstations;
- Nine department locations were operating workstations and servers that required critical- and high-risk vulnerability security patches or software updates;
- At one location, the inspectors found workstations running outdated antivirus software. The review also found that some AV software had not been properly configured.
After conducting its review, the Inspector General noted that in many cases the IT or security teams were not properly scanning networks for vulnerabilities.
If any network scanning was being done, it was not conducted on a regular schedule, which meant that critical vulnerabilities were missed or patches were not applied, according to the report.
"We determined that the mitigating controls may not always be effective and could result in unauthorized access to systems and information," the report notes.
Configuration and Web Application Challenges
The Inspector General's report also took the Energy Department to task over its configuration management strategies, including how well it ensures the integrity of its information systems.
In one facility, for example, firewalls were misconfigured and allowed a general support network to inappropriately access two web servers on another network that support a primary industrial control system at that site, the report shows.
At another facility, a shared file destination was configured to allow anonymous access. This meant that anyone with network access to the general support system could have connected to the shared drives and files without credentials, the report notes.
The audit also notes several issues with how the Energy Department mishandles security issues with its web application. In one case, an application that coordinated foreign assignments and visits to a facility lacked access controls, the report notes.
"As a result, any authenticated user with application authorization could have inappropriately obtained access to all data available in the application and used all functions by directly browsing to the desired content," the report adds.
Threats to DOE
The Inspector General's audit comes at a time when the Energy Department is under increasing scrutiny when it comes to cybersecurity, especially related to threats to the nation's electrical grid, which is considered part of the country's critical infrastructure.
A U.S. Government Accountability Office report released in September found that the nation's electrical grid is increasingly vulnerable to attack from nation-states (see: GAO Raises Concerns About Power Grid Vulnerabilities).
In March, hackers probed weaknesses in the network firewalls of a U.S. power utility as part of an attempted distributed denial of service attack, according to a report. And while there was no disruption of power, the attack caused gaps in communication between power stations and the main control system (see: Hackers Attempted DDoS Attack Against Utility: Report).