According to an inspector general report, the U.S. Department of Energy continues to have serious network security issues for the second year in a row and is regularly hit by cyber-attackers.
The Department of Energy has
been hit by multiple cyber-attacks in the past year, costing the federal
government over $2 million to recover, according to a recent audit report.
An annual review of the
Department of Energy's unclassified networks revealed a number of security
issues, including weak access controls, improper patching strategy and poor
employee training, according to a report from the department's inspector
general Gregory Friedman released Oct. 24. Tests at 25 DOE facilities,
including its headquarters, revealed 32 previously unidentified
vulnerabilities, according to the report.
The inspector general's
audit also found that security problems had increased by 60 percent in 2011 on
DOE computer networks, compared with the number found during the 2010 audit.
Only 11 out of the 35 issues identified in the 2010 report had been addressed,
the report found.
Department computer networks
are "routinely threatened with sophisticated cyber-attacks," the
report said. In fact, cyber-attacks on federal agencies have increased by 40
percent since last year, the report found. The report covered the 2011 fiscal
year, which ended Sept. 30.
The exploitation of
vulnerabilities causes "significant disruption" to operations and
increases the risk of data being modified or destroyed, Friedman wrote in the
The report also looked at
"recent successful attacks at four department locations" and
estimated that recovery efforts cost the department over $2 million at three of
the sites. Due to security concerns, Friedman did not identify the four
locations or the kind of vulnerabilities that had been exploited in those
attacks. He also did not identify the attackers.
Some of the problems were
the result of management failing to continuously monitor the security
protections in place, the report found. For example, the agency neglected to
block unauthorized users from accessing data or to perform validation
procedures on at least 32 Web applications used in procurement programs and
other support functions.
action" is required to help address threats, he said. The department needs
to develop a series of procedures to secure and monitor various networks and
systems, Friedman said.
"Continued vigilance is
necessary due to the recent department incidents and increased cyber-attacks by
both domestic and international sources," Friedman wrote in the report.
The Department of Energy has
dozens of agencies, regional offices and laboratories. While the report didn't
call out any agency, Friedman said the officials at the National Nuclear
Security Administration (NNSA), a DOE agency that manages the country's nuclear
stockpile, "expressed concern with our characterization of the scope,
severity and cause of the issues presented in our report." NNSA also
"criticized" the evaluation approach, claiming it was too focused on
compliance checklists, according to Friedman.
NNSA also said the report
failed to recognize the effectiveness of its "layered" approach to
cyber-security and called some of the problems identified in the report "isolated
issues" in its extensive network, Kenneth Powers, the NNSA's associate
administrator for management and budget, wrote in a letter to the inspector
general, which was included in the report.
"We are concerned that
a casual reader of this report might not fully understand that the findings,
while important, do not represent demonstrated risks," Powers wrote.