The Department of Energy has been hit by multiple cyber-attacks in the past year, costing the federal government over $2 million to recover, according to a recent audit report.
An annual review of the Department of Energy's unclassified networks revealed a number of security issues, including weak access controls, improper patching strategy and poor employee training, according to a report from the department's inspector general Gregory Friedman released Oct. 24. Tests at 25 DOE facilities, including its headquarters, revealed 32 previously unidentified vulnerabilities, according to the report.
The inspector general's audit also found that security problems had increased by 60 percent in 2011 on DOE computer networks, compared with the number found during the 2010 audit. Only 11 out of the 35 issues identified in the 2010 report had been addressed, the report found.
Department computer networks are "routinely threatened with sophisticated cyber-attacks," the report said. In fact, cyber-attacks on federal agencies have increased by 40 percent since last year, the report found. The report covered the 2011 fiscal year, which ended Sept. 30.
The exploitation of vulnerabilities causes "significant disruption" to operations and increases the risk of data being modified or destroyed, Friedman wrote in the report.
The report also looked at "recent successful attacks at four department locations" and estimated that recovery efforts cost the department over $2 million at three of the sites. Due to security concerns, Friedman did not identify the four locations or the kind of vulnerabilities that had been exploited in those attacks. He also did not identify the attackers.
Some of the problems were the result of management failing to continuously monitor the security protections in place, the report found. For example, the agency neglected to block unauthorized users from accessing data or to perform validation procedures on at least 32 Web applications used in procurement programs and other support functions.
"Additional action" is required to help address threats, he said. The department needs to develop a series of procedures to secure and monitor various networks and systems, Friedman said.
"Continued vigilance is necessary due to the recent department incidents and increased cyber-attacks by both domestic and international sources," Friedman wrote in the report.
The Department of Energy has dozens of agencies, regional offices and laboratories. While the report didn't call out any agency, Friedman said the officials at the National Nuclear Security Administration (NNSA), a DOE agency that manages the country's nuclear stockpile, "expressed concern with our characterization of the scope, severity and cause of the issues presented in our report." NNSA also "criticized" the evaluation approach, claiming it was too focused on compliance checklists, according to Friedman.
NNSA also said the report failed to recognize the effectiveness of its "layered" approach to cyber-security and called some of the problems identified in the report "isolated issues" in its extensive network, Kenneth Powers, the NNSA's associate administrator for management and budget, wrote in a letter to the inspector general, which was included in the report.
"We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks," Powers wrote.