Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Nuclear Agency’s Cybersecurity Center Not Optimized: Audit

An audit has found that the U.S. Nuclear Regulatory Commission’s security operations center is not optimized to protect the agency’s networks, which raises some concerns given the increasing volume of cyberattacks aimed at government systems.

An audit has found that the U.S. Nuclear Regulatory Commission’s security operations center is not optimized to protect the agency’s networks, which raises some concerns given the increasing volume of cyberattacks aimed at government systems.

The security operations center (SOC) of the Nuclear Regulatory Commission (NRC) is tasked with securing the agency’s network and monitoring it for any suspicious activity. While the SOC is not responsible for classified systems, the network it oversees does process sensitive unclassified information.

The objective of the Office of the Inspector General (OIG) audit was to determine if the NRC’s cybersecurity center meets operational requirements, and to assess its effectiveness in working with other organizations involved in securing the NRC’s network.

The nuclear agency’s SOC is primarily staffed by contractors working under an information technology infrastructure support services (ITISS) contract. The SOC staff, which is overseen by the NRC’s Office of the Chief Information Officer Operations Division, is responsible for analyzing network activity and taking part in incident response efforts. The SOC also provides information on incidents to the NRC’s Information Security Directorate, which in turn reports them to CERT.

According to the report, the number of cyber security incidents reported by NRC to CERT in 2014 increased by 18 percent compared to the previous fiscal year, an increase that is nearly double compared to the number of government-wide incidents reported during the same period. The list of incidents included malicious code, unauthorized access, policy violations, social engineering, scans and other access attempts.

The audit has found that while SOC staff meets security operational requirements, the center’s capabilities could be improved by better defining contractual requirements. The problem, according to the OIG, is that the current contract doesn’t clearly define the SOC’s performance objectives and functional requirements.

“NRC staff described several areas in which the SOC does not meet agency needs, including proactive analysis and timely, detailed reports. This occurs because although the contract performance criteria are aligned with National Institute of Standards and Technology and NRC internal guidance, the contract does not clearly define SOC performance goals and metrics that can be used to determine whether agency needs are being met,” the OIG said in its report.

“Additionally, SOC staff and NRC stakeholders expressed differing expectations of SOC roles and responsibilities. This occurs due to a lack of adequate definitions in agency policies and undifferentiated functional descriptions between different entities responsible for securing NRC’s network,” the auditor added.

Advertisement. Scroll to continue reading.

Another recommendation made by the OIG for improving the cybersecurity center’s performance and capabilities is to better clarify organizational responsibilities and roles.

A study conducted last year by Chatham House on cybersecurity at civil nuclear facilities revealed that the nuclear industry still underestimates the risk posed by cyberattacks.

Records obtained in September 2015 from the U.S. Department of Energy showed that the organization’s components had been breached more than 150 times between October 2010 and October 2014. Documents revealed that 19 of the successful attacks targeted the National Nuclear Security Administration.

Related: South Korea Accuses North of Cyber-attacks on Nuclear Plants

Related: Former US Govt Employee ‘Tried to Sell Nuclear Secrets’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture