Nuclear Agency’s Cybersecurity Center Not Optimized: Audit

An audit has found that the U.S. Nuclear Regulatory Commission’s security operations center is not optimized to protect the agency’s networks, which raises some concerns given the increasing volume of cyberattacks aimed at government systems.

The security operations center (SOC) of the Nuclear Regulatory Commission (NRC) is tasked with securing the agency’s network and monitoring it for any suspicious activity. While the SOC is not responsible for classified systems, the network it oversees does process sensitive unclassified information.

The objective of the Office of the Inspector General (OIG) audit was to determine if the NRC’s cybersecurity center meets operational requirements, and to assess its effectiveness in working with other organizations involved in securing the NRC’s network.

The nuclear agency’s SOC is primarily staffed by contractors working under an information technology infrastructure support services (ITISS) contract. The SOC staff, which is overseen by the NRC’s Office of the Chief Information Officer Operations Division, is responsible for analyzing network activity and taking part in incident response efforts. The SOC also provides information on incidents to the NRC’s Information Security Directorate, which in turn reports them to CERT.

According to the report, the number of cyber security incidents reported by NRC to CERT in 2014 increased by 18 percent compared to the previous fiscal year, an increase that is nearly double compared to the number of government-wide incidents reported during the same period. The list of incidents included malicious code, unauthorized access, policy violations, social engineering, scans and other access attempts.

The audit has found that while SOC staff meets security operational requirements, the center’s capabilities could be improved by better defining contractual requirements. The problem, according to the OIG, is that the current contract doesn’t clearly define the SOC’s performance objectives and functional requirements.

“NRC staff described several areas in which the SOC does not meet agency needs, including proactive analysis and timely, detailed reports. This occurs because although the contract performance criteria are aligned with National Institute of Standards and Technology and NRC internal guidance, the contract does not clearly define SOC performance goals and metrics that can be used to determine whether agency needs are being met,” the OIG said in its report.

“Additionally, SOC staff and NRC stakeholders expressed differing expectations of SOC roles and responsibilities. This occurs due to a lack of adequate definitions in agency policies and undifferentiated functional descriptions between different entities responsible for securing NRC’s network,” the auditor added.

Another recommendation made by the OIG for improving the cybersecurity center’s performance and capabilities is to better clarify organizational responsibilities and roles.

A study conducted last year by Chatham House on cybersecurity at civil nuclear facilities revealed that the nuclear industry still underestimates the risk posed by cyberattacks.

Records obtained in September 2015 from the U.S. Department of Energy showed that the organization’s components had been breached more than 150 times between October 2010 and October 2014. Documents revealed that 19 of the successful attacks targeted the National Nuclear Security Administration.

Related: South Korea Accuses North of Cyber-attacks on Nuclear Plants

Related: Former US Govt Employee ‘Tried to Sell Nuclear Secrets’