The Department of Energy (DoE) still lacks a department-wide cyber-security incident management system, five years after auditors flagged problems in how the department manages cyber-security incidents.
The fact that the Energy Department doesn’t have a unified cyber-security incident management prevents timely incident response and leads to unnecessary spending, according to an office of inspector general report released Dec. 11. Since the DoE does not include the National Nuclear Security Administration, a semi-autonomous agency within the department, the NNSA and DOE agencies are spending over $30 million annually on duplicate or overlapping incident management capabilities, the report (PDF) found.
The Department’s Joint Cybersecurity Coordination Center provided response and advisory services and maintained capabilities supporting computer forensics and assistance in investigating and preserving cyber evidence. However, the report found that at least two other organizations provided similar capabilities to the department.
“Continued operation of independent capabilities could hinder the Department’s ability to maintain an effective incident management program and result in unnecessary expenditures,” Gregory H. Friedman, the inspector general, wrote in the memorandum accompanying the report.
The gaps adversely impact the ability of law enforcement agencies when investigating incidents, the report said. Various DoE sites haven’t always reported cyber-security incidents because the instructions for reporting them from the Energy Joint Cyber-Security Coordination Center are not very detailed or clear, the report found. Investigators were also hampered by the fact that incident reporting to law enforcement was not always timely or complete.
“The fragmentation of cyber security incident response centers could limit the exchange of needed information and delay decision-making in response to security incidents,” Friedman wrote.
The 2008 report from the office of the inspector general previously highlighted the separation between NNSA and DoE. Shortly after the report was released, Energy and NNSA officials agreed to establish a joint incident management operation, but the latest report found that disparate functions still exist.
While it is reassuring to know that overall number of vulnerabilities at the DoE has declined from 56 to 38 since 2011, it turned out 16 of those were originally flagged in the inspector general’s 2011 report and remain unresolved.
The department reported over 2,300 cyber-security incidents between October 2009 and March 2012, Friedman said. The incidents included unauthorized access to systems, improper use of computing resources, and the installation of malicious software, according to the memo.
“Our review of the Offices of the Under Secretary for Nuclear Security, Under Secretary for Science and Under Secretary of Energy organizations identified various control weaknesses related to access controls, vulnerability management, system integrity of web applications, planning for continuity of operations and change control management,” the report said.
Auditors found problems with physical security controls, as people could access areas they weren’t supposed to be able to go at six DoE facilities. Networks and computers at some facilities had weak passwords. Of the 1,952 desktop computers inspected, a little over half had unpatched software. Several servers were also missing updates. The report also found that 29 Web applications dealing with financial, human resources, and “general support” at eight locations were vulnerable to hackers.
Energy officials told the office of inspector general the DoE would implement a new enterprise-wide policy for incident categorization and reporting, as well as rolling out a department-wide incident management system which includes NNSA, by Sept. 30, 2013.