The Department of Energy (DoE) Office of Inspector General (OIG) released a report on Oct. 19 that found several weaknesses in the cybersecurity program at DoE in fiscal year 2018, including recurring issues in vulnerability management, patching, and formal cybersecurity training policies.
While DoE has made progress on addressing some of its cybersecurity gaps, the same types of weaknesses have emerged in successive years. OIG noted that the department had “made progress remediating weaknesses” from its FY 2017 evaluation, and DoE was able to close all 12 of its prior-year weaknesses.
But while the department made progress in correcting cybersecurity gaps flagged in FY 2017, OIG said that in FY 2018 it “identified weaknesses that were mostly consistent with our prior reports related to vulnerability and configuration management, system integrity of Web applications, access controls, security awareness and privacy training, and security control testing.”
The FY 2018 review revealed the same type of weaknesses present in FY 2017, but at new locations within the expanse of DoE’s labs and offices. The specific sites were not disclosed in the public report “due to the sensitive nature of the vulnerabilities identified.”
OIG issued 25 program- and site-specific recommendations to the department in order to address the range of cyber gaps. It also issued one overall recommendation that the agency “ensure appropriate emphasis is placed on correcting identified cybersecurity weaknesses.”
The evaluations took place at 27 locations, “primarily under the purview of the National Nuclear Security Administration, Under Secretary for Science, Under Secretary of Energy, and other staff offices,” and reviewed several aspects of the locations’ unclassified cybersecurity programs.
Of note, at least 10 locations “continued to use software on workstations and servers that were missing security patches or were no longer supported by the vendor,” four locations had access control weaknesses, two locations had weaknesses in the system integrity of Web applications, three locations failed to develop or implement role-based security training for all users (with “a significant number of users with overdue training”), and one location “could not demonstrate that it had completed a thorough assessment of all required security controls as part of its continuous monitoring process.”
“Without improvements to address the weaknesses identified during our evaluation, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification,” the report states.
DoE management concurred with the report’s recommendations and said corrective actions were planned to address the issues.