In an evaluation report released today, the Department of Energy’s Inspector General said there had been some “positive actions” taken by DOE and the National Nuclear Security Administration to improve the “security and awareness” of the unclassified cybersecurity program. However, as is almost always the case with cybersecurity, more is needed to lower the risks.
The report said DOE had made an effort to address deficiencies identified in previous evaluations, but the IG noted that federal entities’ use of information technology is evolving rapidly (cloud computing, virtualization, etc.), and that this progression also exposes these systems to new and changing threats.
The Office of Inspector General took a look at 24 different DOE locations in the evaluation, but it did not identify the sites or contractors.
“Without improvements, the Department’s unclassified cybersecurity program will continue to operate at a higher-than-necessary level of risk,” the report said.
Among the findings:
— At eight locations, weaknesses in logical access controls were identified that could “allow an attacker to gain access to sensitive data or disrupt network connectivity to systems.”
— Network systems and workstations at 13 locations were found to have patch management weaknesses “of varying degrees of criticality.” Critical and high-risk vulnerabilities were found on many of the systems and networks tested by the IG.
— Six locations had weaknesses related to system integrity of Web applications, increasing the risk of malicious attacks and unauthorized access.