Meanwhile, Agency Continues to Investigate SolarWinds Attack
Cybersecurity weaknesses persist throughout the U.S. Department of Energy’s unclassified networks, including those of the National Nuclear Security Administration, according to an inspector general audit.
Although the DOE has made strides in improving its cybersecurity programs, including addressing 42 of 58 previous recommendations, the IG’s recently released 2020 audit found the department’s unclassified networks and systems remain vulnerable.
To address these persistent issues, the inspector general issued another 83 recommendations for improving cybersecurity, including enhancing vulnerability management and boosting the security of web applications. DOE’s management agreed to work to address all the security issues identified in the report.
“We made recommendations to each of the locations where weaknesses were identified. Recommendations were related to areas such as system integrity of web applications, configuration management, vulnerability management, and access controls,” the IG report notes. “During the fiscal year, we also issued reports and recommendations related to areas such as security over information technology peripheral devices and contingency planning at selected locations.”
The IG report comes as the DOE and eight other federal agencies targeted for follow-on attacks after the SolarWinds supply chain attack continue their investigations. The U.S. government says the attacks were part of a Russian cyberespionage operation (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
The impact of the SolarWinds attack on the DOE was not reflected in the IG report.
“Due to the timing of our review, we did not evaluate the circumstances surrounding any potential impact to the Department or the National Nuclear Security Administration, or how such an attack could have impacted our results, if at all,” the report notes. “We will continue to follow developments related to any potential impact as we continue our future test work.”
The IG’s DOE audit considered the department’s cybersecurity programs at 28 locations from March 2020 to January of this year. Locations investigated were those overseen by the National Nuclear Security Administration, the administrator for the Energy Information Administration, the acting undersecretary for Science and Energy at the DOE as well as certain other staff offices, according to the report.
“While we did not test every possible exploit scenario, we did conduct testing of various attack vectors to determine the potential for exploitation,” the IG notes.
The IG identified some issues where the DOE has repeatedly come up short. For instance, auditors found that at two locations, web applications did not properly validate user input or adequately protect the credentials of employees using the apps.
“At one of the locations, the web application did not verify whether an authenticated user was authorized to access files stored within the application, which could have allowed an attacker to obtain files uploaded to the application by other users,” according to the report.
The audit also found that vulnerability management at some of the DOE sites did not ensure that apps had undergone proper penetration testing for security shortcomings, nor did the department have a good method of identifying flaws in the applications. “Maintaining effective system integrity controls over web applications can decrease the risk of unauthorized access to and/or modification of sensitive information in the applications,” the report notes.
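The authorization gap the report describes at one location (an authenticated user able to fetch files uploaded by other users) is the classic missing object-level check. The following is an added example, not code from the DOE report or from any DOE application: a vulnerable download handler beside a hardened one, with a constructed in-memory file store and user names. The `can_read` helper exists only so the two handlers can be compared on the same requests.

```python
"""Added example: object-level authorization on file downloads.

Everything here (users, file ids, the FILES store) is constructed for
illustration; it is not drawn from the IG report or any real application.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner: str      # user who uploaded the file
    name: str
    content: bytes


# Constructed sample store: two users, each with one uploaded file.
FILES = {
    1: StoredFile(1, "alice", "budget.xlsx", b"alice-data"),
    2: StoredFile(2, "bob", "notes.txt", b"bob-data"),
}


class Forbidden(Exception):
    """Caller is not logged in."""


class NotFound(Exception):
    """File does not exist, or the caller may not know that it exists."""


def download_vulnerable(session_user: str, file_id: int) -> bytes:
    """Checks authentication only (a session user is present) and then trusts
    the client-supplied file_id. Any logged-in user can read any file, which
    is the weakness the audit describes."""
    if not session_user:
        raise Forbidden("login required")
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content


def download_hardened(session_user: str, file_id: int) -> bytes:
    """Authentication plus authorization: the file must belong to the caller.
    A mismatch is reported as NotFound rather than Forbidden so that an
    attacker cannot enumerate which ids exist by probing."""
    if not session_user:
        raise Forbidden("login required")
    f = FILES.get(file_id)
    if f is None or f.owner != session_user:
        raise NotFound(file_id)
    return f.content


def can_read(handler: Callable[[str, int], bytes], user: str, file_id: int) -> bool:
    """Helper for comparing the two handlers: True if the request succeeds."""
    try:
        handler(user, file_id)
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    # bob asks for alice's file (id 1)
    print("vulnerable:", can_read(download_vulnerable, "bob", 1))  # True
    print("hardened:  ", can_read(download_hardened, "bob", 1))    # False
```

The hardened check ties the lookup to the authenticated principal rather than to any value the client sends, and an ownership mismatch yields the same response as a missing file so the id space cannot be walked.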
At other locations, configuration management was an ongoing security issue, the audit notes. In one case, firewalls were not properly configured, meaning that external traffic could have reached internal systems. At the same time, “unnecessary rules” were in place that could have granted additional access to unauthorized users.
“For example, multiple firewalls had rules that could have permitted any system in the ‘Users’ enclave to access the Supervisory Control and Data Acquisition (SCADA) system and related devices through at least one unsecure protocol,” the report notes.
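A rule-set review for the condition the report quotes (any host in a user enclave reaching SCADA devices over an unsecure protocol) can be automated. The script below is an added example and not the IG's tooling or any DOE configuration: the rule format, the enclave address ranges and the rule entries are constructed, and because the report does not name the protocol, the set of ports treated as unsecure (cleartext or unauthenticated services such as telnet, ftp, http and Modbus/TCP) is an assumption of this example.

```python
"""Added example: flag firewall rules that expose a SCADA enclave to a user
enclave over unsecure protocols or on any port.

The rule format, address ranges and rules below are constructed for this
example and are not taken from the IG report or any real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed enclave ranges (constructed).
ENCLAVES = {
    "Users": ip_network("10.10.0.0/16"),
    "SCADA": ip_network("10.200.0.0/24"),
}

# Assumed unsecure services: cleartext or unauthenticated by design.
# The report does not say which protocol was involved; this set is an assumption.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus-tcp"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR; "0.0.0.0/0" means any
    dst: str        # CIDR
    dport: int      # destination TCP port; 0 means any port
    action: str     # "allow" or "deny"


def touches(cidr: str, enclave: str) -> bool:
    """True if the rule's address range overlaps the named enclave."""
    return ip_network(cidr).overlaps(ENCLAVES[enclave])


def find_users_to_scada(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, reason) for every allow rule that lets the Users
    enclave reach SCADA on an unsecure port or on any port. Overlap is used
    rather than equality so that broad rules such as any->any are caught."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not (touches(r.src, "Users") and touches(r.dst, "SCADA")):
            continue
        if r.dport == 0:
            findings.append((r.name, "any port"))
        elif r.dport in INSECURE_PORTS:
            findings.append((r.name, INSECURE_PORTS[r.dport]))
    return findings


# Constructed rule set for demonstration.
SAMPLE_RULES = [
    Rule("users-to-scada-telnet", "10.10.0.0/16", "10.200.0.0/24", 23, "allow"),
    Rule("legacy-any-any", "0.0.0.0/0", "0.0.0.0/0", 0, "allow"),
    Rule("jumphost-ssh", "10.10.5.0/24", "10.200.0.0/24", 22, "allow"),
    Rule("users-to-scada-deny", "10.10.0.0/16", "10.200.0.0/24", 0, "deny"),
]

if __name__ == "__main__":
    for name, reason in find_users_to_scada(SAMPLE_RULES):
        print(f"{name}: Users enclave can reach SCADA ({reason})")
```

The SSH rule from a jump-host subnet is deliberately not flagged: the point of the review is to surface rules that are both overly broad and unsecure, so the remaining hits are the ones an administrator should remove or tighten.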
In other areas, system usernames and passwords had not been changed from their default settings, and some servers were left open to public access, which meant an attacker could have obtained network credentials, the audit says.
The department also lacked proper vulnerability management, with hundreds of workstations and devices handling sensitive data running outdated versions of Red Hat Linux, Apple macOS and Microsoft Windows Server 2008 (which left Microsoft extended support in January 2020), the audit notes.
Other shortcomings the audit identified were in the areas of access controls, contingency planning, privacy measures, security training and life cycle management.
The IG’s audit was published at about the same time that a bipartisan group of U.S. senators urged the Department of Energy to prioritize cybersecurity and to keep the leadership of the Office of Cybersecurity, Energy Security, and Emergency Response in place to ensure that the department can respond to security threats (see: Senators Raise Concerns About Energy Dept. Cybersecurity).
A DOE spokesperson said no changes have been made to that office.
A recent report released by the Government Accountability Office also recommended the DOE do more to improve the security protecting the U.S. electrical grid (see: GAO: Electrical Grid’s Distribution Systems More Vulnerable).