Dozens of cyber vulnerabilities found at Department of Energy facilities

At a time when senior defense officials are sounding the alarms about the potential for a devastating cyber attack against America's critical infrastructure, the U.S. Department of Energy's inspector general (IG) has found dozens of unaddressed cyber vulnerabilities at key DOE facilities, including ones dealing with nuclear programs.

The good news? The overall number of cyber vulnerabilities at DOE has declined from 56 to 38 since 2011 as a result of better IT security practices. The bad: 22 of those 38 vulnerabilities are brand-new while the remaining 16 went unresolved even after the inspector general noted them in 2011, according to a report released this month. This comes as the department has suffered "nearly 3,000 cyber-related incidents" over the last four years, according to the report.

"Our review of the Offices of the Under Secretary for Nuclear Security, Under Secretary for Science and Under Secretary of Energy organizations identified various control weaknesses related to access controls, vulnerability management, system integrity of web applications, planning for continuity of operations and change control management," reads the report.

The report found that actual, real live people (quaint, right?) could access places they weren't supposed to at six DOE facilities due to inadequate physical controls, e.g., failing to properly keep track of who is allowed inside certain facilities. It also found that networks and computers at some facilities had weak password protection, something that could make it easier for the wrong people to log onto DOE computers.

Meanwhile, 1,132 desktop computers (out of 1,952 that were inspected, or 58 percent) had unpatched software holes, and dozens of servers were in the same shape. At eight locations, the IG found that 29 web applications dealing with financial, human resources and "general support" functions were vulnerable to hacking.

The report goes on to knock DOE for failing to implement known fixes and policies designed to enhance cyber security.

"The cyber security control weaknesses we identified were due, in part, to inadequate development and implementation of security control processes," the report says. "In particular, many sites developed policies and procedures that did not always satisfy Federal or Department security requirements."

Even when security policies were officially in place, some sites failed to follow them. This is exactly the type of problem that government officials constantly lament when they say that most cyber vulnerabilities could be addressed if organizations practiced basic IT "hygiene" — meaning they need to require strong passwords and frequently update software with security patches.

At the end of the day, these vulnerabilities, if left unchecked, leave the department open to "increased risk of compromise and/or loss, modification and non-availability of the Department’s systems and the information residing within them."

The department agreed with the IG’s findings (though it did quibble with some of the findings regarding security standards and policies, and said some of the vulnerabilities may involve acceptable levels of risk) and is moving to implement its recommendations for fixing the security holes, according to the report.

While the report detailed numerous vulnerabilities, simply patching them may only result in a permanent game of catch-up against hackers, said one cyber security expert.

"It reminded me of the results of most vulnerability assessment reports for any decently sized organization," said Richard Bejtlich, chief security officer of the cybersecurity firm Mandiant. "Vulnerabilities of all kinds are found, involving unpatched systems, code waiting to be exploited, and the like. The next report will look the same."

"It would have been much more useful if DoE had brought a third party to each of its sites to determine ‘what intruders are actively exploiting those sites right now’, then prioritize incident response and countermeasures to frustrate the adversary," he added. "Instead, I expect another round of trying to fix every problem, while intruders watch and evade any security ‘improvements’ that DOE applies."

At the time of this posting, DOE officials had not responded to requests for comment.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.