Department of Energy lax in protecting information security systems, say auditors

The department entrusted to protect and secure the US nuclear arsenal continues to be lax in protecting its own information systems, according to a recent audit

The DOE Inspector General (IG) said that the department had fixed less than one-third of the cybersecurity gaps in unclassified information systems identified in last year’s audit. In addition, the auditors identified numerous new gaps in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control management, and cybersecurity training. As a result, the number of cybersecurity weaknesses identified has increased 60% over last year, the IG said.

For example, at 11 locations, auditors identified 18 deficiencies related to access controls, such as failure to perform periodic management reviews of user accounts, inadequate management of user access privileges, default or weak usernames and passwords, lack of segregation of duties, and lack of logging and monitoring user activity.

In addition, the IG identified 21 vulnerability management weaknesses at 15 locations, such as desktops and network systems and devices running applications without current security patches for known vulnerabilities.

The auditors found 14 weaknesses in at least 32 different web applications used to support functions such as procurement and safety – vulnerabilities through which network systems could be manipulated, whether deliberately by an attacker or inadvertently by users.

“The weaknesses identified occurred, in part, because departmental elements had not ensured that cybersecurity requirements included all necessary elements and were properly implemented. Program elements also did not always utilize effective performance monitoring activities to ensure that appropriate security controls were in place”, the audit observed.

Without corrective actions, “there is an increased risk of compromise and/or loss, modification, and non-availability of the department's systems and information. As observed in the recent cyber attacks at four sites, exploitation of vulnerabilities can cause significant disruption to operations and/or increase the risk of modification or destruction of sensitive data or programs”, the report warned.

In response to the audit, the DOE’s National Nuclear Security Administration (NNSA) objected to the IG’s characterization of the “scope, severity, and cause of the issues” presented in the report. “We are concerned that the casual reader of this report may lack the context, technical cybersecurity knowledge, and risk management expertise required to draw accurate conclusions regarding NNSA’s stewardship of unclassified information technology assets.”
