Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Nuclear regulator slow in correcting information security vulnerabilities, says audit

The US government agency tasked with overseeing the safety of nuclear power plants cannot secure its own networks, according to an audit of the agency
The US government agency tasked with overseeing the safety of nuclear power plants cannot secure its own networks, according to an audit of the agency

The audit, performed by Richard S. Carson & Associates on behalf of the NRC Inspector General, found that the commission’s plans of action and milestones for the remediation of information security vulnerabilities often did not contain all known security vulnerabilities and remained open past their due date. In addition, agency staff sometimes declared the vulnerabilities to be resolved without sufficient evidence.

A security test found that many network components had never been security hardened and that many patches had not been installed. The problems with patching indicated either that the agency's patching solution had not been properly configured or that personnel responsible for those system components had not requested downloads of the patches from the enterprise-wide patching system, the audit said.

The fact that the problems have been identified with the timely remediation of security vulnerabilities in more than one operational system “indicates the agency needs to improve its configuration management procedures to ensure all identified vulnerabilities, including configuration-related vulnerabilities, scan findings, and security patch-related vulnerabilities, are remediated in a timely manner”, the audit stressed.

In addition, the audit found that the agency had not developed an organization-wide risk management strategy.

What’s Hot on Infosecurity Magazine?