The Department of Energy’s (DoE) Office of the Inspector General (OIG) reported numerous cybersecurity weaknesses at DoE and issued 54 recommendations to the agency throughout Fiscal Year 2019, according to a report released on Nov. 19.
“Without improvements to address the weaknesses identified in our report, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification,” the report states. “Therefore, additional action is necessary to help strengthen the Department’s unclassified cybersecurity program.”
In a test of 1,848 workstations owned by DoE, the OIG auditor discovered more than half were missing security patches and updates that had been released over a month prior to the audit. At one location, the OIG reported, there were nearly 11,000 critical and high-risk vulnerabilities related to missing security patches and unsupported software. At two other locations, all servers tested were missing critical or high-risk security patches and updates.
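The finding above rests on a measurable criterion: a host is non-compliant if it lacks a vendor patch that had been available for more than a month at the time of the audit. The following script, added here as an illustration and not taken from the OIG report or any DoE tooling, applies that criterion to a constructed host inventory and patch catalogue, then rolls the result up per site the way an audit summary would. Host names, site labels, patch identifiers and dates are all constructed placeholders; the 30-day grace period mirrors the "over a month" threshold in the text.

```python
"""Patch-currency audit over a constructed host inventory.

Flags hosts that are missing vendor patches released more than a grace
period (default 30 days) before the audit date, and summarises the result
per site. Patch IDs, host names, sites and dates are constructed
placeholders, not values from the OIG report.
"""
from datetime import date, timedelta

# Constructed patch catalogue: patch id -> (release date, severity).
PATCH_CATALOGUE = {
    "KB-1001": (date(2019, 6, 11), "critical"),
    "KB-1002": (date(2019, 7, 9), "high"),
    "KB-1003": (date(2019, 8, 13), "high"),
    "KB-1004": (date(2019, 9, 10), "critical"),  # released inside the grace window
}

# Constructed inventory: the catalogue patches each host reports as installed.
INVENTORY = [
    {"host": "ws-a-01", "site": "site-A", "installed": {"KB-1001", "KB-1002", "KB-1003", "KB-1004"}},
    {"host": "ws-a-02", "site": "site-A", "installed": {"KB-1001", "KB-1002"}},
    {"host": "ws-b-01", "site": "site-B", "installed": {"KB-1001", "KB-1002", "KB-1003"}},
    {"host": "ws-b-02", "site": "site-B", "installed": set()},
]

AUDIT_DATE = date(2019, 9, 20)  # constructed audit date


def overdue_missing(installed, catalogue, audit_date, grace_days=30):
    """Return {patch_id: severity} for catalogue patches that are not installed
    and were released more than grace_days before audit_date.

    A patch released inside the grace window is deliberately not counted, so a
    host that is merely behind on this month's release is not flagged."""
    cutoff = audit_date - timedelta(days=grace_days)
    return {
        pid: severity
        for pid, (released, severity) in catalogue.items()
        if pid not in installed and released < cutoff
    }


def audit(inventory, catalogue, audit_date, grace_days=30):
    """Evaluate every host and return (per-host findings, per-site summary)."""
    findings = {}
    per_site = {}
    for host in inventory:
        missing = overdue_missing(host["installed"], catalogue, audit_date, grace_days)
        findings[host["host"]] = missing
        site = per_site.setdefault(host["site"], {"hosts": 0, "noncompliant": 0, "critical_high": 0})
        site["hosts"] += 1
        if missing:
            site["noncompliant"] += 1
            # Count only critical/high gaps, the categories the audit emphasises.
            site["critical_high"] += sum(1 for s in missing.values() if s in ("critical", "high"))
    return findings, per_site


def noncompliant_fraction(per_site):
    """Share of audited hosts with at least one overdue missing patch."""
    hosts = sum(s["hosts"] for s in per_site.values())
    bad = sum(s["noncompliant"] for s in per_site.values())
    return bad / hosts if hosts else 0.0


if __name__ == "__main__":
    findings, per_site = audit(INVENTORY, PATCH_CATALOGUE, AUDIT_DATE)
    for host, missing in findings.items():
        print(host, sorted(missing) or "compliant")
    print(per_site)
    print(f"{noncompliant_fraction(per_site):.0%} of hosts missing patches older than 30 days")
```

In a real engagement the inventory and catalogue would come from the patch-management system rather than literals, and a finding of this kind is usually reported per site so that the owners named in the OIG's detailed briefings can act on it.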
OIG found configuration management discrepancies at three DoE sites, including errors in firewall rules that allowed systems to inappropriately access other networks. “The use of secure configurations that emphasize hardening of systems against flaws can result in greater levels of security and protection from future vulnerabilities,” OIG advised in the report.
Auditors also uncovered access control errors over peripheral devices like printers, management of privileged and non-privileged accounts, and user accounts within the financial management system. Further, cybersecurity and privacy training at two DoE locations lacked role-based training strategies and a commitment to annual awareness training.
Finally, OIG found “significant deficiencies” in security control testing and continuous monitoring at two DoE locations. On-site officials at one DoE facility did not test controls of important systems to inspect if they were operating as intended.
OIG said that its report is intentionally vague about the cybersecurity weaknesses to protect the agency from threats, but also assured that DoE officials are working to correct the issues.
“Due to the sensitive nature of the vulnerabilities identified during our evaluation, we have omitted specific information and site locations from this report. We have provided site and program officials with detailed information regarding vulnerabilities that we identified at their locations, and in many cases, officials have initiated corrective actions to address the identified vulnerabilities,” the report states.
DoE CIO Rocky Campione responded to the audit by assuring OIG that the agency is working toward closing the recommendations.
“The Department concurs with the 54 recommendations issued this year to DoE’s programs and sites related to improving the Department’s cybersecurity program,” he said in a letter to the inspector general. “The Department will continue to address each of these weaknesses at all the organizational levels to adequately protect DoE’s information assets and systems from harm.”
Since FY2018, the department has completed 21 of 25 prior-year recommendations from the OIG.