How Safe is our Nuclear Cyber Network?
Last Updated on Thursday, 25 September 2008 11:35 Written by admin Thursday, 25 September 2008 11:33
.jpg)
The September 2008 Inspector General’s Evaluation Report on the Department of Energy’s unclassified Cyber Security program has been released.
There are very few details or specifics, which is at it should be in an UNCLASS report, however what’s really disturbing is the sluggish pace at which the National Nuclear Security Agency (NNSA) is complying with cyber security standards. Here’s one example taken from p. 8 of the report:
Despite concurring with a prior OIG recommendation, NNSA had taken only limited action to establish an oversight process to ensure effective implementation of Federal cyber security requirements by field organizations and facility contractors. An official indicated that NNSA was in the process of changing their site assessment program.
While four assessments had been completed by NNSA, no additional ones had been scheduled. We also noted problems in the manner that certain of these assessments were performed. For instance, one assessment cited significant weaknesses that required resolution, but nonetheless granted a passing score. (emphasis added)
I have to say that this is a bit disturbing to me. We’re not talking about cyber security over at HUD. The NNSA is responsible for “securing thousands of nuclear weapons and components, and hundreds of tons of special nuclear material in all forms, shapes and sizes”.
And the above quoted incident wasn’t the only one mentioned in the IG report. The Office of Science, which is responsible for making site visits to ensure that findings in prior evaluation reports are being followed up on, has discontinued that program.
How Many Cyber Security Incidents?
Despite strong defense-in-depth network protective measures, and with over a month remaining in FY 2008 at the time of our evaluation, sites had reported 480 cyber security incidents affecting 703 machines to the Department’s Computer Incident Advisory Capability. This represents an increase of about 45 percent over the prior year and about 136 percent since 2004. In addition, 127 incidents involved PII (Personally Identifiable Information), an increase of about 165 percent from those reported in FY 2007.
This is a disaster waiting to happen, and requires urgent attention by the next Administration.
