Energy Department failed to address tens of thousands of critical security gaps, a new audit report reveals
- The review includes 28 department facilities, including a location operated by the National Nuclear Security Administration, which maintains the country’s nuclear weapons stockpile.
- At one facility, the auditors discovered more than 10,500 unpatched critical and high-risk security issues.
The Energy Department has again come under fire for botching cybersecurity practices and repeating the same mistakes year after year. According to a new audit report, department officials are still struggling to fix vulnerabilities that were uncovered in previous years.
The review includes 28 department facilities, including a location operated by the National Nuclear Security Administration, which maintains the country’s nuclear weapons stockpile.
What does the new audit report say?
In the annual audit of the department’s cybersecurity program, investigators uncovered several recurring security weaknesses related to configuration management, access controls, personnel training programs, and security testing.
The audit also revealed that there were substantial shortcomings in the department’s vulnerability management practices. This has left multiple critical and high-risk vulnerabilities exposed within its digital ecosystem.
Furthermore, the Department, including the National Nuclear Security Administration, was found to have left unclassified systems in the nation’s nuclear facilities and other critical infrastructure exposed to digital attacks.
In many cases, the security gaps stemmed from energy officials failing to implement required cybersecurity policies. In others, the auditors found that the officials had failed to test the effectiveness of the policies and procedures after putting them into practice.
Eleven of the 28 department facilities were found running outdated software on their network servers and workstations. Nine other Energy Department locations included in the review had failed to install critical and high-risk security patches on their infrastructure.
At one facility, the auditors discovered more than 10,500 unpatched critical and high-risk security issues.
How many flaws from 2018 are addressed?
The department has addressed 21 of the 25 recommendations made in 2018. However, dozens of additional vulnerabilities have popped up this year. Interestingly, a majority of these security issues are similar to those identified during the previous evaluation.
To correct the cybersecurity weaknesses identified throughout the Department, the Inspector General has made 54 recommendations. These recommendations will help improve the department’s cybersecurity program.