With all the hoopla and rhetoric being tossed about regarding the potential for a devastating attack against systems governing critical infrastructure that could result in a "cybergeddon," news that the Department of Energy (DoE) and the National Nuclear Security Administration have successfully addressed more than half of the network vulnerabilities identified in a 2011 security audit should be viewed as substantial progress.
The DoE's Inspector General (IG) has issued the fiscal 2012 security audit results and determined that the agency has addressed 40 of the 56 vulnerabilities from the fiscal 2011 assessment, and that the success of the effort was due in part to the move towards a risk-based approach to dealing with identified weaknesses and an increased focus on continuous monitoring.
Despite the noted progress, there is still a lot of work to be done. "In 2012, the overall number of identified vulnerabilities decreased to 38. While this is a positive trend, our current evaluation found that the types and severity of weaknesses continued to persist and remained consistent with prior years," the IG report states.
The 38 vulnerabilities identified in the report include 4 that remain unaddressed from the 2010 audit, 16 more from the 2011 evaluation, and an additional 22 weaknesses found over the course of 2012.
"Our review of the Offices of the Undersecretary for Nuclear Security, Undersecretary for Science and Undersecretary of Energy organizations identified various control weaknesses related to access controls, vulnerability management, system integrity of web applications, planning for continuity of operations and change control management," the report states. Specifically, the vulnerabilities that remain unmitigated include:
- Deficiencies related to weak access controls, including a lack of periodic reviews of user accounts, inadequate management of logical and physical user access privileges, use of default or weak usernames and passwords, and a lack of segregation of duties between privileged users;
- Weaknesses related to vulnerability management that could have allowed unauthorized access: desktops, network servers and devices that had not been updated to resolve known vulnerabilities, and/or operating systems that were no longer supported by the vendor;
- At least 29 web applications that lacked adequate input validation procedures, which could be exploited by attackers to manipulate systems;
- Change control management weaknesses observed at at least one location, and the failure to develop an overall impact assessment as part of a business continuity plan at at least one other.
The IG report commends the department for implementing a plan to better integrate the policies and procedures developed at the individual agencies under the DoE's control, known as the RightPath program, as well as for stepping up security awareness training for personnel. But the report faults the department for failing to implement numerous best practices to address long-standing vulnerabilities identified in previous audits.
"The weaknesses identified occurred, in part, because department elements had not ensured that cyber security requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place," the report notes.
The report does not include details of the weaknesses found in critical systems for obvious security reasons, but does confirm that specifics have been provided to staff and that corrective actions on many issues have already been initiated.