DoE Incident Response Challenges Hold Lessons for the Enterprise

By Anthony Freed | December 18, 2012

Posted in: Network Security Trends

The U.S. Department of Energy's (DoE) Office of the Inspector General issued a report last week detailing the continued shortcomings in the agency's cybersecurity incident management capabilities. The report reveals that while some progress has been made since the first such audit was conducted in 2008, the department still has a long way to go in implementing an effective policy. The findings, though specific to the DoE and the other agencies the department oversees, hold valuable lessons for the private sector with regard to establishing an adequate incident management program.

"Although certain actions had been taken in response to our prior report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents," the report states.

Specifically, the audit found that the DoE still maintained "duplicative cybersecurity incident management capabilities at an annual cost of more than $30 million," and that security incidents were not consistently identified or reported to the Department's Joint Cybersecurity Coordination Center (JC3) as required.

The audit found that 91 of the 223 reported incidents (41%) at seven DoE sites had not been reported within the established time frames, that facilities had failed to provide the information necessary for JC3 to respond to incidents, and that the facilities had failed to report all security incidents to the relevant law enforcement agencies.

"The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy... In the absence of an effective enterprise-wide cyber security incident management program, a decentralized and fragmented approach has evolved that places the Department's information systems and networks at increased risk," the report concluded.

While the DoE's cybersecurity incident management audit found that progress has been made since the original audit was conducted almost five years ago, the department still faces significant challenges, and those challenges are typical of the ones both the public and private sectors are working through, said Chris Blask, chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC).

"The report notes a lack of coordination among incident response capabilities internal to the Department. These sections of the report include indications of advancement in the development of these capabilities within DoE - steps forward compared with previous periods, and a sign that groups within the organization have been making efforts to create and operate incident response processes," Blask told Security Bistro.

"But this same section also shows difficulty in the coordination of incident response centers even within a single large public-sector organization, and shows the challenges individuals and groups involved face in their attempts to address their specific needs while contributing to the security goals of a large organization."

While the public and private sectors differ a great deal in their basic structure, there are lessons for the enterprise to take away from the DoE report with regard to implementing an effective incident management and reporting program, Blask says.

"First, regardless of larger issues private sector organizations face, the time to begin implementing incident detection and response processes and deploying the technologies required is already past," Blask said. "Secondly, the challenge in sharing information to increase your organization's effectiveness and to appropriately involve external entities requires a specific focus."

Blask recommends that private sector organizations look to the existing efforts and structures their peers have instituted as a starting point for addressing the information sharing topic discussed in the DoE report.

"Private sector organizations should review their existing capabilities to bring in external knowledge for internal application and their plans for communicating outbound to external entities before, during, and after they face active cybersecurity incidents," Blask advised.
