[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Increasing security breaches worry Energy IG


By Susan M. Menke
January 22, 2008

Inspector General Gregory Friedman hopes to lock down security on the 
Energy Department's interconnected computer networks, after auditors 
called 132 security breaches serious enough to report to law enforcement 
in fiscal 2006 22 percent more than in the prior year.

The department's 69 organizations support as many as eight separate 
intrusion and analysis groups, which do not use a common 
incident-reporting format and do not always retain crucial information 
about cyberattacks, the IG said in a report [1] released today. Some 
sites opt out of monitoring their networks or even disable the sensor 

Energy has found such cyber weaknesses before but "does not specifically 
require that incidents be reported to law enforcement or 
counterintelligence officials," the report said. The IG recommends:

    * Developing and implementing an enterprisewide cyber incident 
      management strategy
    * Taking a consistent approach to developing or revising policies 
      across all Energy organizations.
    * Finding a way to periodically test and evaluate the department's 
      overall performance in cybersecurity incidents.

The Office of the Chief Information Officer's Computer Incident Advisory 
Capability has been watching cybersecurity and providing computer 
forensics services to the department since 1989, at a cost of $6.8 
million in fiscal 2006, the IG report said. Nevertheless, other groups, 
such as the National Nuclear Security Administration's Information 
Assurance Response Center and smaller organizations at various Energy 
sites, compete with CIAC for authority and funding.

The CIO in 2006 called for "an integrated approach to management of 
cyber incidents." The department's most recent guidance, however, does 
not cover communications and coordination in "Incident Management 
Guidance," known as CS-9. A draft replacement known as "Technical and 
Management Requirement 9" does not address the duplication of security 
efforts, the IG said. Plans to revitalize policies within 60 days of the 
February 2006 acceptance of a similar report have yet to be approved.

The IG report said it took 10 months to learn that a hacker had stolen 
the names and Social Security numbers of 1,500 Energy employees from an 
NNSA site in 2005. Seven of 11 field sites audited, three federal and 
eight contractor-operated, have not identified which of their systems 
store such personal information or evaluated the risks of exposing it.

Energy's CIO will now draft a formal departmental cybersecurity strategy 
by March 31, according to the report.

[1] http://www.ig.energy.gov/documents/IG-0787.pdf

Subscribe to InfoSec News