DOE IG: CYBER SECURITY ISSUES CONTINUE TO LEAVE DOE VULNERABLE

While the Department of Energy has taken steps in the last year to correct cyber security weaknesses in its systems, numerous vulnerabilities remain, according to a DOE Office of Inspector General report released Friday. Those weaknesses were exploited in the cyber security breach last summer that compromised the personal information of over 100,000 former and current DOE employees and contractors. Corrective actions in the last year have resolved 28 of the 38 conditions identified in the IG’s Fiscal Year 2012 evaluation, and DOE has also established a senior leadership council to address the issue. “In spite of these efforts, we found that significant weaknesses and associated vulnerabilities continued to expose the Department’s unclassified information systems to a higher than necessary risk of compromise,” the report states.

Issues identified in the latest review relate to “security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management,” the report states. “In total, we discovered 29 new weaknesses and confirmed that 10 weaknesses from the prior year’s review had not been resolved. These problems were spread across 11 of the 26 Department locations where we performed testing.” The report included five recommendations centering on correcting the weaknesses identified by the IG. In response to the report, DOE management agreed with the recommendations and said that it would take corrective actions to address them.