An unidentified U.S. Energy Department Office of Environmental Management nuclear facility needs to remedy shortcomings in its cybersecurity program, according to DOE’s Office of Inspector General.
The Energy Department IG identified weaknesses in access controls, contingency planning, and continuous management, according to the memo dated July 19. The detailed report of the actual findings was not made public.
The site in question was the Waste Isolation Pilot Plant in New Mexico, one source said Monday. The Energy Department by deadline Friday had not replied to a query seeking confirmation.
The integrity and availability of computer systems and data managed by the facility could be hurt by the identified vulnerabilities, according to Sarah Nelson, assistant inspector general for technology, financial, and analytics. The two-page memo is addressed to the principal deputy assistant secretary for the Office of Environmental Management, a post held by Todd Shrader.
The report itself was for “official use only,” according to Nelson. “We provided site and program officials with detailed information regarding vulnerabilities that we identified.”
Management at the site concurred with the recommendations and corrective actions are planned, Nelson wrote.
The cybersecurity program at the nuclear cleanup site is overseen by the DOE Environmental Management Consolidated Business Center. The Office of Inspector General conducted the audit to determine if the site managed its cybersecurity program in accordance with federal requirements. The Federal Information Security Modernization Act of 2014 requires each U.S. agency to develop a cybersecurity program to protect systems and data that support its operations.
Scott Kovac, operations and research director at the advocacy group Nuclear Watch New Mexico, said this week he has not heard any talk of cyber issues at WIPP.
