While preaching vigilance to the utility industry, the Energy Department has failed to correct previously identified cybersecurity weaknesses in its unclassified information systems and has opened new vulnerabilities this year, an internal review found.
“While this is a positive trend, our current evaluation found that the types and severity of weaknesses continued to persist and remained consistent with prior years,” he said Wednesday.
The department did not dispute the findings and said it would take action to correct the problems.
“The Energy Department is committed to continuing the progress we’ve made in strengthening the department’s unclassified cybersecurity program, including enhancing our cybersecurity posture through the RightPath initiative, improving training programs and developing risk management plans,” a spokeswoman said.
“The department appreciates the Inspector General’s recommendations and is taking actions to implement the findings and continue improving how the department manages and protects its cyber information systems,” she added.
The review found that 16 problems remained from the 2011 review, including four first identified in 2010. Friedman said the weaknesses related to “access controls, vulnerability management, integrity of web applications, planning for continuity of operations, and change control management.”
Some of the problems were found at the department’s headquarters offices; he said these included the lack of periodic reviews of user accounts and access privileges, and weak user names and passwords, among other problems.
A total of 157 network systems were found to be operating without current security upgrades and patches, and 41 network servers were operating on systems that were no longer supported by the vendor. At eight locations, applications were discovered that allowed malicious data to be input, a weakness that could be used to launch attacks against other users, Friedman reported.
He said the problems remained because the department had not fully developed and implemented security controls and had not monitored performance. The issue has become more important as the pace of cyberattacks ramps up, Friedman stressed, to 3,000 incidents over the last four years.