The pace of cyberattacks on U.S. energy assets is picking up rapidly. The Energy Department, which is leading the vigilance efforts, has vulnerabilities of its own.
While preaching vigilance to the utility industry, the Energy Department has failed to correct previously identified cybersecurity weaknesses in its unclassified information systems and has opened new vulnerabilities this year, an internal review found.
In all, some 38 specific weaknesses remained, even after the department addressed 40 others, Inspector General Gregory H. Friedman said in a letter to Energy Secretary Steven Chu.
"While this is a positive trend, our current evaluation found that the types and severity of weaknesses continued to persist and remained consistent with prior years," he said Wednesday
The department did not dispute the findings and said it would take action to correct the problems.
"The Energy Department is committed to continuing the progress we’ve made in strengthening the department’s unclassified cybersecurity program, including enhancing our cybersecurity posture through the RightPath initiative, improving training programs and developing risk management plans," a spokeswoman said.
"The department appreciates the Inspector General’s recommendations and is taking actions to implement the findings and continue improving how the department manages and protects its cyber information systems," she added.
The review found that 16 problems remained from the 2011 review, including four first identified in 2010. Friedman said the weaknesses related to "access controls, vulnerability management, integrity of web applications, planning for continuity of operations, and change control management."
Some of the problems were found at the department's headquarters offices, which he said included the lack of periodic reviews of user accounts and access privileges and weak user names and passwords, among other problems.
A total of 157 network systems were found to be operating without current security upgrades and patches, and 41 network servers operating on systems that were no longer supported by the vendor. At eight locations, applications were discovered that allowed malicious data to be input, a weakness that could be used to launch attacks against other users, Friedman reporter.
He said the problems remained because the department had not fully developed and implemented security controls and had not monitored performance. The issue has become more important as the pace of cyberattacks ramps up, Friedman stressed, to 3,000 incidents over the last four years.