DOE data breach came after warnings

From: FCW

By Amber Corrin

A cyberattack on Energy Department networks that compromised confidential data apparently came weeks after two reports from DOE’s inspector general highlighted vulnerabilities at the agency.

The data breach occurred in January but was disclosed to DOE employees in Washington on Feb. 1, according to Reuters. The breach did not compromise classified information, authorities said. Instead, personally identifiable information of employees and contractors was hacked by unknown sources. DOE has not said which of its components were targeted in the attack.

A January cyber incident would have come just weeks after two DOE IG reports evaluated the department’s cybersecurity program and its incident response and management. While acknowledging progress in cybersecurity efforts, the reports identify a number of areas of vulnerability in the agency, including at the National Nuclear Security Administration.

Weaknesses in DOE’s cybersecurity program include issues with access control, vulnerability management, integrity of Web applications and planning for continuity of operations, according to the November 2012 report. The IG found faults “related to vulnerability management that could have allowed unauthorized access to systems and information,” as well as “at least 29 Web applications, including those supporting financial, human resources and general support functions” that could allow attackers to manipulate network systems. “The weaknesses identified occurred, in part, because the department elements had not ensured that cybersecurity requirements were fully developed and implemented,” the report states.

In December 2012, the IG found “several issues that limited the efficiency and effectiveness of the department’s cybersecurity incident management program and adversely impacted the ability of law enforcement to investigate incidents.” Among them were duplicative and disjointed incident management capabilities that cost the agency $30 million annually and inconsistencies in the timely identification and reporting of incidents, which is required by law.
