IG scrutinizes cyber security


Report details concerns about lab’s vulnerability

By John Severance

The Department of Energy Inspector General has been monitoring the Los Alamos National Laboratory’s cyber security safeguards and the cost of those safeguards.

And it still has a fair number of concerns.

The report said, “We were unable to obtain an accurate amount due to the laboratory’s limited ability to track its IT spending. The audit found that while additional action is needed, LANL had taken steps to address concerns regarding its cyber security program raised in prior evaluations.

“However, our audit identified continuing concerns related to LANL’s implementation of risk management, system security testing and vulnerability management practices.”

The report said the issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL’s cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives. In response, NNSA management concurred with the findings and recommendations and agreed to take necessary corrective actions.

LANL, meanwhile, released the following statement concerning the cyber security audit.

“All indications — including audits — confirm that the most important and sensitive information at Los Alamos National Laboratory continues to be protected. Cybersecurity is a national concern.

“The laboratory is under continual and relentless attack, hundreds of attacks per second, every minute. We are equally relentless in our efforts to counter those attacks. The laboratory is fully aware of the issues contained in this most recent DOE IG audit report and work is already underway to resolve those issues.”

The report, meanwhile, detailed the following problems.
• LANL had not always developed and implemented an effective risk management process consistent with Federal requirements. For instance, system-level risk assessments did not always provide details regarding vulnerabilities and threats. Even though specifically required, risk assessments did not consider or evaluate how combinations of vulnerabilities and threats could increase the overall risk to an information system.
• LANL had not always ensured that it had developed, tested and implemented adequate controls over its information systems. For example, LANL had only tested a small fraction of the required security controls during the most recent authorization period for two of the seven national security systems and the one unclassified system that were reviewed. Further, LANL’s testing was not always adequate to ensure that controls and/or control enhancements were functioning as designed.
• Critical and high-risk vulnerabilities had also not always been properly addressed. Notably, issues were identified during scans of both national security and unclassified systems. For example, there were five critical and 15 high-risk weaknesses on the four national security systems scanned, some of which dated back to 2008. Similarly, vulnerabilities related to patch management, access controls and system integrity of web applications were identified on certain unclassified systems tested.

The report stated, “While additional action is needed, we found that LANL had made significant improvements to its cyber security program in recent years. Specifically, LANL improved the protection of national security systems and data through the elimination or disablement of data ports on machines containing classified information and ensured that incompatible security personnel functions were segregated and related compensating controls were in place and operational.

• LANL also segregated vulnerable computers and equipment no longer supported by vendors from the rest of the unclassified computing environment.

“Without further improvements to its cyber security program, however, LANL’s systems remain at a higher than necessary risk of compromise.

“Specifically, LANL’s transition to a Risk Management Framework, which is heavily reliant on continuous monitoring, could be hindered by the issues identified in the report, including a lack of understanding by responsible individuals as to the totality of risks associated with the systems,” the report stated.

The report detailed the following recommendations to LANL.

• Correct, through implementation of appropriate controls, the technical vulnerabilities identified in this report;
• Ensure that all Federal cyber security requirements are met, particularly in the areas of system security control testing and risk assessments; and,
• Direct LANL to modify internal procedures to include scanning processes designed to identify all internal vulnerabilities on the national security and unclassified computing environments.

NNSA responded to the concerns by saying management concurred with each of the report’s recommendations and “indicated that corrective actions would be taken to address the issues identified. Management stated that LANL had taken aggressive measures to develop comprehensive cyber security procedures within the last five years.

“In addition, management commented that it remains committed to maturing its cyber security processes and expanding the use of risk-based methodologies to drive more effective and efficient outcomes.”