recommended reading

Report: Fifty-eight percent of Energy computers went months without bug fixes

Simon Booth/

A perhaps disturbing summation of the state of federal cyber security: An internal audit found nearly 60 percent of Energy Department desktop computers were missing critical software patches -- and those findings don’t surprise security experts.

Officials risk disrupting agency business by applying patches because fixes likely would require pausing widely used programs, said Patrick Miller, chief executive officer of EnergySec, a federally funded public-private partnership.

The inspector general audit, which was released this week, covered unclassified systems at administrative offices departmentwide.

“It would actually be more damaging to the organization to patch it than to not patch it,” Miller said. “The reality is most organizations, the larger they get, the harder it is for them to manage their patching.” It is unclear whether the department compensated for holes by using other safeguards, such as firewalls.

The assessment revealed that many desktops and servers were running without security patches. Department-level systems handle budgeting and human resources data, as well as information on public-private investments, such as the controversial economic stimulus loan to solar power firm Solyndra. The now-bankrupt recipient of a more than $500 million Recovery Act award obtained court approval Thursday to sell its headquarters for $90 million.

About 58 percent of the Energy desktops tested used operating systems or software without fixes for weaknesses that had been discovered, in some cases, up to six months earlier. Also, 41 network servers were running operating systems no longer supported by their developers.

But, Miller said, defects are typical at fiscally strained federal agencies that are overseeing massive networks. “Those numbers are quite low for an agency of its size,” he said.  

Some of the flawed systems operate critical department operations, though the report did not identify specific activities.

“These vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations,” Energy Inspector General Gregory H. Friedman wrote.

Systems that run federal utilities and handle nuclear testing were not part of the evaluation.

The probe was conducted between February and November and examined facilities overseen by the undersecretary for nuclear security, undersecretary of energy and undersecretary for science.

A separate agency, the Health, Safety and Security Office of Enforcement and Oversight, studies cyber controls for Energy national security systems.

The study did not try to spot actual breaches.

In a Nov. 5 response to a draft report, Energy Chief Information Officer Robert Breese agreed to follow up on the uncovered problems. “The weaknesses noted in this report have been reviewed and corrective actions, to include the implementation of appropriate controls, have been identified,” he wrote. Energy offices will be expected to report quarterly to the CIO on their progress bolstering systems.

Systems powering federal utilities have come under the IG’s microscope several times during the past year.

In late October, the inspector general reported that the government's largest renewable power delivery agency was using a default password to protect a scheduling database, and regularly failed to update security software. The Western Area Power Administration distributes hydroelectric energy to utilities serving millions of homes and businesses in the Rocky Mountain, Sierra Nevada, Great Plains and Southwest regions.

Cyber experts said weaknesses flagged in a March audit of a Northwestern utility that powers 30 percent of the region, including key military installations, are typical of many government and industry energy systems. Eleven servers at the federal Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," the IG report stated.

Officials from Energy, the Homeland Security Department and the White House will highlight actions undertaken to help public and private sector utilities prioritize defenses at a  Washington event on Nov. 27 hosted by Government Executive Media Group.

(Image via Simon Booth/

Threatwatch Alert

Stolen laptop

3.7M Hong Kong Voters' Personal Data Stolen

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.