recommended reading

Nuclear Lab Remains Vulnerable to Cyberstrikes, Energy IG says

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos.

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos. // Los Alamos National Laboratory

A leading U.S. nuclear arms site has taken significant steps in recent years to defend against strikes on its computer systems, but key weaknesses remain to be fixed, the Energy Department’s inspector general said this week.

The Los Alamos National Laboratory in New Mexico uses a host of information systems and networks to carry out its duties, which include research and production programs in support of maintaining the nation’s nuclear arsenal, Inspector General Gregory Friedman said in a memorandum attached to a cybersecurity report.

“The vulnerabilities in the report do cover national security systems (systems which process classified data),” Felicia Jones, spokeswoman for the DOE Inspector General’s Office, told Global Security Newswire by e-mail. “We cannot comment on whether or not these systems pertained to the lab’s nuclear arms work.”

Friedman’s office in previous audits has found vulnerabilities in Los Alamos’ defenses against computer-based assaults, such as insufficient monitoring at the laboratory and federal levels and key protections that did not work correctly.

“LANL has taken steps to address concerns regarding its cybersecurity program raised in prior evaluations,” Friedman stated. “Our current review, however, identified continuing concerns related to LANL’s implementation of risk management, system security testing and vulnerability management practices.”

Troubles persist in the absence of “effective monitoring and oversight’ of defense operations by the on-site office that oversees Los Alamos for the Energy Department’s National Nuclear Security Administration, according to Friedman. In some cases, the Los Alamos Site Office signed off on “practices that were less rigorous than those required by federal directives.”

Friedman warned that additional adjustments must be made to reduce the threat of breaches to the laboratory’s computer systems.

Among the issues identified in the latest report:

  • The laboratory has failed to consistently prepare and employ adequate risk management systems, including insufficiently detailed analyses of threats to its computer operations.
  • Los Alamos personnel have not consistently found effective responses to particularly worrisome weaknesses. Checks by auditors identified five “critical” and 15 “high-risk” weaknesses on four systems that feature national security data.
  • Computer network servers and systems featured “easily guessed log-in credentials or required no authentication. For example, 15 web applications and five servers were configured with default or blank passwords.”

The Energy Department has been subject to a massive increase in cyberstrikes in recent years, including system breaches and malware infections, the inspector general said in a late 2012 report.The public website for the NNSA Y-12 National Security Complex had to be taken down temporarily after one 2011 attack.

Los Alamos has faced a number of security and safety setbacks in recent years, most recentlyfaulty defense technology in the area that houses production of plutonium cores for nuclear weapons.

 “I’m concerned that sensitive data at LANL could be at risk, given the lab's past security scandals and still unresolved cyber security issues,” Jay Coghlan, executive director of the watchdog organization Nuclear Watch New Mexico, stated by e-mail. “After all of the security problems and exploding cost overruns all across NNSA’s nuclear weapons complex, Congress should be mandating strict federal oversight and demanding greater return on taxpayers’ dollars from contractors by requiring them to meet specific performance goals.”

The inspector general’s report calls for improved risk management and continuous monitoring for threats against the laboratory’s computer operations. It also recommends that top NNSA officials fix technical weaknesses cited in the report; make sure the laboratory is meeting federal mandates for threat analysis and other key cyberdefense areas; and “direct LANL to modify internal procedures to include scanning processes designed to identify all vulnerabilities on the national security and unclassified computing environments.”

The nuclear agency said it accepted the recommendations and would make the needed fixes no later than March 30, 2014.

“It should be noted that LANL has taken aggressive measures to develop comprehensive cybersecurity procedures within the last five years,” NNSA Associate Administrator Cindy Lersten stated in a letter to the Inspector General’s Office. “NNSA remains committed to maturing our cybersecurity processes.”

Threatwatch Alert

Spear-phishing

Google Chrome Update Addresses Super Sneaky URL Trick

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.