recommended reading

Nuclear Lab Remains Vulnerable to Cyberstrikes, Energy IG says

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos.

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos. // Los Alamos National Laboratory

A leading U.S. nuclear arms site has taken significant steps in recent years to defend against strikes on its computer systems, but key weaknesses remain to be fixed, the Energy Department’s inspector general said this week.

The Los Alamos National Laboratory in New Mexico uses a host of information systems and networks to carry out its duties, which include research and production programs in support of maintaining the nation’s nuclear arsenal, Inspector General Gregory Friedman said in a memorandum attached to a cybersecurity report.

“The vulnerabilities in the report do cover national security systems (systems which process classified data),” Felicia Jones, spokeswoman for the DOE Inspector General’s Office, told Global Security Newswire by e-mail. “We cannot comment on whether or not these systems pertained to the lab’s nuclear arms work.”

Friedman’s office in previous audits has found vulnerabilities in Los Alamos’ defenses against computer-based assaults, such as insufficient monitoring at the laboratory and federal levels and key protections that did not work correctly.

“LANL has taken steps to address concerns regarding its cybersecurity program raised in prior evaluations,” Friedman stated. “Our current review, however, identified continuing concerns related to LANL’s implementation of risk management, system security testing and vulnerability management practices.”

Troubles persist in the absence of “effective monitoring and oversight’ of defense operations by the on-site office that oversees Los Alamos for the Energy Department’s National Nuclear Security Administration, according to Friedman. In some cases, the Los Alamos Site Office signed off on “practices that were less rigorous than those required by federal directives.”

Friedman warned that additional adjustments must be made to reduce the threat of breaches to the laboratory’s computer systems.

Among the issues identified in the latest report:

  • The laboratory has failed to consistently prepare and employ adequate risk management systems, including insufficiently detailed analyses of threats to its computer operations.
  • Los Alamos personnel have not consistently found effective responses to particularly worrisome weaknesses. Checks by auditors identified five “critical” and 15 “high-risk” weaknesses on four systems that feature national security data.
  • Computer network servers and systems featured “easily guessed log-in credentials or required no authentication. For example, 15 web applications and five servers were configured with default or blank passwords.”

The Energy Department has been subject to a massive increase in cyberstrikes in recent years, including system breaches and malware infections, the inspector general said in a late 2012 report.The public website for the NNSA Y-12 National Security Complex had to be taken down temporarily after one 2011 attack.

Los Alamos has faced a number of security and safety setbacks in recent years, most recentlyfaulty defense technology in the area that houses production of plutonium cores for nuclear weapons.

 “I’m concerned that sensitive data at LANL could be at risk, given the lab's past security scandals and still unresolved cyber security issues,” Jay Coghlan, executive director of the watchdog organization Nuclear Watch New Mexico, stated by e-mail. “After all of the security problems and exploding cost overruns all across NNSA’s nuclear weapons complex, Congress should be mandating strict federal oversight and demanding greater return on taxpayers’ dollars from contractors by requiring them to meet specific performance goals.”

The inspector general’s report calls for improved risk management and continuous monitoring for threats against the laboratory’s computer operations. It also recommends that top NNSA officials fix technical weaknesses cited in the report; make sure the laboratory is meeting federal mandates for threat analysis and other key cyberdefense areas; and “direct LANL to modify internal procedures to include scanning processes designed to identify all vulnerabilities on the national security and unclassified computing environments.”

The nuclear agency said it accepted the recommendations and would make the needed fixes no later than March 30, 2014.

“It should be noted that LANL has taken aggressive measures to develop comprehensive cybersecurity procedures within the last five years,” NNSA Associate Administrator Cindy Lersten stated in a letter to the Inspector General’s Office. “NNSA remains committed to maturing our cybersecurity processes.”

Threatwatch Alert

Spear-phishing / Stolen credentials / User accounts compromised

Gmail Scam Tricks Users With Convincing Login Page

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.