The Energy Department paid more than $2 million to recover from several recent cyberattacks, according to agency auditors.
An annual review of Energy's unclassified cybersecurity observed network weaknesses have increased 60 percent between fiscal 2010 and fiscal 2011, the department's inspector general reports. The security holes include weak access controls, software flaws and poor employee training, among other deficiencies.
"As noted by recent successful attacks at four department locations, exploitation of vulnerabilities can cause significant disruption to operations and/or increases the risk of modification or destruction of sensitive data or programs," writes Energy IG Gregory H. Friedman in an Oct. 20 evaluation. "The estimated cost to the department for the recent cyberattacks at three of the four sites was over $2 million."
Tests at 25 facilities, including headquarters, revealed 32 previously unidentified vulnerabilities plus an additional 24 left unresolved from the prior year, Friedman notes.
The report does not say where the four breaches occurred or name the specific weaknesses discovered elsewhere due to security concerns, the document states.
Friedman attributes the problems, in part, to management's failure to monitor the performance of security safeguards.
For example, the agency neglected to block unauthorized users from accessing or modifying data on Web programs. "At least 32 web applications, used to support functions such as procurement and safety, did not perform validation procedures," he writes. "Such procedures ensure that changes made to information and programs are only allowed in a specified and authorized manner and that the system's operation is not impaired by deliberate or inadvertent unauthorized manipulation, such as through software flaws and malicious code."