recommended reading

Report: Fifty-eight percent of Energy computers went months without bug fixes

Simon Booth/

A perhaps disturbing summation of the state of federal cyber security: An internal audit found nearly 60 percent of Energy Department desktop computers were missing critical software patches -- and those findings don’t surprise security experts.

Officials risk disrupting agency business by applying patches because fixes likely would require pausing widely used programs, said Patrick Miller, chief executive officer of EnergySec, a federally funded public-private partnership.

The inspector general audit, which was released this week, covered unclassified systems at administrative offices departmentwide.

“It would actually be more damaging to the organization to patch it than to not patch it,” Miller said. “The reality is most organizations, the larger they get, the harder it is for them to manage their patching.” It is unclear whether the department compensated for holes by using other safeguards, such as firewalls.

The assessment revealed that many desktops and servers were running without security patches. Department-level systems handle budgeting and human resources data, as well as information on public-private investments, such as the controversial economic stimulus loan to solar power firm Solyndra. The now-bankrupt recipient of a more than $500 million Recovery Act award obtained court approval Thursday to sell its headquarters for $90 million.

About 58 percent of the Energy desktops tested used operating systems or software without fixes for weaknesses that had been discovered, in some cases, up to six months earlier. Also, 41 network servers were running operating systems no longer supported by their developers.

But, Miller said, defects are typical at fiscally strained federal agencies that are overseeing massive networks. “Those numbers are quite low for an agency of its size,” he said.  

Some of the flawed systems operate critical department operations, though the report did not identify specific activities.

“These vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations,” Energy Inspector General Gregory H. Friedman wrote.

Systems that run federal utilities and handle nuclear testing were not part of the evaluation.

The probe was conducted between February and November and examined facilities overseen by the undersecretary for nuclear security, undersecretary of energy and undersecretary for science.

A separate agency, the Health, Safety and Security Office of Enforcement and Oversight, studies cyber controls for Energy national security systems.

The study did not try to spot actual breaches.

In a Nov. 5 response to a draft report, Energy Chief Information Officer Robert Breese agreed to follow up on the uncovered problems. “The weaknesses noted in this report have been reviewed and corrective actions, to include the implementation of appropriate controls, have been identified,” he wrote. Energy offices will be expected to report quarterly to the CIO on their progress bolstering systems.

Systems powering federal utilities have come under the IG’s microscope several times during the past year.

In late October, the inspector general reported that the government's largest renewable power delivery agency was using a default password to protect a scheduling database, and regularly failed to update security software. The Western Area Power Administration distributes hydroelectric energy to utilities serving millions of homes and businesses in the Rocky Mountain, Sierra Nevada, Great Plains and Southwest regions.

Cyber experts said weaknesses flagged in a March audit of a Northwestern utility that powers 30 percent of the region, including key military installations, are typical of many government and industry energy systems. Eleven servers at the federal Bonneville Power Administration in Portland, Ore., used weak passwords, "an issue that could have allowed a knowledgeable attacker to obtain complete access to the system," the IG report stated.

Officials from Energy, the Homeland Security Department and the White House will highlight actions undertaken to help public and private sector utilities prioritize defenses at a  Washington event on Nov. 27 hosted by Government Executive Media Group.

(Image via Simon Booth/

Threatwatch Alert

Stolen credentials

Hackers Steal $31M from Russian Central Bank

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.