recommended reading

Nuclear Lab Remains Vulnerable to Cyberstrikes, Energy IG says

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos.

A scientist used the Dual-Axis Radiographic Hydrodynamic Test Facility at Los Alamos. // Los Alamos National Laboratory

A leading U.S. nuclear arms site has taken significant steps in recent years to defend against strikes on its computer systems, but key weaknesses remain to be fixed, the Energy Department’s inspector general said this week.

The Los Alamos National Laboratory in New Mexico uses a host of information systems and networks to carry out its duties, which include research and production programs in support of maintaining the nation’s nuclear arsenal, Inspector General Gregory Friedman said in a memorandum attached to a cybersecurity report.

“The vulnerabilities in the report do cover national security systems (systems which process classified data),” Felicia Jones, spokeswoman for the DOE Inspector General’s Office, told Global Security Newswire by e-mail. “We cannot comment on whether or not these systems pertained to the lab’s nuclear arms work.”

Friedman’s office in previous audits has found vulnerabilities in Los Alamos’ defenses against computer-based assaults, such as insufficient monitoring at the laboratory and federal levels and key protections that did not work correctly.

“LANL has taken steps to address concerns regarding its cybersecurity program raised in prior evaluations,” Friedman stated. “Our current review, however, identified continuing concerns related to LANL’s implementation of risk management, system security testing and vulnerability management practices.”

Troubles persist in the absence of “effective monitoring and oversight’ of defense operations by the on-site office that oversees Los Alamos for the Energy Department’s National Nuclear Security Administration, according to Friedman. In some cases, the Los Alamos Site Office signed off on “practices that were less rigorous than those required by federal directives.”

Friedman warned that additional adjustments must be made to reduce the threat of breaches to the laboratory’s computer systems.

Among the issues identified in the latest report:

  • The laboratory has failed to consistently prepare and employ adequate risk management systems, including insufficiently detailed analyses of threats to its computer operations.
  • Los Alamos personnel have not consistently found effective responses to particularly worrisome weaknesses. Checks by auditors identified five “critical” and 15 “high-risk” weaknesses on four systems that feature national security data.
  • Computer network servers and systems featured “easily guessed log-in credentials or required no authentication. For example, 15 web applications and five servers were configured with default or blank passwords.”

The Energy Department has been subject to a massive increase in cyberstrikes in recent years, including system breaches and malware infections, the inspector general said in a late 2012 report.The public website for the NNSA Y-12 National Security Complex had to be taken down temporarily after one 2011 attack.

Los Alamos has faced a number of security and safety setbacks in recent years, most recentlyfaulty defense technology in the area that houses production of plutonium cores for nuclear weapons.

 “I’m concerned that sensitive data at LANL could be at risk, given the lab's past security scandals and still unresolved cyber security issues,” Jay Coghlan, executive director of the watchdog organization Nuclear Watch New Mexico, stated by e-mail. “After all of the security problems and exploding cost overruns all across NNSA’s nuclear weapons complex, Congress should be mandating strict federal oversight and demanding greater return on taxpayers’ dollars from contractors by requiring them to meet specific performance goals.”

The inspector general’s report calls for improved risk management and continuous monitoring for threats against the laboratory’s computer operations. It also recommends that top NNSA officials fix technical weaknesses cited in the report; make sure the laboratory is meeting federal mandates for threat analysis and other key cyberdefense areas; and “direct LANL to modify internal procedures to include scanning processes designed to identify all vulnerabilities on the national security and unclassified computing environments.”

The nuclear agency said it accepted the recommendations and would make the needed fixes no later than March 30, 2014.

“It should be noted that LANL has taken aggressive measures to develop comprehensive cybersecurity procedures within the last five years,” NNSA Associate Administrator Cindy Lersten stated in a letter to the Inspector General’s Office. “NNSA remains committed to maturing our cybersecurity processes.”

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.