Nuclear Lab Remains Vulnerable to Cyberstrikes, Energy IG says

A leading U.S. nuclear arms site has taken significant steps in recent years to defend against strikes on its computer systems, but key weaknesses remain to be fixed, the Energy Department’s inspector general said this week.

The Los Alamos National Laboratory in New Mexico uses a host of information systems and networks to carry out its duties, which include research and production programs in support of maintaining the nation’s nuclear arsenal, Inspector General Gregory Friedman said in a memorandum attached to a cybersecurity report.

“The vulnerabilities in the report do cover national security systems (systems which process classified data),” Felicia Jones, spokeswoman for the DOE Inspector General’s Office, told Global Security Newswire by e-mail. “We cannot comment on whether or not these systems pertained to the lab’s nuclear arms work.”

Friedman’s office in previous audits has found vulnerabilities in Los Alamos’ defenses against computer-based assaults, such as insufficient monitoring at the laboratory and federal levels and key protections that did not work correctly.

“LANL has taken steps to address concerns regarding its cybersecurity program raised in prior evaluations,” Friedman stated. “Our current review, however, identified continuing concerns related to LANL’s implementation of risk management, system security testing and vulnerability management practices.”

Troubles persist in the absence of “effective monitoring and oversight’ of defense operations by the on-site office that oversees Los Alamos for the Energy Department’s National Nuclear Security Administration, according to Friedman. In some cases, the Los Alamos Site Office signed off on “practices that were less rigorous than those required by federal directives.”

Friedman warned that additional adjustments must be made to reduce the threat of breaches to the laboratory’s computer systems.

Among the issues identified in the latest report:

• The laboratory has failed to consistently prepare and employ adequate risk management systems, including insufficiently detailed analyses of threats to its computer operations.
• Los Alamos personnel have not consistently found effective responses to particularly worrisome weaknesses. Checks by auditors identified five “critical” and 15 “high-risk” weaknesses on four systems that feature national security data.
• Computer network servers and systems featured “easily guessed log-in credentials or required no authentication. For example, 15 web applications and five servers were configured with default or blank passwords.”

The Energy Department has been subject to a massive increase in cyberstrikes in recent years, including system breaches and malware infections, the inspector general said in a late 2012 report.The public website for the NNSA Y-12 National Security Complex had to be taken down temporarily after one 2011 attack.

Los Alamos has faced a number of security and safety setbacks in recent years, most recentlyfaulty defense technology in the area that houses production of plutonium cores for nuclear weapons.

 “I’m concerned that sensitive data at LANL could be at risk, given the lab's past security scandals and still unresolved cyber security issues,” Jay Coghlan, executive director of the watchdog organization Nuclear Watch New Mexico, stated by e-mail. “After all of the security problems and exploding cost overruns all across NNSA’s nuclear weapons complex, Congress should be mandating strict federal oversight and demanding greater return on taxpayers’ dollars from contractors by requiring them to meet specific performance goals.”

The inspector general’s report calls for improved risk management and continuous monitoring for threats against the laboratory’s computer operations. It also recommends that top NNSA officials fix technical weaknesses cited in the report; make sure the laboratory is meeting federal mandates for threat analysis and other key cyberdefense areas; and “direct LANL to modify internal procedures to include scanning processes designed to identify all vulnerabilities on the national security and unclassified computing environments.”

The nuclear agency said it accepted the recommendations and would make the needed fixes no later than March 30, 2014.

“It should be noted that LANL has taken aggressive measures to develop comprehensive cybersecurity procedures within the last five years,” NNSA Associate Administrator Cindy Lersten stated in a letter to the Inspector General’s Office. “NNSA remains committed to maturing our cybersecurity processes.”