Auditors Uncover Tens of Thousands of Critical Security Gaps At Energy Facilities

[InfoSec News <alerts () infosecnews org>]

https://www.nextgov.com/cybersecurity/2019/11/auditors-uncover-tens-thousands-critical-security-gaps-energy-facilities/161539/

By Jack Corrigan
Staff Correspondent
Nextgov
November 25, 2019

The Energy Department continues to botch the same cybersecurity practices year 
after year, leaving unclassified systems in the nation’s nuclear facilities and 
other critical infrastructure exposed to digital attacks, according to a 
federal watchdog.

In general, the agency is capable of fixing vulnerabilities after they’re 
uncovered, but officials have struggled to put in place policies to ensure they 
aren’t repeating the same mistakes, the Energy inspector general said. In their 
annual audit of the department’s cybersecurity program, investigators uncovered 
multiple recurring weaknesses related to configuration management, access 
controls, personnel training programs and security testing.

The audit also revealed substantial shortcomings in the department’s 
vulnerability management practices, which left tens of thousands of “critical 
and high-risk vulnerabilities” unaddressed within its digital ecosystem.

“Without improvements to address the weaknesses identified during our 
evaluation, the department information systems and data may be at a 
higher-than-necessary risk of compromise, loss and/or modification,” auditors 
said in the report. “We and other independent reviewers continue to identify 
vulnerabilities related to developing, updating and/or implementing policies 
and procedures that may adversely affect the department’s ability to properly 
secure its information systems and data.”

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_