IG: Cybersecurity weaknesses dog DOE
Not only has the Energy Department failed to make much progress in improving cybersecurity a year after its inspector general pointed out numerous vulnerabilities, but a follow-up evaluation found that the number of weaknesses actually swelled by 60 percent.
An Oct. 20 evaluation of the department's unclassified cybersecurity program finds the department has corrected only 11 of the 25 weaknesses identified in a fiscal 2010 review. Ongoing problems include:
- 18 access-control deficiencies at headquarters and 10 other locations, including failure to perform periodic management reviews of user accounts; lax management of user access privileges, usernames and passwords; and failure to log and monitor user activity;
- 21 vulnerability-management weaknesses at 15 locations, with computers, network systems and devices running applications that could allow unauthorized access to the system;
- 14 weaknesses in at least 32 Web applications used at 10 locations to support functions such as procurement and safety;
- change-control management weaknesses at several locations;
- one location's failure to provide cyberattack awareness refresher training.
"The weaknesses identified occurred, in part, because departmental elements had not ensured that cybersecurity requirements included all necessary elements and were properly implemented," the IG's office says in a memo accompanying the report. "Program elements also did not always utilize effective performance monitoring activities to ensure that appropriate security controls were in place."
DOE needs to "intensify efforts to safeguard its systems and the information they contain," the memo says, noting that the department did update its cybersecurity policy this year and restore periodic site reviews.
Energy officials concurred with the findings and said they had already addressed the discrepancies. The National Nuclear Security Administration, for its part, said the IG inappropriately relied on a compliance checklist that discounted federal policies on risk-based, cost-effective approaches to cybersecurity. The IG's office disagreed.
For more:
- Download the DOE IG memo and evaluation (.pdf)