August 9, 2016
As the one-year anniversary for the Cybersecurity Act of 2015 approaches, the Department of Energy is close to meeting all the mandates contained therein. However, the agency still has some metrics to meet, according to an inspector general report released Aug. 9.
As one of the agencies focused on a critical infrastructure — the energy sector — the department’s cybersecurity posture is of keen interest.
“For instance, the department’s national security systems process classified information to support critical activities related to maintaining the nation’s nuclear weapons stockpile,” according to the report. “In addition, unclassified systems that contain sensitive information, such as personally identifiable information (PII), are used to support activities related to financial management, human resources and health and safety.”
And hackers are definitely interested. A USA Today investigation last year showed the Energy Department was hacked at least 150 times over a four-year period.
Energy officials and security professionals continue to shore up the agency’s systems, including working on the mandates in the Cybersecurity Act.
But the IG report notes the department can do better tracking data on its networks — particularly data leaving the network — and has “limited to no capabilities related to digital rights management.”
The IG found several “robust” tools throughout the department used for monitoring data on the network, including the CIO’s Joint Cybersecurity Coordination Center and the National Nuclear Security Administration’s Information Assurance Response Center.
However, the decentralized nature of these efforts has left gaps in the department’s security. The report notes less than 15 percent of the agency’s internet traffic is routed through a trusted internet connection (TIC); while the CIO’s Office scans networks for encrypted PII, it does not do so consistently across the department; and at least two locations “had not implemented data loss prevention capabilities.”