The revelation this week that the Department of Energy (DoE) Joint Cybersecurity Coordination Center recorded more than 1,000 hacks into department computer systems from 2010 to 2014, including more than 150 successful intrusions into systems containing sensitive data about the nation’s electric power grid, cybersecurity experts said they aren’t at all surprised.
Fifty-three of the 159 intrusions from October 2010 to October 2014 were "root compromises" that gave the hacker administrative privileges to DoE’s computer systems. And that’s not good.
“Again, we have what appears to be a surprise revelation about a US government agency that has suddenly come under cyber attack. However, it has been well known that the Department of Energy has had poor cyber hygiene for some time,” said Cris Thomas, strategist at Tenable Network Security.
“The Department of Energy has all the same problems as just about every other agency, the same problems that were highlighted” by the massive hack into Office of Personnel Management (OPM) computers, Thomas said. “Basic fundamental security practices are either not properly implemented, not enforced or just plain missing. The overall state of insecurity at the DoE was revealed by a report released by the Office of Inspector General just last year which found numerous default or easily guessed passwords on user workstations among other issues. These were some of the same exact problems that were found at OPM.” And at DoE.
DoE’s Inspector General said in an audit report last October that “additional effort is needed to ensure that the risks of operating systems are identified and that systems and information are adequately secured. The issues identified occurred, at least in part, because the department’s programs and sites reviewed had not ensured that cybersecurity policies and procedures were developed and properly implemented.”
The OPM breach further revealed the shortcomings in the US’s efforts to curb advanced cyber intrusions. During a House Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies hearing in July, the Government Accountability Office (GAO) testified that the OPM hack and other recent data breaches illustrate the need for strong controls across federal agencies.
The subcommittee heard that as cyber threats continue to evolve, federal agencies face a number of obstacles challenging their ability to keep pace. These challenges include designing and implementing a risk-based cybersecurity program, enhancing oversight of contractors providing IT services, improving security incident response activities, responding to breaches of personal information, and implementing cybersecurity programs at small agencies.
“Until federal agencies take actions to address these challenges—including implementing the hundreds of recommendations GAO and agency inspectors general have made—federal systems and information, including sensitive personal information, will be at an increased risk of compromise from cyber-based attacks and other threats,” GAO stated.
Thomas said, “The attacks at the DoE may help reignite the debate surrounding [the] Cybersecurity Information Sharing Act of 2015 [CISA],” which is stalled out in the Senate.
“CISA does has flaws, it is not a magic bullet that suddenly makes us secure, but it’s a good firststep,” Thomas said. “However, this round of attacks leveled against the DoE supports the idea that government should be sharing more than just threat indicators. The DoE itself shares threat indicators amongst its own labs, plants and other sites and yet that sharing did nothing to prevent these attacks.”
Continuing, Thomas said, “government agencies and private sector companies and organizations need to release that it is not, if they are attacked, but when. They need to plan on how they will identify, contain and recover from that attack before it happens.”
“It is important to understand that security is a process and will never be completely resolved,” but “we need to continue making progress and we need to do it smartly,” Utilities Telecom Council (UTC) Vice President of Industry Affairs and Cybersecurity Strategist Nadya Bartol said at a joint hearing of the House Committee on Science, Space and Technology subcommittees on oversight and energy Thursday. Bartol is a trusted cybersecurity expert to utilities and other critical infrastructure providers globally.
“Relying strictly on technical solutions to solve cybersecurity is insufficient and dangerous because people will always circumvent the technology if they are motivated to do so,” Bartol told lawmakers. “Some grid vulnerabilities are outside of our control such as the external threats, which include individual hackers, activist groups, cyber criminals and nation states,” Bartol noted, adding, “We can mitigate the impact of these threats, but only to a certain extent. However, as a community, we can make a substantial impact on those vulnerabilities that are a lot more within our span of control such as availability of qualified workforce, legacy infrastructure, lack of legal framework for information sharing and evolving practices for assuring security in supplier products and services.”
“Disruption of critical infrastructure by a cyber incident is a serious concern for utility executives and technical practitioners,” Bartol said. She also said, “UTC believes that cybersecurity is the 21st century reliability challenge.”
