Information Security: Vulnerabilities in DOE's Systems for Unclassified Civilian Research

AIMD-00-140: Published: Jun 9, 2000. Publicly Released: Jun 30, 2000.

Contact:

Robert F. Dacey
(202) 512-3000
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the security of the Department of Energy's (DOE) unclassified information systems that support its civilian research programs, focusing on: (1) whether DOE's unclassified systems for civilian research are vulnerable to unauthorized access; (2) whether DOE is effectively managing information systems security; and (3) what DOE is doing to address the risk of unauthorized access to unclassified systems for civilian research.

GAO noted that: (1) unclassified information systems for scientific research are not consistently protected at all DOE laboratories; (2) although some laboratories are taking significant measures to strengthen access controls, many systems remain vulnerable; (3) in four recent cases, Internet-based attacks forced specific laboratories to disconnect their networks from the Internet, interrupting scientific research for as long as a week on at least two occasions; (4) independent reviews conducted at various DOE labs confirm significant continuing vulnerabilities; (5) GAO supplemented these evaluations with its own penetration tests at four DOE laboratories; (6) GAO tests showed that two of the laboratories have recently taken steps that would prevent many casual Internet-based attacks; (7) nevertheless, some DOE systems remain vulnerable; (8) a major contributing factor to the continuing existence of security vulnerabilities at the DOE laboratories is that DOE has not had an effective program for managing information technology (IT) security consistently throughout the department; (9) GAO found that DOE lacks key elements of a comprehensive IT security program as outlined in GAO's 1998 Executive Guide; (10) no security plans had been prepared for 17 of the 20 major systems in GAO's sample; (11) DOE has not effectively assessed risks; (12) although all but 2 of the 10 laboratories that GAO reviewed had performed risk assessments on a laboratorywide level, no system-specific risk assessments had been done for 19 of the 20 systems in GAO's sample; (13) also, a lack of clear policy on what information is appropriate for public Internet access has led some laboratories to publicly post information on the World Wide Web that could facilitate a potential intruder's attempt to break into DOE systems; (14) moreover, line management within the department has not effectively overseen implementation of computer security at the labs; (15) few on-site audits or reviews have been conducted, and official IT security policies have not been enforced; (16) DOE management is aware that its unclassified security program has been inadequate and has taken several steps to improve it, including issuing an updated IT security policy and developing a five-year action plan; (17) the department's independent oversight function for information security was strengthened in 1999 and is now more active in reviewing IT security at the laboratories; and (18) further continuing action will be needed to effectively reform the department's line management oversight structure for IT security.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DOE reported that it chartered a cyber security policy working group, including senior line management and security experts, to address the GAO recommendation relating to integrating the skills and expertise of staff at DOE labs in developing official policy and guidance. DOE reported that this working group had met quarterly for the past year, as of September 2002.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should develop a mechanism for effectively integrating skills and expertise of staff at the DOE laboratories in the development of official policy and guidance. The CIO should consider chartering the existing System of Laboratories Computer Coordinating Committee Technical Working Group in this capacity.

    Agency Affected: Department of Energy

  2. Status: Closed - Implemented

    Comments: DOE reported that it published DOE Notice 205.1, Unclassified Cyber Security Programs, that provides policy, enforcement, and management responsibilities to DOE organizations to address this recommendation.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should ensure that headquarters-based reviews identify and correct shortcomings in draft annual security plans prepared by the science laboratories. Specifically, the plans should identify which systems are critical for the laboratories to achieve their scientific missions and how these systems are interconnected, both within the lab and externally. The plans should also outline the procedures used by the laboratories to assess threats and vulnerabilities and regularly test whether the countermeasures employed to protect these systems are effective in mitigating identified risks.

    Agency Affected: Department of Energy

  3. Status: Closed - Implemented

    Comments: DOE reported that it published DOE Order 241.1 and DOE Guide 241.1, Scientific and Technical Information Management, to address the GAO recommendation relating to determination of sensitivity of computer information and internet access to that information.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should establish guidelines for determining the sensitivity of electronic information and the extent to which such information should be publicly accessible through the Internet and establish management oversight processes to ensure compliance with this guidance.

    Agency Affected: Department of Energy

  4. Status: Closed - Implemented

    Comments: DOE reported that it published DOE Notice 205.1, Unclassified Cyber Security Programs, which provides policy, enforcement, and management responsibilities to DOE organizations, and DOE Notice 205.4, Incident Warning and Reporting Manual, to address this recommendation.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should establish mechanisms to enforce reporting of all serious security incidents to DOE's Computer Incident Advisory Capability. Further, the Chief Information Officer (CIO) should establish and issue guidelines to clarify what types of incidents must be reported. At a minimum, these types must include all incidents that could adversely affect scientific research through compromises of mission data or computational resources.

    Agency Affected: Department of Energy

  5. Status: Closed - Implemented

    Comments: DOE stated that a clear process and structure to monitor and enforce laboratory compliance with DOE-wide policy has been implemented by the Office of Science. For example, DOE Notice 205.1 requires each laboratory to develop and implement cyber security protection plans that require approval from management. In addition, the progress of cyber security improvements by DOE sites is monitored by the laboratories' operations office through monthly reports. Also, cyber security has been added as a topic for the annual on-site reviews of the planning process. There are also continuous efforts underway by its IG and independent oversight counsel to inspect the agency's unclassified networks.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should develop a clear and comprehensive line management oversight process to continuously monitor and enforce the laboratories' compliance with departmentwide policy and the effectiveness of established controls. The process should include audits and reviews and establish clear roles and responsibilities for each organization in the line management chain and procedures for tracking identified vulnerabilities and for ensuring that follow-up actions are implemented.

    Agency Affected: Department of Energy

  6. Status: Closed - Implemented

    Comments: DOE reported that it completed developing cyber security program plans for all its major programs and organizations to address GAO's recommendation pertaining to establishing a consistent risk-based approach.

    Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should: (1) establish guidelines for a consistent risk-based approach to IT security management; (2) require all of DOE's scientific laboratories to identify all their critical systems and formally assess the potential threats and vulnerabilities of each system before operation, upon significant change, or at least every 3 years; and (3) require that managers document that this process has been followed, what level of protection they have determined is appropriate, what controls they have selected to provide this protection, and that they accept responsibility for any residual risks.

    Agency Affected: Department of Energy

  7. Status: Closed - Implemented

    Comments: The DOE science laboratories closed all identified security weaknesses.

    Recommendation: The DOE CIO should: (1) review the specific vulnerabilities and suggested actions provided to laboratory Computer Protection Program Managers at the conclusion of GAO's testing; (2) determine and implement appropriate security countermeasures; and (3) track the implementation and disposition of these actions.

    Agency Affected: Department of Energy: Office of the Chief Information Officer
