Department Of Energy Cyberattack: 5 Takeaways

Published: 22/11/2024 | Category: security




Exclusive: Outdated, unpatched system blamed for DOE breach, but agency said to be getting its cybersecurity house in order.



Is the Department of Energy (DOE) serious about cybersecurity? It appears to be doing better than most federal agencies, despite two high-profile breaches this year. What follows is a second-day look at what's known about the latest breach, how it happened and what the agency might do to prevent future attacks.
First, some background. The DOE warned employees in an emailed memo earlier this month that information pertaining to 14,000 current and former employees had been compromised in a cyber incident that occurred at the end of July. Stolen information included personally identifying information (PII) in the form of names and social security numbers, according to a copy of the memo published by The Wall Street Journal.
"No classified data was targeted or compromised," the memo read. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan." The agency promised that all affected employees would be notified individually by the end of August.
[ Want to know more about government security problems? See Most VA Privacy Breaches Trace To Paper, Not PCs. ]
The July breach marked the second time this year that the DOE reported that online attackers had infiltrated its systems, following a February intrusion that officials said resulted in the theft of information pertaining to several hundred employees.
1. Source: Hack Involved Outdated System
According to a source close to the DOE, the system hacked in the July breach -- which stored PII -- was outdated, unpatched and "easy pickings." "The form and style of this attack were not difficult to defend if you're doing the basics of cybersecurity: knowing what's on your network, knowing what your vulnerabilities are, doing good patch management and establishing mitigations against the places where you know you're vulnerable," the source said. "But you've got to start with knowing what's on your network."
A DOE spokeswoman, as well as the agency's CTO, didn't respond to multiple requests for comment -- made over the past week via email and phone -- about the breach and whether the agency plans to alter its approach to cybersecurity.
2. DOE Failed To Implement SANS Top 20
"Knowing what's on your network" alludes to SANS Institute's 20 Critical Security Controls for Effective Cyber Defense, which are widely considered to be the basic steps for every information security program. Put another way, the consensus is that organizations which fail to put those 20 controls in place can't effectively defend themselves against attackers.
The No. 1 recommendation on the SANS Top 20 is to create an inventory of authorized and unauthorized devices. In other words, businesses and government agencies must know what's on their network. If they don't, then attempting to safeguard the network against intrusions becomes orders of magnitude more difficult.
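The device inventory in Control 1, and the "know your vulnerabilities, do good patch management" basics the source describes in takeaway 1, boil down to one recurring reconciliation: compare what is actually answering on the network with what the organization has authorized, and flag the gaps. The script below is an added illustration of that reconciliation and is not code from the article, SANS or the DOE; the inventory, the discovery results, the hostnames, IP addresses and version baselines are all constructed for the example, and the discovery list stands in for whatever an authenticated scan or endpoint agent would produce in practice.

```python
"""Reconcile what is actually on the network against an authorized inventory.

Added illustration of SANS Critical Control 1 (inventory of authorized and
unauthorized devices) combined with a minimum-patch-level check.
Every value below is constructed for the example; none of it is DOE data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed authorized inventory: what the agency *believes* is on the network,
# who owns each host, and the minimum software versions it is required to run.
AUTHORIZED = {
    "10.0.1.10": {"host": "hr-db-01", "owner": "HR IT", "min_versions": {"OpenSSH": "7.4"}},
    "10.0.1.11": {"host": "web-portal", "owner": "Web team", "min_versions": {"nginx": "1.18.0"}},
    "10.0.1.20": {"host": "file-srv", "owner": "Ops", "min_versions": {"Samba": "4.10.0"}},
}

# Constructed discovery results, standing in for an authenticated scan or agent
# report. Note the host nobody owns and the host that never answered.
DISCOVERED = [
    {"ip": "10.0.1.10", "services": {"OpenSSH": "8.2"}},
    {"ip": "10.0.1.11", "services": {"nginx": "1.14.2"}},          # below baseline
    {"ip": "10.0.1.42", "services": {"Apache httpd": "2.2.15"}},   # not in inventory
    # 10.0.1.20 is absent: offline, moved, or the inventory entry is stale
]


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically, not as strings
    ('1.9' must rank below '1.18', which string comparison gets wrong)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Findings:
    unauthorized: list[str] = field(default_factory=list)  # on the wire, not in inventory
    missing: list[str] = field(default_factory=list)       # in inventory, not seen
    # (ip, product, observed version, required minimum)
    below_baseline: list[tuple[str, str, str, str]] = field(default_factory=list)


def reconcile(authorized: dict, discovered: list) -> Findings:
    """Compare discovered hosts with the authorized inventory and patch baselines."""
    findings = Findings()
    seen = {d["ip"]: d for d in discovered}
    for ip, dev in seen.items():
        if ip not in authorized:
            findings.unauthorized.append(ip)   # Control 1: an unauthorized device
            continue
        for product, required in authorized[ip]["min_versions"].items():
            observed = dev["services"].get(product)
            if observed is None:
                continue  # product not running on that host; nothing to compare
            if parse_version(observed) < parse_version(required):
                findings.below_baseline.append((ip, product, observed, required))
    findings.missing = sorted(ip for ip in authorized if ip not in seen)
    return findings


def report(findings: Findings) -> list[str]:
    """Render findings as ticket-style lines; returned rather than printed so a
    caller can route them to a ticketing system or a SIEM."""
    lines = []
    for ip in findings.unauthorized:
        lines.append(f"UNAUTHORIZED  {ip}: not in inventory; identify owner or isolate")
    for ip, product, observed, required in findings.below_baseline:
        lines.append(f"UNPATCHED     {ip}: {product} {observed} < baseline {required}")
    for ip in findings.missing:
        lines.append(f"NOT SEEN      {ip}: inventory entry stale or host offline")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(AUTHORIZED, DISCOVERED)):
        print(line)
```

Run against the constructed data, the script raises three findings: an unowned host at 10.0.1.42, an nginx instance below its required version on 10.0.1.11, and an inventory entry (10.0.1.20) that no longer matches anything on the wire. The last category matters as much as the first: an inventory that drifts from reality is what lets a forgotten, unpatched system sit on the network unnoticed.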
3. Why DOE Might Be Running Unpatched Systems
The above isn't rocket science. So how was an outdated, unpatched and apparently Internet-accessible system containing personal information on thousands of DOE employees -- some of whom work with cutting-edge nuclear secrets -- allowed to run on the agency's network?
One likely explanation: unclear lines of IT oversight and authority. The DOE, like all government agencies, comprises numerous internal departments and fiefdoms. Furthermore, most of the agency's budget comes from Congressional appropriations that flow to project offices; relatively little is directed to centralized functions. As a result, creating a top-down, "thou shalt comply" IT and patch management regime is difficult.
The IT picture is further complicated by the agency's oversight of 17 national laboratories (including Fermi National Accelerator Laboratory and Los Alamos National Laboratory) and 14 other facilities, including Bettis Atomic Power Laboratory, Kansas City Plant and the Yucca Mountain nuclear waste repository. The scale of those operations is highlighted by the fact that the DOE reportedly had about 16,000 employees as of 2009, and 93,000 contractors on the books as of 2008. (A DOE spokeswoman didn't respond to an emailed request for more up-to-date employment figures.)
All of those 30-plus labs and facilities are run by contractors, and they're arguably held to a higher information security standard than the DOE itself. To wit, the DOE's two most recent breaches didn't involve networks managed by labs or facilities, but rather infrastructure managed by DOE's in-house IT staff. No heads appear to be rolling at DOE, and no Congressional inquiry has begun. Would the same be true if those cybersecurity shortcomings were traced to a contractor?
4. Upside: DOE Leading On Agency Cybersecurity
Then again, Alan Paller, director of research at the SANS Institute, thinks the DOE's cybersecurity practices are quite good. "From what I can tell, DOE is doing about the best job in government on cyber governance in a very challenging structure where each element has enormous business independence," Paller said in an email.
What might DOE be doing better? In general, he noted that at every government institution, paper-based policies and strategies too often trump hands-on security improvements.
5. Challenge: Improving Actual Security, Not Just Policies
Blame a widespread lack of hands-on cybersecurity skills across the federal government. "The great failing of DOE is that too many of its security officers do not have the technical mastery to implement the 20 [SANS] controls cost-effectively," Paller said. "They still are living in an era of compliance, where writing reports is more important than securing systems. This same affliction is found in most federal agencies, and I see DOE as among the better ones. It is that cyber-skills weakness, along with a lack of persuasion skills -- needed to get agency staff to take necessary action -- that leads to losses."
Again, Paller emphasized that this problem isn't unique to the DOE, which he lauded for having publicized the breaches. "You are not seeing most of the losses in the other agencies," he said. "DOE has led the way on being open."
