The compromises, which occurred at four department locations, were not described in detail, but were deemed “successful” for adversaries, according to the annual audit, which is required by the Federal Information Security Management Act (FISMA).
Three of the four attacks caused an estimated $2 million in damages. The audit did not reveal the estimated impact of the fourth.
“As observed in the recent cyberattacks at four sites, exploitation of vulnerabilities can cause significant disruption to operations and/or increase the risk of modification or destruction of sensitive data or programs,” Gregory Friedman, DoE inspector general (IG), wrote in the report.
Several sophisticated attacks at DoE laboratories have made headlines this year.
In April, the Tennessee-based Oak Ridge National Laboratory, a facility that conducts research in nuclear energy for national security purposes, fell victim to an attack described as an advanced persistent threat (APT) after nearly 60 employees clicked on a malicious link contained in emails promising information about their benefits package. Then in July, hackers breached the Pacific Northwest National Laboratory, a DoE research facility, which resulted in email and internet access being temporarily shut off.
The audit outlined a number of glaring weaknesses in DoE's security posture. While the agency has taken steps over the past year to improve its security stance, deficiencies remain with respect to access controls; vulnerability management; web application integrity; business continuity and disaster recovery planning; change control management; and security training, according to the report.
The DoE has corrected 11 of the 35 shortfalls identified in last year's review. The 2011 evaluation turned up many of the same issues noted in the past, though there was a 60 percent increase in weaknesses since 2010.
Specifically, auditors discovered weaknesses in at least 32 different web applications used at 10 different department locations to support functions such as procurement and safety. In addition, 15 agency locations had vulnerability management deficiencies, 11 had access control problems, and one had not developed a business continuity and disaster recovery plan.
“Without improvements … there is an increased risk of compromise and/or loss, modification, and non-availability of the department's systems and information,” the report states.
In a letter responding to the report, Kenneth Powers, associate administrator for management and budget at the DoE's National Nuclear Security Administration (NNSA), said the IG mischaracterized “the scope, severity, and cause of the issues presented.”
But DoE Chief Information Officer Michael Locatis III, in his written response, concurred with the IG's recommendation to fix the issues, noting that some corrective actions have already been taken.