A review of federal records has revealed that the U.S. Department of Energy’s computer systems were successfully hacked, risking the security of sensitive energy data and research.
This is cause for concern considering the potential for damage if that information is in the wrong hands. But it is even more troubling that the report, published Sept. 11 by USA Today, showed the Energy Department was successfully hacked not once, twice or three times, but 159 times between 2010 and 2014.
The article, the result of a Freedom of Information Act request, showed there were even more intrusion attempts. The cyber-attack tally for the same timeframe was 1,131.
Ninety of the 159 successful cyber intrusions targeted the department’s Office of Science, which directs scientific research and heads 10 federal energy laboratories.
The newspaper said the Energy Department would not say whether federal governments may have been involved in the cyber attacks and whether any sensitive data, specifically concerning the nuclear weapons stockpile or the U.S. power grid, were stolen or accessed.
But “the potential for an adversary to disrupt, shut down (power systems), or worse … is real here,” Scott White, professor of homeland security and security management and director of the computing security and technology program at Drexel University, said in the article. “It’s absolutely real.”
The report did not reveal the attack methods used. That information was redacted from the records released to the newspaper.
Andrew Gumbiner, spokesman for the Energy Department, told USA Today that it “seeks to identify indicators of compromise and other cybersecurity relevant information, which it then shares broadly among all DOE labs, plants, and sites as well as within the entire federal government.”
A federal oversight report, released in December 2013 after a July 2013 cybersecurity breach, shows the Energy Department is aware of its vulnerabilities and the need to do something about them. The federal report highlighted a number of areas that needed to be addressed. Among the technical and management issues cited, as stated in the federal report, were:
- Frequent use of complete Social Security numbers as identifiers.
- Permitting direct internet access to a sensitive system without adequate security controls.
- Lack of assurance that required security planning and testing activities were conducted.
- Permitting systems to operate knowing they had high-risk security vulnerabilities.
- Failing to assign the appropriate level of urgency to replacing end-of-life systems.
“Unclear lines of responsibility between and within program and staff offices” was also tagged as a contributing factor when it came to who was responsible for detecting and correcting cybersecurity issues.
The report came with a list of recommendations to improve security.
“The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data—information that could be used to damage the financial and personal interests of many individuals,” Inspector General Gregory H. Friedman said in the report. “As noted, in many past Office of Inspector General Evaluation Reports completed pursuant to the Federal Information Security Management Act of 2002, weaknesses identical to those exploited in this case hold the potential for significant harm to the department.”
The Energy Department’s fiscal year 2016 budget request includes $52 million for R&D to strengthen energy infrastructure against cyber threats. The funding, the Energy Department said, “establishes a virtual collaborative environment for conducting real-time advanced digital forensics analysis, which can be used to analyze untested and untrusted code, programs and websites without allowing the software to harm the host device.”
Cybersecurity is also among the six initiatives for which more than $1.2 billion was requested.
The U.S. government’s fiscal year 2016 budget highlighted the issue and noted the budget included funding for cybersecurity. Hopefully, those funds won’t get tied up. The U.S. House of Representatives passed the Energy and Water Development Appropriations Bill in May.
USA Today said the oversight and energy subcommittees of the House Committee on Science, Space and Technology will have a joint hearing Sept. 17 on this growing threat.
Velda Addison can be reached at vaddison@hartenergy.com.