The U.S. government agency tasked with overseeing the safety of nuclear power plants cannot secure its own networks, an agency audit said.
The audit, performed by Richard S. Carson & Associates on behalf of the Nuclear Regulatory Commission (NRC) Inspector General, found the commission’s plans of action and milestones for the remediation of information security vulnerabilities often did not contain all known security vulnerabilities and remained open past their due date.
In addition, agency staff sometimes declared the vulnerabilities resolved without sufficient evidence.
A security test found that network components had never been security hardened and that patches had not been installed. The patching problems indicated either that the agency’s patching solution was not configured correctly, or that personnel responsible for those system components had not requested downloads of the patches from the enterprise-wide patching system, the audit said.
The fact that problems have been identified with the timely remediation of security vulnerabilities in more than one operational system “indicates the agency needs to improve its configuration management procedures to ensure all identified vulnerabilities, including configuration-related vulnerabilities, scan findings, and security patch-related vulnerabilities, are remediated in a timely manner”, the audit said.
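The three failure modes the audit describes (findings absent from the plan of action and milestones, items left open past their due date, and items closed without evidence) are all checkable mechanically. The following is an added example, not code from the audit or the NRC: it reconciles a constructed set of scan findings against a constructed POA&M list and reports each class of discrepancy. The finding and POA&M identifiers, hostnames and dates are all invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Finding:
    """One vulnerability reported by a scan (constructed sample data)."""
    finding_id: str
    host: str
    description: str


@dataclass
class PoamItem:
    """One plan-of-action-and-milestones entry tracking a finding."""
    poam_id: str
    finding_id: str
    due: date
    status: str                                  # "open" or "closed"
    evidence: List[str] = field(default_factory=list)  # e.g. rescan report ids


def reconcile(findings: List[Finding], poam: List[PoamItem], today: date) -> Dict[str, List[str]]:
    """Compare scan findings with the POA&M and flag the three audit failure modes."""
    by_finding = {p.finding_id: p for p in poam}

    # 1. Known vulnerabilities that never made it into the POA&M.
    missing = sorted(f.finding_id for f in findings if f.finding_id not in by_finding)

    # 2. Open items whose milestone date has already passed.
    overdue = sorted(p.poam_id for p in poam if p.status == "open" and p.due < today)

    # 3. Items marked closed with no verification evidence attached.
    unverified = sorted(p.poam_id for p in poam if p.status == "closed" and not p.evidence)

    return {
        "missing_from_poam": missing,
        "overdue": overdue,
        "closed_without_evidence": unverified,
    }


def run_sample() -> Dict[str, List[str]]:
    """Run the reconciliation over constructed sample data (hypothetical hosts and ids)."""
    findings = [
        Finding("F-001", "edge-fw-01", "SSH daemon missing vendor security patch"),
        Finding("F-002", "core-sw-02", "SNMP community string left at default"),
        Finding("F-003", "app-srv-07", "Operating system patches not installed"),
        Finding("F-004", "app-srv-08", "Unneeded services enabled; host not hardened"),
    ]
    poam = [
        PoamItem("P-1", "F-001", date(2023, 1, 15), "open"),                      # overdue
        PoamItem("P-2", "F-002", date(2023, 6, 1), "closed", ["rescan-2023-05-20"]),
        PoamItem("P-3", "F-003", date(2023, 2, 1), "closed"),                     # no evidence
        # F-004 has no POA&M entry at all.
    ]
    return reconcile(findings, poam, today=date(2023, 3, 1))


if __name__ == "__main__":
    for category, ids in run_sample().items():
        print(f"{category}: {', '.join(ids) if ids else 'none'}")
```

Each list in the output corresponds to one finding in the audit: a non-empty `missing_from_poam` means the POA&M is incomplete, `overdue` means milestones are being missed, and `closed_without_evidence` means items were declared resolved without proof. Running the check after every scan cycle, against the live POA&M rather than a constructed one, is the kind of configuration-management control the audit calls for.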
In addition, the audit found the agency had not developed an organization-wide risk management strategy.