Unclassified nuclear computer systems are susceptible to attacks because “generic” security contracts don’t make it clear who’s responsible for keeping an eye on them, the inspector general said.
The Nuclear Regulatory Commission’s (NRC) cyber security center isn’t “optimized to protect the agency’s network in the current cyber threat environment,” the NRC’s inspector general’s office said. The NRC’s classified systems are separate and were not part of the inspector general’s report.
The finding comes at a time when the number of reported “computer security incidents” at the NRC is rising at almost twice the rate of the federal government as a whole, it said.
The “incidents” aren’t detailed, but the inspector general said they include unauthorized access to unclassified NRC systems, injection of malicious code, “social engineering” attacks to obtain passwords and personal information and unauthorized scans and other access attempts.
Agency officials are in “general agreement” with the findings and recommendations, the inspector general said; they are the results of an investigation conducted from July to November.
The outlines of the vulnerability are no secret. Two years ago, the Senate Homeland Security Committee criticized the NRC’s cyber security infrastructure, saying the agency has regularly experienced “unauthorized disclosures of sensitive information.”
What the new report does is shine a light on why that’s happening.
The report doesn’t fault the staff of the Nuclear Security Operations Center (SOC). They’re meeting the requirements of their $252 million government contract, which expires in May 2017, it said.
The problems are in the contract itself, said the report, which found the terms require staff to do little more than manage a few antivirus, anti-malware and anti-spam systems. And even then, there’s no way to know for sure whether they’re doing a good job.
“There are no performance goals,” said the report, which means there’s little way to determine “whether agency needs are being met.”
The report also found:
• While the contracts say procedures should be updated “as necessary,” they never define “necessary,” and there’s no requirement to perform reviews to decide whether updates are needed.
• While someone should “gather and analyze statistical security information,” the contracts never say who that is, or when and how they’re supposed to do it.
• Monitoring of critical networks is behind the times, and when monitoring systems do detect something suspicious, investigators are hampered by a lack of clear guidelines on whom they’re supposed to tell.
“NRC staff with an interest in SOC activities unanimously wished for proactive analysis and research into anomalies logged by network monitoring tools,” the report said.
The inspector general recommended the NRC rip up the “generic” security contract and write a new one that spells out who does what, how and when, and who’s ultimately responsible.
“Robust SOC capabilities are particularly crucial given the sensitivity of the unclassified information processed on NRC’s network, and the increasing volume of attacks carried out against Federal Government computer systems,” it said.