Cyber weaknesses continue to nag the Department of Energy — as does the agency's failure to fix them, its inspector general has found.
Twenty-nine new issues are revealed in the Oct. 29 report, which also recounted 10 unfixed ones from a 2012 report. The problems found existed in 11 of 26 reviewed Energy Department facilities.
Poor management at eight facilities allowed the wrong people to be granted physical access to sensitive areas, according to the IG. A failure to produce cyber security improvements will leave the systems at a "higher than necessary risk of compromise," according to the report.
Vulnerable operating systems and unsecured desktop computers were found at five locations, which contributed directly to the July 2013 "compromise and exfiltration of personally identifiable information on over 100,000 individuals from one of the department's systems." The breach allowed the attackers to get into a system at the department's headquarters and take personally identifiable information of current and former employees, employee dependents and contractors. The IG notes a criminal investigation is currently underway, and a report will soon follow its conclusion.
A failure to administer security training for employees was also discovered in three facilities. In addition, there was a failure to report cyber security incidents, maintain a system inventory of the incidents and regularly review the detailed logs.
The cyber weaknesses are attributed to the department's failure to make sure policies are "fully developed and implemented" to meet cyber security requirements.
Finally, the IG said Energy Department officials failed to track 63 of the weaknesses identified last year.
After receiving the report, the Department of Energy agreed with its findings and said it has committed to correcting the weaknesses found.