June 7, 2019
Security over Industrial Control Systems at Select Department of Energy Locations
Successful cyber or physical attacks on industrial control systems can have significant impacts to operations and safety and result in costly recovery. The Federal Government has increased efforts to ensure agencies identify and protect these types of systems. The Department of Energy utilizes industrial control systems and/or high value assets to support its missions related to energy, scientific research, environmental cleanup, and national security. While prior reviews have identified physical and cybersecurity weaknesses on various types of information systems, the Department’s Office of Inspector General has conducted limited testing related to the industrial control systems that manage critical operations. Our annual evaluation report related to the Department’s implementation of the Federal Information Security Modernization Act of 2014 continues to identify weaknesses related to the Department’s business systems but does not typically include the review of industrial control systems. We initiated this audit to determine whether the Department implemented security controls over selected industrial control systems in accordance with established requirements.
We found that the Department had not always implemented security controls over selected industrial control systems in accordance with established requirements. The Department continues to make improvements related to its cybersecurity program; however, we noted that additional efforts were needed to ensure that security controls were implemented to protect industrial control systems. Specifically, we found that some locations reviewed had not always developed complete inventories of industrial control systems or had not appropriately categorized the impact of industrial control systems to external systems and the Department’s mission in accordance with Federal requirements. In addition, at some locations, we identified weaknesses related to documentation of security controls for industrial control systems, vulnerability management, and physical and/or logical access control.
Without improvements to the cybersecurity programs at the locations reviewed, information systems and data may be exposed to a higher than necessary level of risk of compromise, loss, modification, or non-availability. For example, inappropriate system categorization can result in less stringent application of cybersecurity requirements, leaving the information system and its data at a higher risk of negative operational impact, including potentially impairing mission accomplishment. Furthermore, the Department’s operations could be negatively affected without sufficient security measures, such as effective continuous monitoring processes, in place. As such, we have made five recommendations that, if fully implemented, could improve security controls over industrial control systems.
Topic: Management & Administration