
Audit finds network vulnerabilities at NRC

An independent audit focused on the Nuclear Regulatory Commission found that one of its main offices may have network vulnerabilities and recommends more-frequent updates of the commission's cybersecurity policies and procedures.

The NRC is split into four regional offices across the country; Region IV's office is located in Arlington, Texas. Overall the audit, conducted in July 2017 by Richard S. Carson & Associates on behalf of NRC's Office of the Inspector General, found that Region IV's IT security program was "generally effective," but did find lapses in a handful of areas that have left the network vulnerable to cyber intruders.

One of the problems discovered was that the office has been lax in updating its IT security policy guidelines. The NRC is required to periodically update its 110 policy guides, annually for some and every three years for others. The audit found four policy guides around IT and security that had gone more than three years without review or update, and another three that had gone more than a year, including the region's main IT security guideline. Auditors also found that the region's procedures for backing up critical systems and data were out of step with NIST guidelines.

"Outdated procedures can result in important steps or processes being missed. In addition, outdated procedures make it more difficult when training new personnel to handle a specific activity," the auditors wrote.

Perhaps most concerning, auditors ran a network vulnerability scan and found holes both in Region IV IT components and within the larger NRC infrastructure. The scan found both moderate areas of concern and high-risk critical problems, but the audit does not go into detail about the vulnerabilities or what information may have been unprotected. The NRC handles both classified and unclassified information regarding the physical protection and safeguarding of nuclear materials and facilities.

The commission may have reason to worry. In June 2017, the Department of Homeland Security and FBI sent out an alert to power providers that there were ongoing cyber intrusions at a number of nuclear facilities dating back to May, with hackers using phishing attacks in an attempt to gain the credentials of senior control engineers. A 2016 audit also found that cyber attacks on the commission have been steadily rising in recent years, outpacing many other departments and agencies.

The NRC agreed with the findings and opted not to submit formal comment to auditors.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
