The U.S. agency in charge of the safety and security of the U.S. nuclear weapons reserve is still in the early stages of implementing various cybersecurity measures that help assess and manage risk across its operational technology (OT) and nuclear weapons IT environments, according to a new watchdog report.
The latest findings about the National Nuclear Security Administration (NNSA), the semi-autonomous agency within the Department of Energy that is charged with maintaining and modernizing the nation’s nuclear weapons stockpile, are part of an audit that was conducted between October 2022 and June 2023, and released Monday by the Government Accountability Office (GAO).
The GAO previously criticized the NNSA for lacking consistent “foundational risk management practices” across its OT and contractor environments in a September 2022 report. Since then, the GAO said the agency has taken steps forward in planning out security measures that address these issues, including programs to create an inventory for its OT systems and a security risk management framework for its nuclear weapons IT environment. However, these efforts have not yet been fully implemented, according to the GAO.
“We made nine recommendations to NNSA to improve cybersecurity risk management, all of which NNSA agreed with,” according to the GAO’s Monday report. “As of May 2023, NNSA had identified actions to address our recommendations but had not fully implemented any of them.”
The NNSA oversees sites across the nuclear security enterprise that include hundreds of thousands of OT systems, which include manufacturing equipment and industrial control systems with embedded IT. In its previous 2022 report, the GAO said that while NNSA has fully implemented most of its pillar risk management practices in the traditional IT environment, the agency was lagging behind in implementing those same practices for its OT devices.
The agency is currently creating an inventory of its systems so that it can better assess and mitigate security risks. However, while the NNSA has carried out some “precursor” steps to this system inventory, such as developing a guidebook for identifying the actions that reduce risk and creating OT courses for training staff, its efforts to create an end-to-end inventory for OT systems have so far “been limited in scope,” said the GAO.
“Digital systems are increasingly being integrated into nuclear weapons and into activities and operations across the NNSA’s nuclear security enterprise."
The agency is currently surveying senior management at each site in order to identify the most critical OT systems, and selecting OT system components from each site for conducting risk assessments. However, as of May, the GAO found that only one site in Nevada had completed the full system-of-systems breakdown of its most critical OT capability, assessed the risks to each system and identified risk mitigations.
The agency’s efforts to address security concerns across its nuclear weapons IT environment are also in their inceptive stages. One roadblock here is that official guidance doesn’t exist for defining the components included in nuclear weapons IT. As such, NNSA officials aren’t able to estimate the number of systems across the nuclear weapons IT environments.
“In the context of the nuclear security enterprise, NNSA generally characterizes IT contained within a warhead or bomb, including model versions of a warhead or bomb, as nuclear weapons IT,” according to the GAO's report. “An example of a nuclear weapons IT system is the weapon control unit inside the B61-12 gravity bomb.”
The scope of nuclear IT systems that are potentially at risk is smaller than that in the OT environment, and the level of risk varies, since many of these nuclear weapons were developed decades ago and don’t include IT. However, weapons that are more modern, which are slated to enter the nuclear stockpile after 2030, may include more IT, according to the NNSA.
“For these weapons, NNSA officials said that each program is still considering approaches to managing cybersecurity risks as part of the weapon design and development process,” according to the GAO.
The agency is also currently developing a security risk management framework for its nuclear weapons IT environment and plans to finalize these requirements by the end of fiscal year 2024. Though the agency has made progress in pinpointing the measures needed to better secure its different IT and OT systems, the full implementation of these steps is critical as threat actors increasingly scope out OT environments.
“Digital systems are increasingly being integrated into nuclear weapons and into activities and operations across the NNSA’s nuclear security enterprise,” according to the GAO. “There is potential for these digital systems to be hacked, corrupted, or subverted by malicious actors, and NNSA has stated that securing its digital assets is an agency priority.”