A watchdog report has detailed several cybersecurity weak points afflicting the National Nuclear Security Administration (NNSA), including a lack of consistently enforced risk management practices in the agency’s operational technology (OT) environment and lax oversight of subcontractor cybersecurity policies.
The NNSA, a semi-autonomous agency within the Department of Energy, is in charge of the safety and security of the U.S. nuclear weapons stockpile. Cybersecurity has previously been an issue for the NNSA; the agency was targeted in 2005, for instance, by hackers who exfiltrated a file containing the names and Social Security numbers of 1,502 NNSA employees. Since then, IT systems have become further integrated into the agency’s equipment for designing nuclear weapons and automating manufacturing processes, making cybersecurity an even more significant priority for the NNSA.
After a Senate committee report in 2020 charged the Government Accountability Office (GAO) with reviewing the agency’s cybersecurity policies, the GAO found that the NNSA’s “foundational risk management practices” are not complete or consistent, particularly across its OT and contractor environments. These practices include the identification of risk management roles and responsibilities, the establishment of an organization-wide risk management strategy, the continual assessment of security risks, the designation of controls available for information systems and the development of a strategy for continually monitoring risks across the entity.
“The OT environment is vast and highly complex, encompassing hundreds of thousands of systems potentially at risk,” according to the GAO report released on Friday. “However, NNSA’s [Operational Technology Assurance] initiative is still in its inception phase after 3 years and is proceeding at a pace out of sync with the potential scope and severity of the cybersecurity risk present in this environment.”
Operational Technology Security 'Weaknesses'
While the NNSA has fully implemented most of these foundational risk management practices in the traditional IT environment, the GAO raised concerns that the agency has lagged behind in implementing those same practices for its OT devices. The agency has not identified the resources necessary to achieve full implementation, and it is managing its OT security with a risk management program developed for traditional IT, according to GAO. OT devices are drastically different from IT devices, and that affects both how they are secured and the degree to which they can be. For instance, OT devices need to be managed by control engineers, as opposed to IT teams, and may lack features such as error logging or password protection that are standard in IT systems.
“Consequently, OT systems may require different approaches when selecting and implementing cybersecurity safeguards or compensating controls for their unique circumstances, such as network segmentation,” according to GAO. “NNSA officials acknowledged that there are weaknesses in managing OT under a cybersecurity program developed to address traditional IT risks.”
In 2018, the NNSA launched an initiative called Operational Technology Assurance (OTA) in order to better implement these types of policies in the OT environment. As part of that initiative, the agency has taken some steps toward securing OT devices, such as attempting to identify the highest-priority mission-impact OT function at each NNSA site. However, the OTA program's rollout has taken years, the GAO said.
“Notwithstanding these efforts, NNSA officials told us that they did not have an overall plan or roadmap to guide its future actions on OT cybersecurity—including efforts to provide guidance and expectations to contractors operating the sites—and to ensure that those actions will be consistent with the foundational risk management practices,” according to GAO.
Lax Contractor Cybersecurity Oversight
The GAO report also found gaping holes in how cybersecurity measures are enforced and assessed for the contractors that manage and operate the NNSA’s nuclear security enterprise sites.
NNSA, which has over 50,000 federal and contract employees at labs, plants, and sites nationwide, requires contractors to document how their subcontractors are complying with security standards through its Baseline Cybersecurity Program, which is incorporated into NNSA contracts. However, contractors’ efforts to provide this type of oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility, according to GAO.
“Representatives from each of the M&O [management and operating] contractors told us that they complied with the requirement by including cybersecurity provisions in their subcontracts,” according to the GAO report. “However, through interviews and written responses from representatives of each of the seven M&O contractors, we found that once a subcontract was awarded, M&O contractors’ monitoring of such measures was inconsistent among the sites.”
Another challenge inherent in the Baseline Cybersecurity Program is that the onus for cybersecurity oversight falls on the contractors, and no further supervision from the NNSA exists. The GAO said that while an NNSA official had proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, there was no evidence that the NNSA had applied this measure.
“In light of the increasing threat to systems with federal information, NNSA needs to have greater assurance that contractors and subcontractors are implementing a standardized cybersecurity framework,” according to the GAO report. “These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”
The GAO made sweeping recommendations for the NNSA to improve its cybersecurity measures, including advocating that site contractors develop and maintain cybersecurity continuous monitoring strategies and a risk management strategy that incorporates NIST guidance and is reviewed annually. Contractors also need clearer communication that they are required to monitor subcontractor security measures, and a better process should be in place for evaluating contractor oversight of these subcontractor security measures as part of the annual performance evaluation process, according to the GAO.
Additionally, the GAO recommended that the Office of Information Management identify the resources needed to implement foundational practices for the OT environment, including the development of an OT “business case” to be made across the NNSA planning, programming, budgeting and evaluation processes. According to GAO, NNSA agreed with the recommendations and has started to develop planned actions to address them.
“The Department of Energy’s National Nuclear Security Administration recognizes the importance of cybersecurity, including nuclear weapon cybersecurity and for the associated equipment used for production and testing,” according to Jill Hruby, NNSA administrator, in a September statement provided to the GAO. “As noted in the report, DOE/NNSA has taken positive steps to address the ever-growing digital threat to our programs.”