Nuclear commission risks being hacked because of organizational issues: watchdog report

Computer networks used by the U.S. Nuclear Regulatory Commission pose a real possibility of being exploited by hackers as a result of inadequate organization among security personnel, a federal report found this week.

The NRC’s inspector general said in a 18-page assessment released on Tuesday that its Security Operations Center, or SOC, isn’t “optimized to protect the agency’s network in the current cyber threat environment.”

Weeks after new reports revealed that hackers had successfully compromised a hydroelectric dam in New York City in 2013, the government watchdog said the NRC’s unclassified computer networks risk being breached because the agency has failed to structure itself in a way that would ensure any unauthorized intrusions are handled appropriately.

NRC staffers told the inspector general that the SOC “does not meet agency needs” and singled out a lack of proactive analyses and timely, detailed reports that could otherwise provide the information necessary to keep its networks properly protected.

“There are no performance goals,” the watchdog found, meaning the NRC cannot possibly assess “whether agency needs are being met.”

More specifically, the report faulted “generic” contracts that have yielded “differing expectations” with respect to roles and responsibilities, as well as “inadequate definitions in agency policies and undifferentiated functional descriptions between different entities responsible for securing NRC’s network.”

“This occurs because although the contract performance criteria are aligned with National Institute of Standards and Technology and NRC internal guidance, the contract does not clearly define SOC performance goals and metrics that can be used to determine whether agency needs are being met,” the inspector general concluded following a five-month audit of the NRC’s headquarters in Rockville, Maryland.

To keep the NRC’s unclassified networks safe from hackers, the agency must ensure that organizational roles and responsibilities are more clearly defined, the watchdog said.

In the meantime, the inspector general acknowledged in a footnote that the nuclear sector has not been spared from cyberattacks: While federal data has suggested a 9.7 percent surge between 2013 and 2014 with regards to computer security incidents across the board, the NRC experienced an 18 percent increase in hack attacks during that same span, including instances in which hackers had attempted to gain unauthorized access through malicious code injections, social engineering, policy violations or other attempts.

“A dynamic cyber threat environment demands a high-performing SOC,” the inspector general wrote. “The sophistication and frequency of malicious activity targeting NRC has increased. These forces, combined with the need for NRC users to stay connected with stakeholders and partners through the Internet, make effective information security a critical capability.”