GAO detects IT-OT cybersecurity loopholes at NNSA, seeks full implementation of foundational cybersecurity risk practices

The U.S. Government Accountability Office (GAO) said it found that the National Nuclear Security Administration (NNSA) and its contractors have not fully implemented all six foundational cybersecurity risk management practices in NNSA's traditional IT environment. Nor has the NNSA fully implemented these practices in its operational technology (OT) and nuclear weapons IT (NW-IT) environments.

NNSA’s cybersecurity directive requires contractors to oversee their subcontractors’ cybersecurity measures, but contractors’ efforts to provide such oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility, GAO said in its report. “An NNSA official proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, but NNSA could not provide evidence that it had done so. These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected,” it adds.

The Senate committee report accompanying the National Defense Authorization Act for Fiscal Year 2020 included a provision for GAO to review NNSA’s cybersecurity practices and policies, and GAO was separately asked to perform similar work. GAO reviewed NNSA and contractor documents, compared NNSA’s efforts with federal and agency requirements for risk management practices, and interviewed NNSA officials and contractor representatives.

GAO’s report examines the extent to which NNSA and its seven site contractors have implemented foundational cybersecurity risk management practices, and the extent to which those contractors oversee subcontractor cybersecurity.

The U.S. watchdog is making nine recommendations to NNSA, including that it fully implement an IT continuous monitoring strategy; determine needed resources for operational technology efforts; create a nuclear weapons risk strategy; and enhance monitoring of subcontractor cybersecurity. NNSA agreed with GAO’s recommendations.

Federal agencies, such as NNSA, and private sector companies are increasingly dependent on IT and OT systems to execute mission and business objectives, the GAO report said. “Virtually all federal operations are supported by computer systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions without these information assets. In addition, many of these systems contain vast amounts of sensitive or classified data, making it imperative to protect them.”

In recent years, increasingly sophisticated cyber incidents at federal agencies and in the private sector have demonstrated the damage that advanced threats can cause and reinforced the importance of effectively protecting systems that process federal information and data, GAO said. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said that the potential exploitation stemming from such cybersecurity incidents poses an unacceptable risk to federal civilian executive branch agencies because of the likelihood of vulnerabilities being exploited and the prevalence of affected software.

The GAO report said that the NNSA and its management and operating (M&O) contractors have fully implemented most of the foundational cybersecurity risk management practices in the traditional IT environment, but NNSA has implemented fewer of these same practices in the OT and NW-IT environments. “In the traditional IT environment, NNSA has fully implemented four of six foundational risk management practices—such as identifying and assigning cybersecurity risk management roles and responsibilities—while the M&O contractors have fully implemented three of six foundational risk management practices, including documenting and maintaining cybersecurity program policies and plans,” it adds. 

GAO said that in the OT environment, NNSA has not fully implemented any of the foundational risk management practices, in part because it has not identified the resources necessary to achieve full implementation. “Finally, in the NW-IT environment, NNSA has implemented one foundational risk management practice to address NW-IT cybersecurity and is making progress toward implementing most additional practices,” it adds.

The GAO report also points out that M&O contractors are required, under provisions of their contracts that incorporate DOE and NNSA cybersecurity requirements, to monitor subcontractor cybersecurity measures. “However, we found that M&O contractors do not consistently monitor subcontractor cybersecurity measures because some do not believe they are required to do so. In addition, NNSA does not emphasize the importance of M&O oversight of subcontractors’ cybersecurity through its annual contractor performance assessment process.” 

Additionally, NNSA officials have plans that could enhance contractor and subcontractor cybersecurity requirements by implementing a standardized cybersecurity framework for unclassified systems, but implementation of this framework is likely to be significantly delayed. 

The NNSA has made limited progress—after several years of effort—to implement foundational risk management practices that address OT cybersecurity at the organizational level in part because NNSA has not identified the resources necessary to achieve full implementation, GAO said. As a result, the agency has not yet fully implemented any of the foundational risk management practices in the OT environment. 

“NNSA is currently managing OT cybersecurity under the risk management program and policies that the agency developed for traditional IT, a practice that is at odds with NIST guidance and DOE requirements,” the GAO report said. “NIST guidance recommends and DOE Order 205.1C requires NNSA to implement foundational risk management practices that are specifically tailored to address OT cybersecurity as part of a comprehensive cybersecurity risk management program,” it adds.

According to NIST, OT systems often require different approaches when selecting and managing risk, the GAO report said. “For example, according to NIST guidance, OT systems are often managed by control engineers rather than IT personnel, and they may lack features that traditional IT systems have such as encryption, error logging, and password protection. Consequently, OT systems may require different approaches when selecting and implementing cybersecurity safeguards or compensating controls for their unique circumstances, such as network segmentation,” it adds. 

NNSA officials acknowledged that there are weaknesses in managing OT under a cybersecurity program developed to address traditional IT risks, GAO said. “NNSA officials told us that they began an initiative in the fall of 2018—now titled Operational Technology Assurance (OTA)—to implement the foundational risk management practices to address risks in the OT environment at NNSA and its sites. Since 2018, NNSA and its M&O contractors have taken some actions as a precursor to or as part of the OTA initiative,” it adds. 

NNSA officials said that they had surveyed senior management within NNSA and at each of NNSA’s sites to identify the highest-priority mission-impacting OT functions at each site and to implement measures to address them. In addition, NNSA officials told GAO that they had undertaken efforts to capture OT best practices within and outside NNSA’s nuclear security enterprise, established partnerships with the broader OT community, and developed and held two courses to train site staff on OT considerations and potential risks.

The GAO report said that the NNSA’s implementation is not complete or consistent in many foundational risk management practices. Until NNSA fully implements foundational cybersecurity risk management practices in its traditional IT environment, management and M&O contractors have a limited ability to establish clear and up-to-date cybersecurity expectations and respond to emerging cyber threats across the organization, it added. 

The OT environment is vast and highly complex, encompassing hundreds of thousands of systems potentially at risk. However, NNSA’s OTA initiative is still in its inception phase after three years and is proceeding at a pace out of sync with the potential scope and severity of the cybersecurity risk present in this environment. By creating a business case for the OTA activity that it can feed into NNSA’s existing budgeting process, the agency would be better positioned to marshal the attention and resources necessary to develop an OT cybersecurity risk management framework that aligns with foundational risk management practices, which is important to national security interests.

The report said that the NNSA faces a complex task in implementing the foundational risk management practices in the NW-IT environment. While NNSA has undertaken some activities to implement foundational cybersecurity practices, the current policies fall short of a comprehensive risk management strategy for the NW-IT environment. Without such a strategy, NNSA may lack an organization-wide understanding of acceptable risk levels and appropriate risk response strategies to assess and plan for cyber threats to its NW-IT systems and data. 

NNSA has an urgent need to ensure M&O contractor oversight of subcontractor cybersecurity. However, NNSA has yet to clarify to contractors that they are required to monitor subcontractor cybersecurity measures, include an evaluation of that oversight in its annual contractor performance assessment process, or implement third-party validation of subcontractor cybersecurity measures, GAO reported. By doing so, NNSA could close gaps in M&O contractor monitoring of subcontractors and in NNSA’s limited information about such oversight. Furthermore, NNSA would have greater assurance that information handled by contractors and subcontractors is consistently and effectively protected, it added.
