Hackers Have a Field Day at the Department of Energy

power lines

USA Today reports on some remarkably grim statistics culled from federal records it obtained with a Freedom of Information Act:

Incident reports submitted by federal officials and contractors since late 2010 to the Energy Department’s Joint Cybersecurity Coordination Center shows a near-consistent barrage of attempts to breach the security of critical information systems that contain sensitive data about the nation’s power grid, nuclear weapons stockpile and energy labs.

The records, obtained by USA TODAY through the Freedom of Information Act, show DOE components reported a total of 1,131 cyberattacks over a 48-month period ending in October 2014. Of those attempted cyber intrusions, 159 were successful.

“The potential for an adversary to disrupt, shut down (power systems), or worse … is real here,” said Scott White, Professor of Homeland Security and Security Management and Director of the Computing Security and Technology program atDrexel University. “It’s absolutely real.”

Wow. Does anyone in the Administration think the public should have been told their massive Energy Department – which is primarily concerned with interfering with energy production, not creating it – was hit by hackers over a thousand times, and successfully penetrated on 159 occasions? We needed USA Today to choke the news out of them with a FOIA request?

Energy Department officials would not say whether any sensitive data related to the operation and security of the nation’s power grid or nuclear weapons stockpile was accessed or stolen in any of the attacks, or whether foreign governments are believed to have been involved.

“DOE does not comment on ongoing investigations or possible attributions of malicious activity,” Energy Department spokesman Andrew Gumbiner said in a statement.

Oh, that’s comforting as hell. Remember all those stories a few years back about how terrorists and foreign powers with cyber-espionage squads were interested in developing methods to knock out America’s electrical infrastructure? Looks like they got quite a bit of research done.

The Energy Department sounds like the usual circus of negligence and bureaucratic confusion we’ve come to take for granted in this Obama age of reduced expectations and billion-dollar faceplants:

After a cyber attack in 2013 resulted in unauthorized access to personally identifying information for more than 104,000 Energy Department employees and contractors, auditors noted “unclear lines of responsibility” and “lack of awareness by responsible officials.” In an audit report released in October of last year, the Inspector General found 41 Energy Department servers and 14 workstations “were configured with default or easily guessed passwords.”

Felicia Jones, spokeswoman for the Energy Department Office of Inspector General, said while there have been some improvements, “threats continue and the Department cannot let down its guard.”

Except your department did let down its guard, Ms. Jones, just as the Office of Personnel Management did. USA Today says 53 of those 159 hacker penetrations were “root compromises,” which means the attackers had “super user” administrative access.

Iowa State cyber-security professor Manimaran Govindarasu helpfully explains that super user access means “you can do anything on the computer, so that is definitely serious. Whether the computer was critical or just a simple office computer, we don’t know.”

Why don’t we know?

We had to crawl through weeks of slow-drip revelations about the OPM hack before we had any idea how serious it was, or just how completely former department head Katherine Archuleta and her team had dropped the ball. It took forever to reach the point that Archuleta stopped patting herself on the back for a job well done and departed her post, after unsuccessfully performing the “I take full responsibility” ritual that usually absolves Obama officials of consequences for their actions. Would this Administration please set aside its butt-covering concerns and start taking its duties seriously?

The USA Today article concludes by noting that “amid mounting concerns,” the House Committee on Science, Space, and Technology would hold meetings on Thursday to “examine vulnerabilities of the national electric grid and the severity of various threats.”

It looks like those concerns are still mounting.


Please let us know if you're having issues with commenting.