Records produced by the U.S. Department of Energy (“DOE”) to USA TODAY under a Freedom of Information Act request revealed over 150 successful cyber intrusions into DOE computer systems between 2010 and 2014. Concerns about the protection of sensitive data and systems related to the nation’s energy facilities and research comes amidst recent DOE activities to encourage broader adoption of cybersecurity frameworks in the energy sector.
The DOE records obtained by USA TODAY reflect over 1,130 cyber-attacks over a 48-month period, with 159 successful intrusions. The DOE has not indicated what, if any, data was stolen during the attacks, but USA TODAYreports that the onslaught of attacks was directed at information systems with sensitive data about the nation's power grid, nuclear weapons stockpile and energy research labs.
News of these intrusions follows on the heels of a notorious July 2013 attack on the DOE that resulted in the exfiltration of personally identifiable information (“PII”) of over 104,000 individuals, including Social Security numbers, bank account data, dates and places of birth, user names, and answers to security questions. In addition, a July 31, 2015 report released by the White House in regard to its 30-day Cybersecurity Sprint (launched in the wake of the Office of Personnel Management hacks), ranked the DOE at the very bottom of 24 federal agencies with respect to identity, credential, and access management.
The DOE has been actively encouraging the energy industry to improve cybersecurity risk management programs. In February 2014, the DOE release a Cybersecurity Capability Maturity Model (C2M2) to enhance the cybersecurity capabilities of the energy sector. On January 8, 2015, the DOE released Energy Sector Cybersecurity Framework Implementation Guidance, developed with industry participants as an energy sector implementation of the NIST Cybersecurity Framework that also incorporates the DOE’s prior C2M2 guidance.
The risks posed by cyber-attacks against the energy sector, and specifically against the DOE, may prompt the Administration and Congress to take a closer look at the sectors’ cybersecurity posture and current measures in place to manage cybersecurity risks.