Sensitive non-classified data on the US nuclear agency’s network is vulnerable because contracts do not make it clear who is responsible for cyber security, a federal watchdog has warned.
Although the security operations centre (Soc) of the Nuclear Regulatory Commission (NRC) meets operational security requirements, auditors found that Soc capabilities could be improved through better definition of contractual requirements.
The NRC’s Soc is responsible for securing the agency’s network infrastructure and monitoring the network for suspicious activity.
The audit report by the NRC’s inspector general’s office, which did not cover classified systems, said Soc co-ordination with other NRC stakeholders could benefit from a clearer definition of organisational roles and responsibilities.
A key objective of the audit was to assess the effectiveness of Soc co-ordination with other organisations that have a role in securing the NRC’s network.
The report notes that the Soc is mainly staffed by contractors working under the Information Technology Infrastructure Support Services (ITISS) contract.
“Robust Soc capabilities are particularly crucial given the sensitivity of the unclassified information processed on NRC’s network, and the increasing volume of attacks carried out against federal government computer systems,” the audit report said.
The audit found there were several areas in which the Soc does not meet NRC needs, including proactive analysis and timely, detailed reports.
This occurs, the report said, because the contract does not clearly define Soc performance goals and metrics that can be used to determine whether agency needs are being met.
The audit found that Soc staff and NRC stakeholders expressed differing expectations of Soc roles and responsibilities.
The report said this occurs because agency policies lack adequate definitions and because the functional descriptions of the different entities responsible for securing the NRC’s network do not distinguish between them.
The report found that contracts do not require reviews to decide whether updates to procedures are needed, that contracts do not detail who is responsible for gathering and analysing security information, and that monitoring procedures are poorly defined.
The audit report recommends revising the IT service contract requirements to include Soc-specific performance objectives and to define Soc functional requirements, and revising agency policy to define Soc functions and the Soc’s support obligations to NRC stakeholders.
In October 2015, a report by international affairs think-tank Chatham House found that most nuclear power plants around the world are not well prepared for cyber attacks.
Many of the control systems used for nuclear plants, including those in the UK, are not well protected and are “insecure by design” said the report, which was based on an 18-month study of cyber defences in nuclear power plants around the world.
Responding to the Chatham House report, Alan Woodward, a cyber security expert, Europol consultant and visiting professor at Surrey University, said the cyber threat to nuclear facilities is indicative of the threat to most critical infrastructure.
“In the case of nuclear power plants, the potential for damage to others, not just the installation, is what makes this particular threat of huge concern,” he said. “However, I fear other installations may be just as vulnerable, and could cause as big a risk.”