Going Nuclear: Watchdog Identifies Major Cyber Risks
Nuclear weapons pose the most catastrophic physical risk to the world if they are deployed. And the systems responsible for maintaining them do not have adequate cybersecurity measures in place to protect them.
This was the conclusion from a recent U.S. Government Accountability Office (GAO) audit, which found that while the National Nuclear Security Administration (NNSA) relies on advanced computers and integrated digital systems for weapons and manufacturing equipment, it has not fully implemented six key practices for a cybersecurity management program.
“For example, both NNSA and its contractors had not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements,” the GAO wrote. “Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats.”
Setting Up the Analysis
The NNSA is part of the U.S. Department of Energy, and it is responsible for safeguarding national security through the military application of nuclear science. The administration was created in 2000 to maintain and enhance the safety, security, and effectiveness of the U.S. nuclear weapons stockpile. It’s also tasked with reducing the global danger from weapons of mass destruction, providing the U.S. Navy with safe—and effective—nuclear propulsion, and responding to nuclear and radiological emergencies in the United States and around the world.
To carry out its mission, NNSA is increasingly integrating information systems into nuclear weapons, manufacturing equipment, and the computer modeling to design weapons. It also relies on management and operating contractors at eight of its laboratory and production sites, who in turn also use subcontractors that work for the administration.
As part of the NNSA’s modernization effort, the administration “plans to increasingly integrate digital systems into nuclear weapons, automate manufacturing processes and equipment, and rely on advanced computer processing capabilities to assess weapons and predict performance,” according to the GAO. “Digital systems such as these can be hacked, corrupted, or subverted by malicious actors. They also can be subject to equipment failures, software coding errors, or the accidental actions of employees.”
One such cyber intrusion has already occurred. In May 2021, a ransomware attack on an NNSA subcontractor “led to the disclosure and public posting of invoices for NNSA contracts and descriptions of research and development projects managed by defense and energy contractors,” the GAO wrote.
U.S. federal law requires NNSA to create a program to manage cybersecurity risk, which includes implementing six foundational practices:
- Practice 1: Identify and assign cybersecurity roles and responsibilities for risk management.
- Practice 2: Establish and maintain a cybersecurity risk management strategy for the organization.
- Practice 3: Document and maintain policies and plans for the cybersecurity program.
- Practice 4: Assess and update organization-wide cybersecurity risks.
- Practice 5: Designate controls that are available for information systems or programs to inherit.
- Practice 6: Develop and maintain a strategy to monitor risks continuously across the organization.
As part of their oversight efforts, U.S. lawmakers included a provision in the National Defense Authorization Act for Fiscal Year 2020 to task the GAO with reviewing NNSA’s cybersecurity practices and policies to ensure the administration was protected against cyber threats.
What the GAO Found
The GAO began its review in March 2020 and released its findings in September 2022, detailing that NNSA had not fully implemented four of the six foundational practices and had only partially implemented two of them. The GAO also found that NNSA contractors had not fully implemented three of the six practices, while only fully implementing the three others.
“For example, both NNSA and its contractors had not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements,” according to the GAO. “Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats.”
The GAO also assessed the NNSA’s operational technology (OT) environment—including manufacturing equipment and building control systems—and found that the administration had not “fully implemented any foundational risk management practices” in that environment or guidance for its contractors.
One reason for this is that NNSA manages its OT cybersecurity under a risk management program and policies that were developed for traditional IT—which is at odds with recommendations from the National Institute of Standards and Technology (NIST).
“For example, according to NIST guidance, OT systems are often managed by control engineers rather than IT personnel, and they may lack features that traditional IT systems have such as encryption, error logging, and password protection,” the GAO explained. “Consequently, OT systems may require different approaches when selecting and implementing cybersecurity safeguards or compensating controls for their unique circumstances, such as network segmentation.”
While NNSA has taken some steps to address this discrepancy, officials said they did not have an “overall plan or roadmap to guide its future actions” to address OT cybersecurity.
Additionally, the GAO found that the NNSA had not created a cyber risk management strategy to address IT-specific threats to nuclear weapons.
Along with the findings on NNSA itself, the GAO also assessed that requirements for the administration’s contractors to monitor subcontractors’ cybersecurity were carried out inconsistently because some contractors did not think they were required to meet this mandate.
“In addition, NNSA does not emphasize the importance of [contractor] oversight of subcontractors’ cybersecurity through its annual contractor performance assessment process,” the GAO found.
What GAO Recommended
To address the identified shortcomings, the GAO made nine recommendations for the NNSA to implement immediately.
These recommendations included directing NNSA and site contractors to develop and maintain cybersecurity continuous monitoring strategies that address all elements of NIST guidance, identifying and assigning all risk management roles and responsibilities called for in NIST guidance, and directing site contractors to maintain a site-wide cybersecurity risk management strategy that addresses all NIST guidance and is reviewed at least annually.
Additionally, GAO suggested implementing foundational practices for the OT environment and establishing a cybersecurity risk management strategy for nuclear weapons IT.
The NNSA agreed with GAO’s findings and provided the auditor with an outline of specific actions it intended to take to address each recommendation, wrote Jill Hruby, undersecretary for nuclear security and administrator for the NNSA. These actions, however, will not be completed until 2023.
Megan Gates is editor-in-chief of Security Technology. Connect with her at [email protected]. Follow her on Twitter: @mgngates.