Tuesday, October 25, 2011

DOE doing Little to Demonstrate or Inspire Cyber Security Confidence in the Sector it Regulates

I don't want to sound harsh or ungenerous, but the timing of this audit report, paired with its sad contents, is not great.

Long story short: known vulnerabilities in DOE systems are up; successful attacks endured by DOE systems are up, and DOE spokespersons are trying to cover it up / play it down:
We are concerned that a casual reader of this report might not fully understand that the findings, while important, do not represent demonstrated risks.
This from the agency's associate administrator for management and budget, in a letter to the DOE Inspector General.

As I said in a recent post, I'm now beating the bushes in search of energy sector exemplar organizations and am starting to find some ... two large Investor Owned Utilities (IOUs) so far. Would like to find similarly forward leaning examples of other types, including muni's, co-ops and Federal. 

IMHO DOE should be the model Federal organization when it comes to implementing and managing cyber security policy and controls and leading by example. That it's apparently another basement dweller, according to multiple recent audit results, only invites more scrutiny and more attacks.

Would love to see an energetic turnaround expert / change agent get in there, work on the culture and get them far better results next time. Sure you would too.

Here's the article in Reuters.