A review of federal records has revealed that the U.S. Department of Energy’s (DOE) computer systems were successfully hacked, risking the security of sensitive energy data and research.

This is cause for concern considering the potential for damage if that information is in the wrong hands. But it is even more troubling that the report, published Sept. 11 by USA TODAY, showed the Energy Department was successfully hacked not once, twice or three times, but 159 times between 2010 and 2014.

The article, the result of a Freedom of Information Act request, showed there were even more intrusion attempts. The cyberattack tally for the same timeframe was 1,131.

At 90, most of the 159 successful cyber intrusions targeted the department’s Office of Science, which directs scientific research and heads 10 federal energy laboratories.

The newspaper said the Energy Department would not say whether federal governments may have been involved in the cyberattacks and whether any sensitive data, specifically concerning the nuclear weapons stockpile or the U.S. power grid, were stolen or accessed.

But “The potential for an adversary to disrupt, shut down [power systems], or worse … is real here,” Scott White, professor of homeland security and security management and director of the computing security and technology program at Drexel University, said in the article. “It’s absolutely real.”

The report did not reveal the attack methods used. That information was redacted from the records released to the newspaper.

Andrew Gumbiner, spokesman for the Energy Department, told USA Today that it “seeks to identify indicators of compromise and other cybersecurity relevant information, which it then shares broadly amongst all DOE labs, plants, and sites as well as within the entire federal government.”

A federal oversight report, released in December 2013 after a July 2013 cybersecurity breach, shows the Energy Department is aware of its vulnerabilities and the need to do something about it. The federal report highlighted a number of areas that needed to be addressed. Among the technical and management issues cited, as stated in the federal report, were:

  • Frequent use of complete Social Security numbers as identifiers;
  • Permitting direct internet access to a sensitive system without adequate security controls;
  • Lack of assurance that required security planning and testing activities were conducted;
  • Permitting systems to operate knowing they had high-risk security vulnerabilities; and
  • Failing to assign the appropriate level of urgency to replacing end-of-life systems.

“Unclear lines of responsibility between and within program and staff offices” was also tagged as a contributing factor when it came to who was responsible for detecting and correcting cybersecurity issues.

The report came with a list of recommendations to improve security.

“The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data—information that could be used to damage the financial and personal interests of many individuals,” Inspector General Gregory H. Friedman said in the report. “As noted, in many past Office of Inspector General Evaluation Reports completed pursuant to the Federal Information Security Management Act of 2002, weaknesses identical to those exploited in this case hold the potential for significant harm to the Department.”

The Energy Department’s fiscal year 2016 budget request includes $52 million for R&D to strengthen energy infrastructure against cyber threats. The funding, the Energy Department said, “establishes a virtual collaborative environment for conducting real-time advanced digital forensics analysis, which can be used to analyze untested and untrusted code, programs and websites without allowing the software to harm the host device.”

Cybersecurity is also among the six initiatives for which more than $1.2 billion was requested.

The U.S. government’s fiscal year 2016 budget highlighted the issue and noted the budget included funding for cybersecurity. Hopefully, those funds won’t get tied up. The U.S. House of Representatives passed the Energy and Water Development Appropriations Bill in May.

USA Today said the oversight and energy subcommittees of the House Committee on Science, Space and Technology will have a joint hearing Sept. 17 on this consistently, growing threat. Let’s hope the legislators don’t let politics get in the way of national security.

Velda Addison can be reached at vaddison@hartenergy.com.