Energy ramps up its cybersecurity
Energy ramps up its cybersecurity<@VM>Major programs
- By Patricia Daukantas
- Oct 31, 2001
'Some people have a tendency to destroy the evidence that's needed to do any investigation into their particular problem,' so forensics training is needed, Przysucha said.
Energy's office of cybersecurity develops computer and telecommunications security policies for the entire department, from its headquarters in Washington to the diverse field offices and national laboratories.
Public-key infrastructure and IT security training are two top priorities for the Energy Department as it recovers from the security lapses that sparked widespread criticism in 1999 and 2000.
John L. Przysucha, Energy's associate CIO for cybersecurity, said his office is setting up an online knowledge center where managers can discuss drafts of computer security policies.
Przysucha, a 12-year veteran at Energy and its former year 2000 program manager, said the office develops computer and telecommunications security policies for the entire department, from headquarters to the diverse field offices and national laboratories.
Two years ago, as a result of numerous security missteps at Energy's Los Alamos National Laboratory, Przysucha's office took over security policymaking for the department's classified and unclassified computers.
The cybersecurity office also funds the Computer Incident Advisory Capability group at Lawrence Livermore National Laboratory, which Przysucha called DOE's answer to a computer emergency response team.PKI in 2002
Przysucha's staff is starting its fiscal 2002 initiatives at fiscal 2001 funding levels. Since Oct. 1, the federal government had been running on a continuing resolution in the wake of the Sept. 11 terrorist attacks.
The department has already purchased 20,000 digital certificates from Entrust Technologies Inc. of Plano, Texas, Przysucha said.
During fiscal 2002, Energy will launch one or two systems'human resources and possibly procurement'that will use PKI to authenticate transactions.
Energy officials envision a pay and personnel system that lets workers view their annual leave statements and carry out certain transactions, Przysucha said.
'My training program far exceeded my expectations as far as the number of people that we were able to train in one fiscal year,' he said.
Przysucha's office has trained 2,000 workers in fiscal 2000 and 4,200 in fiscal 2001 through the SANS Institute of Bethesda, Md., and Energy-developed courses.
The in-house courses cover such topics as communications security, PKI and management of classified systems, Przysucha said. The department also has funded 24 security conferences.
Przysucha said his staff recently developed a cybersecurity forensics curriculum that will probably be offered to the department next year.Culture clashes
One goal of the forensics course will be to teach Energy employees what not to do in the event of a cyberattack. 'Some people have a tendency to destroy the evidence that's needed to do any investigation into their particular problem,' Przysucha said.
For example, a systems administrator might reload all the software onto a server and end up overwriting evidence of the attack, he said.
The cybersecurity knowledge center is being used on a limited basis right now, Przysucha said. It's designed to provide security policymakers with an online place to discuss issues.
The diversity of the Energy Department'it has a large scientific community, a major role in U.S. weapons research and environmental cleanup responsibilities'sometimes leads to culture clashes over security, Przysucha said.
'We've taken a very risk-based approach to our policy,' Przysucha said. 'Our risk is viewed differently at each site.
'If you're a weapons lab, certainly the risks are different than if you're [doing] open science. So our policy calls for a graded approach, not one-size-fits-all. It's very hard to balance that writing of policy, but that's the challenge that we have in this office.'
Energy will have some involvement with the new Homeland Security Office, Przysucha said, though he declined to provide further details.
He praised the recent designation of Richard A. Clarke as special adviser to the president for cyberspace security.Wireless IT Program. Energy uses land-based mobile radio networks for most of its mobile communications. Conventional single-channel systems are deployed in sparsely populated areas and typically use the VHF band. Trunked system architectures are deployed in most areas with a large number of Energy workers and typically use the UHF band.
Information Architecture Program. The program was Energy's latest step in the development of a systems architecture process for making IT investment decisions. The project's purposes were to identify the department's business functions and the cross-cutting information needed to carry them out; to define the applications and technology needed to store and manage the information; and to recommend a specific plan for moving forward.
Computer Accommodation Program. Energy provides accessibility services to employees with disabilities in compliance with Section 508. Since the program began in 1993, the number of employees with disabilities has increased dramatically, and the diversity of disabilities has broadened significantly. The program provides assistive technologies such as large monitors and speech recognition software for visually impaired users, ergonomic workstations for workers with physical disabilities and captioning devices for the hearing-impaired.