National Library of Energy BETA

Sample records for multiple security vulnerabilities

  1. U-169: Sympa Multiple Security Bypass Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Sympa, which can be exploited by malicious people to bypass certain security restrictions.

  2. V-119: IBM Security AppScan Enterprise Multiple Vulnerabilities...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    9: IBM Security AppScan Enterprise Multiple Vulnerabilities V-119: IBM Security AppScan Enterprise Multiple Vulnerabilities March 26, 2013 - 12:56am Addthis PROBLEM: IBM Security...

  3. T-551: Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur.

  4. T-681:IBM Lotus Symphony Multiple Unspecified Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to "critical security vulnerability issues."

  5. V-083: Oracle Java Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert.

  6. U-104: Adobe Flash Player Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user's system.

  7. V-097: Google Chrome Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Google Chrome, where some have an unknown impact and others can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

  8. V-191: Apple Mac OS X Multiple Vulnerabilities | Department of...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    1: Apple Mac OS X Multiple Vulnerabilities V-191: Apple Mac OS X Multiple Vulnerabilities July 3, 2013 - 6:00am Addthis PROBLEM: Apple has issued a security update for Mac OS X...

  9. V-180: IBM Application Manager For Smart Business Multiple Vulnerabilities

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy 0: IBM Application Manager For Smart Business Multiple Vulnerabilities V-180: IBM Application Manager For Smart Business Multiple Vulnerabilities June 18, 2013 - 12:38am Addthis PROBLEM: IBM Application Manager For Smart Business Multiple Vulnerabilities PLATFORM: IBM Application Manager For Smart Business 1.x ABSTRACT: A security issue and multiple vulnerabilities have been reported in IBM Application Manager For Smart Business REFERENCE LINKS: Security Bulletin

  10. U-198: IBM Lotus Expeditor Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    8: IBM Lotus Expeditor Multiple Vulnerabilities U-198: IBM Lotus Expeditor Multiple Vulnerabilities June 25, 2012 - 7:00am Addthis PROBLEM: Multiple vulnerabilities have been reported in IBM Lotus Expeditor. PLATFORM: IBM Lotus Expeditor 6.x ABSTRACT: The vulnerabilities can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.. Reference Links: Vendor Advisory

  11. V-092: Pidgin Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to manipulate certain data, cause a DoS (Denial of Service), and compromise a user's system.

  12. U-162: Drupal Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    2: Drupal Multiple Vulnerabilities U-162: Drupal Multiple Vulnerabilities May 4, 2012 - 7:00am Addthis PROBLEM: Drupal Multiple Vulnerabilities PLATFORM: The vulnerabilities are reported in 7.x versions prior to 7.13. ABSTRACT: Several vulnerabilities were reported in Drupal: Denial of Service, Access bypass, and Unvalidated form redirect reference LINKS: Security Advisory: DRUPAL-SA-CORE-2012-002 Bugtraq ID: 53359 Secunia Advisory SA49012 CVE-2012-1588 CVE-2012-1589 CVE-2012-1590 CVE-2012-1591

  13. V-122: IBM Tivoli Application Dependency Discovery Manager Java Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple security vulnerabilities exist in the Java Runtime Environments (JREs) that can affect the security of IBM Tivoli Application Dependency Discovery Manager

  14. V-096: Mozilla Thunderbird / SeaMonkey Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    A weakness and multiple vulnerabilities have been reported in Mozilla Thunderbird and SeaMonkey, which can be exploited by malicious people to disclose potentially sensitive information, conduct spoofing attacks, bypass certain security restrictions, and compromise a user's system.

  15. T-540: Sybase EAServer Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Sybase EAServer is prone to a security-bypass vulnerability and a directory-traversal vulnerability. Attackers may exploit these issues to execute arbitrary code within the context of the application or to disclose sensitive information.

  16. Mitigations for Security Vulnerabilities Found in Control System...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Mitigations for Security Vulnerabilities Found in Control System Networks Mitigations for Security Vulnerabilities Found in Control System Networks Industry is aware of the need ...

  17. Common Cyber Security Vulnerabilities Observed in Control System...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program Common Cyber Security Vulnerabilities Observed in Control System Assessments by ...

  18. V-224: Google Chrome Multiple Vulnerabilities | Department of...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    4: Google Chrome Multiple Vulnerabilities V-224: Google Chrome Multiple Vulnerabilities August 22, 2013 - 1:05am Addthis PROBLEM: Multiple vulnerabilities have been reported in...

  19. V-121: Google Chrome Multiple Vulnerabilities | Department of...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    1: Google Chrome Multiple Vulnerabilities V-121: Google Chrome Multiple Vulnerabilities March 28, 2013 - 12:29am Addthis PROBLEM: Google Chrome Multiple Vulnerabilities PLATFORM:...

  20. V-207: Wireshark Multiple Denial of Service Vulnerabilities ...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    7: Wireshark Multiple Denial of Service Vulnerabilities V-207: Wireshark Multiple Denial of Service Vulnerabilities July 31, 2013 - 1:59am Addthis PROBLEM: Multiple vulnerabilities...

  1. V-059: MoinMoin Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in MoinMoin, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system and by malicious people to manipulate certain data.

  2. CYBER/PHYSICAL SECURITY VULNERABILITY ASSESSMENT INTEGRATION

    SciTech Connect (OSTI)

    MacDonald, Douglas G.; Key, Brad; Clements, Samuel L.; Hutton, William J.; Craig, Philip A.; Patrick, Scott W.; Crawford, Cary E.

    2011-07-17

    This internally funded Laboratory-Directed R&D project by the Pacific Northwest National Laboratory, in conjunction with QinetiQ North America, is intended to identify and properly assess areas of overlap (and interaction) in the vulnerability assessment process between cyber security and physical protection. Existing vulnerability analysis (VA) processes and software tools exist, and these are heavily utilized in the determination of predicted vulnerability within the physical and cyber security domains. These determinations are normally performed independently of one another, and only interact on a superficial level. Both physical and cyber security subject matter experts have come to realize that though the various interactive elements exist, they are not currently quantified in most periodic security assessments. This endeavor aims to evaluate both physical and cyber VA techniques and provide a strategic approach to integrate the interdependent relationships of each into a single VA capability. This effort will also transform the existing suite of software currently utilized in the physical protection world to more accurately quantify the risk associated with a blended attack scenario. Performance databases will be created to support the characterization of the cyber security elements, and roll them into prototype software tools. This new methodology and software capability will enable analysts to better identify and assess the overall risk during a vulnerability analysis.

  3. V-158: BlackBerry Tablet OS Flash Player Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in BlackBerry Tablet OS, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.

  4. U-197: Cisco Adaptive Security Appliances Denial of Service Vulnerability |

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Department of Energy 7: Cisco Adaptive Security Appliances Denial of Service Vulnerability U-197: Cisco Adaptive Security Appliances Denial of Service Vulnerability June 22, 2012 - 7:00am Addthis PROBLEM: A vulnerability has been reported in Cisco Adaptive Security Appliances (ASA), which can be exploited by malicious people to cause a DoS (Denial of Service). PLATFORM: Cisco Adaptive Security Appliance (ASA) 8.x Cisco ASA 5500 Series Adaptive Security Appliances ABSTRACT: The vulnerability

  5. V-187: Mozilla Firefox Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    These vulnerabilities can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, disclose potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

  6. V-162: Apache Struts "ParameterInterceptor" Security Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions.

  7. U-146: Adobe Reader/Acrobat Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    46: Adobe Reader/Acrobat Multiple Vulnerabilities U-146: Adobe Reader/Acrobat Multiple Vulnerabilities April 12, 2012 - 8:30am Addthis PROBLEM: Multiple vulnerabilities have been reported in Adobe Reader and Adobe Acrobat. PLATFORM: Adobe Acrobat 9.x Adobe Acrobat X 10.x Adobe Reader 9.x Adobe Reader X 10.x ABSTRACT: Vulnerabilities can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, gain knowledge of potentially sensitive

  8. V-094: IBM Multiple Products Multiple Vulnerabilities | Department of

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Energy 94: IBM Multiple Products Multiple Vulnerabilities V-094: IBM Multiple Products Multiple Vulnerabilities February 19, 2013 - 1:41am Addthis PROBLEM: IBM Multiple Products Multiple Vulnerabilities PLATFORM: IBM Maximo Asset Management versions 7.5, 7.1, and 6.2 IBM Maximo Asset Management Essentials versions 7.5, 7.1, and 6.2 IBM SmartCloud Control Desk version 7.5 IBM Tivoli Asset Management for IT versions 7.2, 7.1, and 6.2 IBM Tivoli Change and Configuration Management Database

  9. V-126: Mozilla Firefox Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct spoofing and cross-site scripting attacks and compromise a user's system

  10. V-111: Multiple vulnerabilities have been reported in Puppet...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    vulnerable system. SOLUTION: Update to a fixed version. Addthis Related Articles V-090: Adobe Flash Player AIR Multiple Vulnerabilities V-083: Oracle Java Multiple...

  11. V-051: Oracle Solaris Java Multiple Vulnerabilities | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Related Articles U-191: Oracle Java Multiple Vulnerabilities U-105:Oracle Java SE Critical Patch Update Advisory T-576: Oracle Solaris Adobe Flash Player Multiple Vulnerabilities...

  12. V-237: TYPO3 Security Bypass Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    7: TYPO3 Security Bypass Vulnerabilities V-237: TYPO3 Security Bypass Vulnerabilities September 9, 2013 - 6:00am Addthis PROBLEM: Some vulnerabilities have been reported in TYPO3 PLATFORM: TYPO3 6.x ABSTRACT: TYPO3 comes with the possibility to restrict editors to certain file actions (copy, delete, move etc.) and to restrict these actions to be performed in certain locations REFERENCE LINKS: Secunia Advisory SA54717 Security Focus ID 62257 IMPACT ASSESSMENT: Medium DISCUSSION: 1) Some errors

  13. V-106: Citrix Access Gateway Unspecified Security Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been reported in Citrix Access Gateway, which can be exploited by malicious people to bypass certain security restrictions.

  14. V-005: ModSecurity Multipart Message Parsing Security Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    SEC Consult has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions.

  15. V-211: IBM iNotes Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    1: IBM iNotes Multiple Vulnerabilities V-211: IBM iNotes Multiple Vulnerabilities August 5, 2013 - 6:00am Addthis PROBLEM: Multiple vulnerabilities have been reported in IBM Lotus iNotes PLATFORM: IBM iNotes 9.x ABSTRACT: IBM iNotes has two cross-site scripting vulnerabilities and an ActiveX Integer overflow vulnerability REFERENCE LINKS: Secunia Advisory SA54436 IBM Security Bulletin 1645503 CVE-2013-3027 CVE-2013-3032 CVE-2013-3990 IMPACT ASSESSMENT: High DISCUSSION: 1) Certain input related

  16. U-187: Adobe Flash Player Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Adobe released security updates for Adobe Flash Player 11.2.202.235 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.8 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.9 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

  17. U-035: Adobe Flash Player Multiple Vulnerabilities | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. Impact: Multiple vulnerabilities have been reported in Adobe ...

  18. U-013: HP Data Protector Multiple Unspecified Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities were reported in HP Data Protector. A remote user can execute arbitrary code on the target system.

  19. V-161: IBM Maximo Asset Management Products Java Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Asset and Service Mgmt Products - Potential security exposure when using JavaTM based applications due to vulnerabilities in Java Software Developer Kits.

  20. Common Cyber Security Vulnerabilities Observed in Control System

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Assessments by the INL NSTB Program | Department of Energy Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program This document presents results from 16 control system assessments performed under the NSTB program from 2003 through 2007. Information found in individual stakeholder reports is protected from disclosure. Researchers recognized that

  1. T-560: Cisco Security Advisory: Management Center for Cisco Security Agent Remote Code Execution Vulnerability

    Broader source: Energy.gov [DOE]

    The Management Center for Cisco Security Agent is affected by a vulnerability that may allow an unauthenticated attacker to perform remote code execution on the affected device.

  2. T-614: Cisco Unified Communications Manager Database Security Vulnerability

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy 14: Cisco Unified Communications Manager Database Security Vulnerability T-614: Cisco Unified Communications Manager Database Security Vulnerability May 3, 2011 - 7:37am Addthis PROBLEM: Cisco Unified Communications Manager contains a vulnerability that could allow an authenticated, remote attacker to inject arbitrary script code on a targeted system. PLATFORM: Cisco Unified Communications Manager versions prior to 8.5(1), 8.0(3), 7.1(5)su1, and 6.1(5)su2 are

  3. Regulatory Guide on Conducting a Security Vulnerability Assessment

    SciTech Connect (OSTI)

    Ek, David R.

    2016-01-01

    This document will provide guidelines on conducting a security vulnerability assessment at a facility regulated by the Radiation Protection Centre. The guidelines provide a performance approach assess security effectiveness. The guidelines provide guidance for a review following the objectives outlined in IAEA NSS#11 for Category 1, 2, & 3 sources.

  4. U-171: DeltaV Products Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in DeltaV products, which can be exploited by malicious people to conduct cross-site scripting attacks, SQL injection attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

  5. V-208: Google Chrome Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Some vulnerabilities have been reported in Google Chrome which allows attackers to access and compromise a user's system.

  6. V-131: Adobe Shockwave Player Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    This update addresses vulnerabilities that could allow an attacker to run malicious code on the affected system

  7. V-107: Wireshark Multiple Denial of Service Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).

  8. CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control Systems Are Under Way, but ...

  9. V-157: Adobe Reader / Acrobat Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system

  10. U-179: IBM Java 7 Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Vulnerabilities can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

  11. U-191: Oracle Java Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. This Critical Patch Update contains 14 new security fixes across Java SE products.

  12. U-234: Oracle MySQL User Login Security Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    Oracle MySQL is prone to a security bypass vulnerability Attackers can exploit this issue to bypass certain security restrictions.

  13. V-200: Apache Struts DefaultActionMapper Redirection and OGNL Security Bypass Vulnerabilities

    Broader source: Energy.gov [DOE]

    The vulnerabilities can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions

  14. U-173: Symantec Web Gateway Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Several vulnerabilities were reported in Symantec Web Gateway. A remote user can include and execute arbitrary code on the target system. A remote user can conduct cross-site scripting attacks. A remote user can view/delete/upload files on the target system.

  15. T-542: SAP Crystal Reports Server Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities in SAP Crystal Reports Server 2008, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting attacks, manipulate certain data, and compromise a user's system.

  16. V-186: Drupal Login Security Module Security Bypass and Denial...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-186: Drupal Login Security Module Security Bypass and Denial of Service Vulnerability ... Related Articles U-162: Drupal Multiple Vulnerabilities V-052: Drupal Core Access Bypass ...

  17. T-694: IBM Tivoli Federated Identity Manager Products Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability might cause the Java Runtime Environment to hang, be in infinite loop, and/or crash resulting in a denial of service exposure. This same hang might occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or third party written application.

  18. U-042: Mac RealPlayer Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    42: Mac RealPlayer Multiple Vulnerabilities U-042: Mac RealPlayer Multiple Vulnerabilities November 21, 2011 - 9:15am Addthis PROBLEM: Mac RealPlayer Multiple Vulnerabilities. PLATFORM: Versions 12.0.0.1701 and prior. ABSTRACT: Multiple vulnerabilities have been reported in Mac RealPlayer, which can be exploited by malicious people to compromise a user's system. reference LINKS: Secunia Advisory: SA46963 Secunia Vulnerability Report: Mac RealPlayer 12.x Secunia Advisory: SA46954 IMPACT

  19. Ultra Wideband (UWB) communication vulnerability for security applications.

    SciTech Connect (OSTI)

    Cooley, H. Timothy

    2010-07-01

    RF toxicity and Information Warfare (IW) are becoming omnipresent posing threats to the protection of nuclear assets, and within theatres of hostility or combat where tactical operation of wireless communication without detection and interception is important and sometimes critical for survival. As a result, a requirement for deployment of many security systems is a highly secure wireless technology manifesting stealth or covert operation suitable for either permanent or tactical deployment where operation without detection or interruption is important The possible use of ultra wideband (UWB) spectrum technology as an alternative physical medium for wireless network communication offers many advantages over conventional narrowband and spread spectrum wireless communication. UWB also known as fast-frequency chirp is nonsinusoidal and sends information directly by transmitting sub-nanosecond pulses without the use of mixing baseband information upon a sinusoidal carrier. Thus UWB sends information using radar-like impulses by spreading its energy thinly over a vast spectrum and can operate at extremely low-power transmission within the noise floor where other forms of RF find it difficult or impossible to operate. As a result UWB offers low probability of detection (LPD), low probability of interception (LPI) as well as anti-jamming (AJ) properties in signal space. This paper analyzes and compares the vulnerability of UWB to narrowband and spread spectrum wireless network communication.

  20. T-544: Cisco Security Advisory: Cisco Content Services Gateway Vulnerabilities

    Broader source: Energy.gov [DOE]

    Cisco IOS Software Release 12.4(24)MD1 on the Cisco CSG2 contains two vulnerabilities that can be exploited by a remote, unauthenticated attacker to create a denial of service condition that prevents traffic from passing through the CSG2. These vulnerabilities require only a single content service to be active on the Cisco CSG2 and can be exploited via crafted TCP packets. A three-way handshake is not required to exploit either of these vulnerabilities.

  1. V-152: Cisco Unified Customer Voice Portal (CVP) Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Various components of Cisco Unified CVP are affected. These vulnerabilities can be exploited independently; however, more than one vulnerability could be exploited on the same device.

  2. U-273: Multiple vulnerabilities have been reported in Wireshark

    Broader source: Energy.gov [DOE]

    Vulnerabilities can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

  3. V-041: Red Hat CloudForms Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    1: Red Hat CloudForms Multiple Vulnerabilities V-041: Red Hat CloudForms Multiple Vulnerabilities December 6, 2012 - 4:01am Addthis PROBLEM: Red Hat CloudForms Multiple Vulnerabilities PLATFORM: CloudForms ABSTRACT: Multiple vulnerabilities have been reported in Red Hat CloudForms REFERENCE LINKS: RHSA-2012-1542-1 RHSA-2012-1543-1 Secunia Advisory SA51472 CVE-2012-1986 CVE-2012-1987 CVE-2012-1988 CVE-2012-2139 CVE-2012-2140 CVE-2012-2660 CVE-2012-2661 CVE-2012-2694 CVE-2012-2695 CVE-2012-3424

  4. U-228: BlackBerry Tablet OS Flash Player Multiple Vulnerabilities...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Addthis PROBLEM: BlackBerry Tablet OS Flash Player Multiple Vulnerabilities PLATFORM: Adobe Flash Player versions included with BlackBerry PlayBook tablet software versions...

  5. T-629: Avaya WinPDM Multiple Buffer Overflow Vulnerabilities

    Broader source: Energy.gov [DOE]

    Vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

  6. V-178: IBM Data Studio Web Console Java Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    IBM Data Studio Web Console uses the IBM Java Runtime Environment (JRE) and might be affected by vulnerabilities in the IBM JRE

  7. V-118: IBM Lotus Domino Multiple Vulnerabilities | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    to version 9.0 or update to version 8.5.3 Fix Pack 4 when available Addthis Related Articles T-534: Vulnerability in the PDF distiller of the BlackBerry Attachment Service...

  8. U-186: IBM WebSphere Sensor Events Multiple Vulnerabilities | Department of

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Energy 86: IBM WebSphere Sensor Events Multiple Vulnerabilities U-186: IBM WebSphere Sensor Events Multiple Vulnerabilities June 8, 2012 - 7:00am Addthis PROBLEM: Multiple vulnerabilities have been reported in IBM WebSphere Sensor Events PLATFORM: IBM WebSphere Sensor Events 7.x ABSTRACT: Some vulnerabilites have unknown impacts and others can be exploited by malicious people to conduct cross-site scripting attacks. Reference Links: Secunia ID 49413 No CVE references. Vendor URL IMPACT

  9. T-543: Wireshark 0.8.20 through 1.2.8 Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Wireshark is prone to multiple denial-of-service and buffer-overflow vulnerabilities. Exploiting these issues may allow attackers to crash the application and deny service to legitimate users. Attackers may also execute arbitrary code in the context of vulnerable users running the application.

  10. Application of artificial neural networks in power system security and vulnerability assessment

    SciTech Connect (OSTI)

    Qin Zhou; Davidson, J.; Fouad, A.A.

    1994-02-01

    In a companion paper the concept of system vulnerability is introduced as a new framework for power system dynamic security assessment. Using the TEF method of transient stability analysis, the energy margin [Delta]V is used as an indicator of the level of security, and its sensitivity to a changing system parameter p ([partial derivative][Delta]V/[partial derivative]p) as indicator of its trend with changing system conditions. These two indicators are combined to determine the degree of system vulnerability to contingent disturbances in a stability-limited power system. Thresholds for acceptable levels of the security indicator and its trend are related to the stability limits of a critical system parameter (plant generation limits). Operating practices and policies are used to determine these thresholds. In this paper the artificial neural networks (ANNs) technique is applied to the concept of system vulnerability within the recently developed framework, for fast pattern recognition and classification of system dynamic security status. A suitable topology for the neural network is developed, and the appropriate training method and input and output signals are selected. The procedure developed is successfully applied to the IEEE 50-generator test system. Data previously obtained by heuristic techniques are used for training the ANN.

  11. T-597: WordPress Multiple Security Vulnerabilities

    Broader source: Energy.gov [DOE]

    Attackers can exploit these issues to perform unauthorized actions in the context of the logged-in user, crash the affected application and therefore deny service to legitimate users, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials or launch other attacks.

  12. U-116: IBM Tivoli Provisioning Manager Express for Software Distribution Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in IBM Tivoli Provisioning Manager Express for Software Distribution, which can be exploited by malicious people to conduct SQL injection attacks and compromise a user's system

  13. T-528: Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities

    Broader source: Energy.gov [DOE]

    Mozilla Firefox/Thunderbird/SeaMonkey Multiple HTML Injection Vulnerabilities. Mozilla Firefox, SeaMonkey, and Thunderbird are prone to multiple HTML-injection vulnerabilities. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

  14. CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Systems Are Under Way, but Challenges Remain | Department of Energy CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain GAO is making recommendations to the Department of Homeland Security (DHS) to develop a strategy for coordinating control systems security efforts and to enhance information sharing with relevant

  15. T-592: Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability

    Broader source: Energy.gov [DOE]

    Cisco Secure ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.

  16. T-527: OpenSC Smart Card Serial Number Multiple Buffer Overflow Vulnerabilities

    Broader source: Energy.gov [DOE]

    OpenSC is prone to multiple buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

  17. Using Multiple Unmanned Systems for a Site Security Task

    SciTech Connect (OSTI)

    Matthew O. Anderson; Curtis W. Nielsen; Mark D. McKay; Derek C. Wadsworth; Ryan C. Hruska; John A. Koudelka

    2009-04-01

    Unmanned systems are often used to augment the ability of humans to perform challenging tasks. While the value of individual unmanned vehicles have been proven for a variety of tasks, it is less understood how multiple unmanned systems should be used together to accomplish larger missions such as site security. The purpose of this paper is to discuss efforts by researchers at the Idaho National Laboratory (INL) to explore the utility and practicality of operating multiple unmanned systems for a site security mission. This paper reviews the technology developed for a multi-agent mission and summarizes the lessons-learned from a technology demonstration.

  18. U-126: Cisco Adaptive Security Appliances Port Forwarder ActiveX Control Buffer Overflow Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability was reported in Cisco ASA. A remote user can cause arbitrary code to be executed on the target user's system.

  19. V-197: Adobe ColdFusion 10 WebSockets Security Bypass Vulnerability

    Office of Energy Efficiency and Renewable Energy (EERE)

    The vulnerability is caused due to an unspecified error and can be exploited to invoke public methods on ColdFusion Components (CFC) using WebSockets

  20. A Busy Year Securing Vulnerable Nuclear Material and Making the World Safer

    Broader source: Energy.gov [DOE]

    NNSA assisted in reclaiming highly enriched uranium from the Ukraine to a secure facility in Russia.

  1. V-132: IBM Tivoli System Automation Application Manager Multiple

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerabilities | Department of Energy 2: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities V-132: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities April 12, 2013 - 6:00am Addthis PROBLEM: IBM has acknowledged multiple vulnerabilities in IBM Tivoli System Automation Application Manager PLATFORM: The vulnerabilities are reported in IBM Tivoli System Automation Application Manager versions 3.1, 3.2, 3.2.1, and 3.2.2 ABSTRACT: Multiple security

  2. U-214: HP Network Node Manager Java JDK / JRE Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    Vulnerabilities could be remotely exploited resulting in unauthorized information disclosure, modification, Denial of Service (DoS).

  3. Lessons about vulnerability assessments.

    SciTech Connect (OSTI)

    Johnston, R. G.

    2004-01-01

    The Vulnerability Assessment Team (VAT) at Los Alamos National Laboratory believes that physical security can only be optimized through the use of effective vulnerability assessments. As a result of conducting vulnerability assessments on hundreds of different security devices and systems in the last few years, we have identified some of the attributes of effective assessments. These, along with our recommendations and observations about vulnerability assessments, are summarized in this paper. While our work has primarily involved physical security (in contrast to, for example, computer, network, or information security), our experiences may have applicability to other types of security as well.

  4. T-697: Google Chrome Prior to 13.0.782.107 Multiple Security Vulnerabilities

    Broader source: Energy.gov [DOE]

    Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks may also be possible.

  5. Public views on multiple dimensions of security : nuclear waepons, terrorism, energy, and the environment : 2007.

    SciTech Connect (OSTI)

    Herron, Kerry Gale; Jenkins-Smith, Hank C.

    2008-01-01

    We analyze and compare findings from identical national surveys of the US general public on nuclear security and terrorism administered by telephone and Internet in mid-2007. Key areas of investigation include assessments of threats to US security; valuations of US nuclear weapons and nuclear deterrence; perspectives on nuclear proliferation, including the specific cases of North Korea and Iran; and support for investments in nuclear weapons capabilities. Our analysis of public views on terrorism include assessments of the current threat, progress in the struggle against terrorism, preferences for responding to terrorist attacks at different levels of assumed casualties, and support for domestic policies intended to reduce the threat of terrorism. Also we report findings from an Internet survey conducted in mid 2007 that investigates public views of US energy security, to include: energy supplies and reliability; energy vulnerabilities and threats, and relationships among security, costs, energy dependence, alternative sources, and research and investment priorities. We analyze public assessments of nuclear energy risks and benefits, nuclear materials management issues, and preferences for the future of nuclear energy in the US. Additionally, we investigate environmental issues as they relate to energy security, to include expected implications of global climate change, and relationships among environmental issues and potential policy options.

  6. Security

    Broader source: Energy.gov [DOE]

    Security refers to the security of the stream of principal and interest repayments and what happens in the event that a secured loan defaults.

  7. V-234: EMC RSA Archer GRC Open Redirection Weakness and Security Bypass

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security Issue | Department of Energy 4: EMC RSA Archer GRC Open Redirection Weakness and Security Bypass Security Issue V-234: EMC RSA Archer GRC Open Redirection Weakness and Security Bypass Security Issue September 4, 2013 - 6:00am Addthis PROBLEM: A weakness and a security issue have been reported in EMC RSA Archer GRC PLATFORM: EMC RSA Archer GRC 5.x ABSTRACT: This fixes multiple vulnerabilities, which can be exploited to bypass certain security restrictions and to conduct spoofing

  8. SCADA Vulnerability Assessments

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Vulnerability Assessments - Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management Programs

  9. T-592: Cisco Security Advisory: Cisco Secure Access Control System...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Advisory: Cisco Secure Access Control System Unauthorized Password Change Vulnerability T-592: Cisco Security Advisory: Cisco Secure Access Control System Unauthorized Password ...

  10. security

    National Nuclear Security Administration (NNSA)

    exan-Calvin-Nelson-secures-recognition-for-expertise.aspx">Pantex website.

    Apex Gold discussion fosters international cooperation in run-up to 2016 Nuclear Security Summit...

  11. GAO-07-1036, CRITICAL INFRASTRUCTURE PROTECTION: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain

    Energy Savers [EERE]

    Congressional Requesters CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain September 2007 GAO-07-1036 What GAO Found United States Government Accountability Office Why GAO Did This Study Highlights Accountability Integrity Reliability September 2007 CRITICAL INFRASTRUCTURE PROTECTION Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain Highlights of GAO-07-1036, a report to congressional requesters

  12. V-134: Cisco AnyConnect Secure Mobility Client Heap Overflow...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-134: Cisco AnyConnect Secure Mobility Client Heap Overflow Lets Local Users Gain ... AnyConnect VPN Client Two Vulnerabilities V-066: Adobe AcrobatReader Multiple Flaws ...

  13. Security Perimeter

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Perimeter Security Perimeter Protecting the Laboratory against threats and vulnerabilities. Contact Security Perimeter Coordinators Email The security perimeter helps to protect the Laboratory Vehicle Access Portal graphic The security perimeter is intended to protect the Laboratory against the possibility of terrorist attacks. At each point of the perimeter, access is controlled by vehicle access portals (VAPs) at the following locations: East Jemez Road VAPs (pdf) (shown above) West

  14. NSTB Summarizes Vulnerable Areas | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    control systems assessed between late 2004 and early 2006. These vulnerabilities ranged from conventional IT security issues to specific weaknesses in control system protocols. ...

  15. U-246: Tigase XMPP Dialback Protection Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been reported in Tigase, which can be exploited by malicious people to bypass certain security restrictions.

  16. Vendor System Vulnerability Testing Test Plan

    SciTech Connect (OSTI)

    James R. Davidson

    2005-01-01

    The Idaho National Laboratory (INL) prepared this generic test plan to provide clients (vendors, end users, program sponsors, etc.) with a sense of the scope and depth of vulnerability testing performed at the INLís Supervisory Control and Data Acquisition (SCADA) Test Bed and to serve as an example of such a plan. Although this test plan specifically addresses vulnerability testing of systems applied to the energy sector (electric/power transmission and distribution and oil and gas systems), it is generic enough to be applied to control systems used in other critical infrastructures such as the transportation sector, water/waste water sector, or hazardous chemical production facilities. The SCADA Test Bed is established at the INL as a testing environment to evaluate the security vulnerabilities of SCADA systems, energy management systems (EMS), and distributed control systems. It now supports multiple programs sponsored by the U.S. Department of Energy, the U.S. Department of Homeland Security, other government agencies, and private sector clients. This particular test plan applies to testing conducted on a SCADA/EMS provided by a vendor. Before performing detailed vulnerability testing of a SCADA/EMS, an as delivered baseline examination of the system is conducted, to establish a starting point for all-subsequent testing. The series of baseline tests document factory delivered defaults, system configuration, and potential configuration changes to aid in the development of a security plan for in depth vulnerability testing. The baseline test document is provided to the System Provider,a who evaluates the baseline report and provides recommendations to the system configuration to enhance the security profile of the baseline system. Vulnerability testing is then conducted at the SCADA Test Bed, which provides an in-depth security analysis of the Vendorís system.b a. The term System Provider replaces the name of the company/organization providing the system being evaluated. This can be the system manufacturer, a system user, or a third party organization such as a government agency. b. The term Vendor (or Vendorís) System replaces the name of the specific SCADA/EMS being tested.

  17. T-574: Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities have been reported in Google Chrome, where some have an unknown impact while others can be exploited by malicious people bypass certain security restrictions, disclose system information, and compromise a user's system.

  18. V-162: Apache Struts "ParameterInterceptor" Security Bypass Vulnerabil...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    2: Apache Struts "ParameterInterceptor" Security Bypass Vulnerability V-162: Apache Struts "ParameterInterceptor" Security Bypass Vulnerability May 23, 2013 - 6:00am Addthis...

  19. V-188: Apache XML Security XPointer Expressions Processing Buffer...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    8: Apache XML Security XPointer Expressions Processing Buffer Overflow Vulnerability V-188: Apache XML Security XPointer Expressions Processing Buffer Overflow Vulnerability June...

  20. U-200: Red Hat Directory Server Information Disclosure Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    0: Red Hat Directory Server Information Disclosure Security Issue and Vulnerability U-200: Red Hat Directory Server Information Disclosure Security Issue and Vulnerability June 27,...

  1. Office of Radiological Security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Office of Radiological ... Office of Radiological Security Read more about Y-12's contributions of the Global Threat Reduction Initiative to secure the world's most vulnerable...

  2. T-551: Cisco Security Advisory: Multiple Cisco WebEx Player Vulnerabil...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    The vulnerabilities may lead to a crash of the player application or, in some cases, ... in this document could result in a crash of the Cisco WebEx ARF Player or WRF ...

  3. Common Control System Vulnerability

    SciTech Connect (OSTI)

    Trent Nelson

    2005-12-01

    The Control Systems Security Program and other programs within the Idaho National Laboratory have discovered a vulnerability common to control systems in all sectors that allows an attacker to penetrate most control systems, spoof the operator, and gain full control of targeted system elements. This vulnerability has been identified on several systems that have been evaluated at INL, and in each case a 100% success rate of completing the attack paths that lead to full system compromise was observed. Since these systems are employed in multiple critical infrastructure sectors, this vulnerability is deemed common to control systems in all sectors. Modern control systems architectures can be considered analogous to today's information networks, and as such are usually approached by attackers using a common attack methodology to penetrate deeper and deeper into the network. This approach often is composed of several phases, including gaining access to the control network, reconnaissance, profiling of vulnerabilities, launching attacks, escalating privilege, maintaining access, and obscuring or removing information that indicates that an intruder was on the system. With irrefutable proof that an external attack can lead to a compromise of a computing resource on the organization's business local area network (LAN), access to the control network is usually considered the first phase in the attack plan. Once the attacker gains access to the control network through direct connections and/or the business LAN, the second phase of reconnaissance begins with traffic analysis within the control domain. Thus, the communications between the workstations and the field device controllers can be monitored and evaluated, allowing an attacker to capture, analyze, and evaluate the commands sent among the control equipment. Through manipulation of the communication protocols of control systems (a process generally referred to as ''reverse engineering''), an attacker can then map out the control system processes and functions. With the detailed knowledge of how the control data functions, as well as what computers and devices communicate using this data, the attacker can use a well known Man-in-the-Middle attack to perform malicious operations virtually undetected. The control systems assessment teams have used this method to gather enough information about the system to craft an attack that intercepts and changes the information flow between the end devices (controllers) and the human machine interface (HMI and/or workstation). Using this attack, the cyber assessment team has been able to demonstrate complete manipulation of devices in control systems while simultaneously modifying the data flowing back to the operator's console to give false information of the state of the system (known as ''spoofing''). This is a very effective technique for a control system attack because it allows the attacker to manipulate the system and the operator's situational awareness of the perceived system status. The three main elements of this attack technique are: (1) network reconnaissance and data gathering, (2) reverse engineering, and (3) the Man-in-the-Middle attack. The details of this attack technique and the mitigation techniques are discussed.

  4. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    all of our reactor designs employ a concurrent engineering approach that addresses the integration of safety, operations, security, and safeguards from the conceptual design level. Capabilities include core design, thermal hydraulics, waste characterization, simulator development, and severe service and accident testing. Design assessments include: safety, security, vulnerability, siting, emergency planning, and fuel cycle impact. organization 6221 serves as a window to sister organizations

  5. T-565: Vulnerability in Microsoft Malware Protection Engine Could Allow Elevation of PrivilegeVulnerability

    Broader source: Energy.gov [DOE]

    Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft.

  6. V-186: Drupal Login Security Module Security Bypass and Denial of Service

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerability | Department of Energy 6: Drupal Login Security Module Security Bypass and Denial of Service Vulnerability V-186: Drupal Login Security Module Security Bypass and Denial of Service Vulnerability June 26, 2013 - 1:28am Addthis PROBLEM: Drupal Login Security Module Security Bypass and Denial of Service Vulnerability PLATFORM: Login Security 6.x-1.x versions prior to 6.x-1.2. Login Security 7.x-1.x versions prior to 7.x-1.2. ABSTRACT: A security issue and a vulnerability have been

  7. U-190: Microsoft Security Bulletin MS12-037- Critical

    Broader source: Energy.gov [DOE]

    This security update resolves one publicly disclosed and twelve privately reported vulnerabilities in Internet Explorer.

  8. V-161: IBM Maximo Asset Management Products Java Multiple Vulnerabilit...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Articles U-179: IBM Java 7 Multiple Vulnerabilities V-145: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities V-094: IBM Multiple Products Multiple...

  9. Energy vulnerability relationships

    SciTech Connect (OSTI)

    Shaw, B.R.; Boesen, J.L.

    1998-02-01

    The US consumption of crude oil resources has been a steadily growing indicator of the vitality and strength of the US economy. At the same time import diversity has also been a rapidly developing dimension of the import picture. In the early 1970`s, embargoes of crude oil from Organization of Producing and Exporting Countries (OPEC) created economic and political havoc due to a significant lack of diversity and a unique set of economic, political and domestic regulatory circumstances. The continued rise of imports has again led to concerns over the security of our crude oil resource but threats to this system must be considered in light of the diversity and current setting of imported oil. This report develops several important issues concerning vulnerability to the disruption of oil imports: (1) The Middle East is not the major supplier of oil to the United States, (2) The US is not vulnerable to having its entire import stream disrupted, (3) Even in stable countries, there exist vulnerabilities to disruption of the export stream of oil, (4) Vulnerability reduction requires a focus on international solutions, and (5) DOE program and policy development must reflect the requirements of the diverse supply. Does this increasing proportion of imported oil create a {open_quotes}dependence{close_quotes}? Does this increasing proportion of imported oil present a vulnerability to {open_quotes}price shocks{close_quotes} and the tremendous dislocations experienced during the 1970`s? Finally, what is the vulnerability of supply disruptions from the current sources of imported oil? If oil is considered to be a finite, rapidly depleting resource, then the answers to these questions must be {open_quotes}yes.{close_quotes} However, if the supply of oil is expanding, and not limited, then dependence is relative to regional supply sources.

  10. V-216: Drupal Monster Menus Module Security Bypass and Script...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-216: Drupal Monster Menus Module Security Bypass and Script Insertion Vulnerabilities ... Addthis Related Articles V-186: Drupal Login Security Module Security Bypass and Denial of ...

  11. Grid Cyber Vulnerability & Assessments

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Cyber Vulnerability & Assessments - Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management

  12. Cyber-Based Vulnerability Assessments

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Cyber-Based Vulnerability Assessments - Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management

  13. V-213: PuTTY SSH Handshake Integer Overflow Vulnerabilities ...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    source code repository Addthis Related Articles V-222: SUSE update for Filezilla V-157: Adobe Reader Acrobat Multiple Vulnerabilities V-066: Adobe AcrobatReader Multiple Flaws...

  14. Are Vulnerability Disclosure Deadlines Justified?

    SciTech Connect (OSTI)

    Miles McQueen; Jason L. Wright; Lawrence Wellman

    2011-09-01

    Vulnerability research organizations Rapid7, Google Security team, and Zero Day Initiative recently imposed grace periods for public disclosure of vulnerabilities. The grace periods ranged from 45 to 182 days, after which disclosure might occur with or without an effective mitigation from the affected software vendor. At this time there is indirect evidence that the shorter grace periods of 45 and 60 days may not be practical. However, there is strong evidence that the recently announced Zero Day Initiative grace period of 182 days yields benefit in speeding up the patch creation process, and may be practical for many software products. Unfortunately, there is also evidence that the 182 day grace period results in more vulnerability announcements without an available patch.

  15. U-149: Apache OFBiz Cross-Site Scripting and Code Execution Vulnerabilities

    Energy Savers [EERE]

    Server Cross-Site Scripting Vulnerability | Department of Energy 11: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability U-011: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability October 14, 2011 - 12:30pm Addthis PROBLEM: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability PLATFORM: Version(s): VCS prior to 7.0 ABSTRACT: A

  16. Validating Cyber Security Requirements: A Case Study

    SciTech Connect (OSTI)

    Abercrombie, Robert K; Sheldon, Frederick T; Mili, Ali

    2011-01-01

    Vulnerabilities in a system may have widely varying impacts on system security. In practice, security should not be defined as the absence of vulnerabilities. In practice, security should not be quantified by the number of vulnerabilities. Security should be managed by pursuing a policy that leads us first to the highest impact vulnerabilities. In light of these observations, we argue in favor of shifting our focus from vulnerability avoidance/removal to measurable security attributes. To this effect, we recommend a logic be used for system security, which captures/represents security properties in quantifiable, verifiable, measurable terms so that it is possible to reason about security in terms of its observable/perceptible effects rather than its hypothesized causes. This approach is orthogonal to existing techniques for vulnerability avoidance, removal, detection, and recovery, in the sense that it provides a means to assess, quantify, and combine these techniques.

  17. Study of Security Attributes of Smart Grid Systems- Current Cyber Security Issues

    SciTech Connect (OSTI)

    Wayne F. Boyer; Scott A. McBride

    2009-04-01

    This document provides information for a report to congress on Smart Grid security as required by Section 1309 of Title XIII of the Energy Independence and Security Act of 2007. The security of any future Smart Grid is dependent on successfully addressing the cyber security issues associated with the nation’s current power grid. Smart Grid will utilize numerous legacy systems and technologies that are currently installed. Therefore, known vulnerabilities in these legacy systems must be remediated and associated risks mitigated in order to increase the security and success of the Smart Grid. The implementation of Smart Grid will include the deployment of many new technologies and multiple communication infrastructures. This report describes the main technologies that support Smart Grid and summarizes the status of implementation into the existing U.S. electrical infrastructure.

  18. V-135: Cisco ASA Multiple Bugs Let Remote Users Deny Service | Department

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    of Energy 5: Cisco ASA Multiple Bugs Let Remote Users Deny Service V-135: Cisco ASA Multiple Bugs Let Remote Users Deny Service April 16, 2013 - 12:21am Addthis PROBLEM: Cisco ASA Multiple Bugs Let Remote Users Deny Service PLATFORM: Cisco ASA Software for Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, and Cisco ASA 1000V Cloud Firewall are affected by multiple vulnerabilities. Affected

  19. Apparatus and method supporting wireless access to multiple security layers in an industrial control and automation system or other system

    DOE Patents [OSTI]

    Chen, Yu-Gene T.

    2013-04-16

    A method includes receiving a message at a first wireless node. The first wireless node is associated with a first wired network, and the first wired network is associated with a first security layer. The method also includes transmitting the message over the first wired network when at least one destination of the message is located in the first security layer. The method further includes wirelessly transmitting the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer. The second wireless node is associated with a second wired network, and the second wired network is associated with the second security layer. The first and second security layers may be associated with different security paradigms and/or different security domains. Also, the message could be associated with destinations in the first and second security layers.

  20. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    ExcEptional sErvicE in thE national intErEst Investigating Containment Integrity Sandia is a nationally and internationally recognized leader in Nuclear Reactor containment research, supporting operations, lifetime extensions, and security and vulnerability assessments over a broad range of phenomena. Sandia's expertise includes evaluation of containment when subjected to high velocity impacts, enormous pressures and stresses, and attacks by saboteurs. Sandia's resources enable the completion of

  1. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    to enhance the nation's security and prosperity through sustainable, transformative approaches to our most challenging energy, climate, and infrastructure problems. vision Important applications of these capabilities include performing assessment of facility vulnerabilities and resultant consequences of a range of attack scenarios related to nuclear facilities after 9/11. these comprehensive analyses were able to realistically represent the actual attack, the response of the facility to the

  2. V-125: Cisco Connected Grid Network Management System Multiple...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    5: Cisco Connected Grid Network Management System Multiple Vulnerabilities V-125: Cisco Connected Grid Network Management System Multiple Vulnerabilities April 3, 2013 - 1:44am...

  3. V-152: Cisco Unified Customer Voice Portal (CVP) Multiple Vulnerabilit...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    2: Cisco Unified Customer Voice Portal (CVP) Multiple Vulnerabilities V-152: Cisco Unified Customer Voice Portal (CVP) Multiple Vulnerabilities May 9, 2013 - 6:00am Addthis...

  4. V-145: IBM Tivoli Federated Identity Manager Products Java Multiple...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-145: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities April ... Addthis Related Articles V-178: IBM Data Studio Web Console Java Multiple Vulnerabilities ...

  5. V-132: IBM Tivoli System Automation Application Manager Multiple...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-132: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities April 12, ... T-694: IBM Tivoli Federated Identity Manager Products Multiple Vulnerabilities V-145: IBM ...

  6. V-205: IBM Tivoli System Automation for Multiplatforms Java Multiple...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Automation Application Manager Multiple Vulnerabilities V-145: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities V-122: IBM Tivoli Application...

  7. Indirection and computer security.

    SciTech Connect (OSTI)

    Berg, Michael J.

    2011-09-01

    The discipline of computer science is built on indirection. David Wheeler famously said, 'All problems in computer science can be solved by another layer of indirection. But that usually will create another problem'. We propose that every computer security vulnerability is yet another problem created by the indirections in system designs and that focusing on the indirections involved is a better way to design, evaluate, and compare security solutions. We are not proposing that indirection be avoided when solving problems, but that understanding the relationships between indirections and vulnerabilities is key to securing computer systems. Using this perspective, we analyze common vulnerabilities that plague our computer systems, consider the effectiveness of currently available security solutions, and propose several new security solutions.

  8. Microsoft Word - MitigationsForVulnerabilitiesInCSNetworks.doc

    Energy Savers [EERE]

    6 by ISA - The Instrumentation, Systems and Automation Society. Presented at 16th Annual Joint ISA POWID/EPRI Controls and Instrumentation Conference; http://www.isa.org Mitigations for Security Vulnerabilities Found in Control System Networks May Permann John Hammer Computer Security Researcher Computer Security Researcher Communications & Cyber Security Communications & Cyber Security Idaho National Laboratory Idaho National Laboratory Idaho Falls, ID 83415 Idaho Falls, ID 83415 Kathy

  9. T-532: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

    Broader source: Energy.gov [DOE]

    Microsoft is investigating new public reports of a vulnerability in the Windows Graphics Rendering Engine. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

  10. CIOs Uncensored: Security Smarts.

    SciTech Connect (OSTI)

    Johnson, Gerald R.

    2008-02-25

    This commentary for the CIOs Uncensored section of InformationWeek will discuss PNNLís ďdefense in depthĒ approach to cyber security. It will cover external and internal safeguards, as well as the all-important role of employees in the cyber security equation. For employees are your greatest vulnerability Ė and your last line of defense.

  11. NNSA: Securing Domestic Radioactive Material | National Nuclear...

    National Nuclear Security Administration (NNSA)

    2011 In April 2009, President Obama outlined an ambitious agenda to secure vulnerable nuclear material around the world within four years, calling the danger of a terrorist...

  12. Framework for SCADA Security Policy

    Energy Savers [EERE]

    Framework for SCADA Security Policy Dominique Kilman Jason Stamp dkilman@sandia.gov jestamp@sandia.gov Sandia National Laboratories Albuquerque, NM 87185-0785 Abstract - Modern automation systems used in infrastruc- ture (including Supervisory Control and Data Acquisition, or SCADA) have myriad security vulnerabilities. Many of these relate directly to inadequate security administration, which precludes truly effective and sustainable security. Adequate security management mandates a clear

  13. V-057: eXtplorer "ext_find_user()" Authentication Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been reported in eXtplorer, which can be exploited by malicious people to bypass certain security restrictions.

  14. T-636: Wireshark Multiple Flaws Let Remote Users Deny Service

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities were reported in Wireshark. A remote user can cause denial of service conditions.

  15. Cyber Assessment Methods for SCADA Security | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Assessment Methods for SCADA Security Cyber Assessment Methods for SCADA Security This paper describes vulnerability assessment methodologies used in ongoing research and assessment activities designed to identify and resolve vulnerabilities so as to improve the security of the nation's critical infrastructure. The terrorist attacks of September 11, 2001 brought to light threats and vulnerabilities that face the United States. In response, the U.S. Government is directing the effort to secure

  16. V-216: Drupal Monster Menus Module Security Bypass and Script Insertion

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerabilities | Department of Energy 6: Drupal Monster Menus Module Security Bypass and Script Insertion Vulnerabilities V-216: Drupal Monster Menus Module Security Bypass and Script Insertion Vulnerabilities August 12, 2013 - 6:00am Addthis PROBLEM: Two vulnerabilities have been reported in the Monster Menus module for Drupal PLATFORM: Drupal Monster Menus Module 6.x and 7.x ABSTRACT: The vulnerabilities can be exploited by malicious users to bypass certain security restrictions and

  17. V-028: Splunk Multiple Cross-Site Scripting and Denial of Service...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    28: Splunk Multiple Cross-Site Scripting and Denial of Service Vulnerabilities V-028: Splunk Multiple Cross-Site Scripting and Denial of Service Vulnerabilities November 20, 2012 -...

  18. V-230: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    0: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities V-230: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities August 29, ...

  19. David Telles wins NNSA Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    David Telles wins NNSA Security Professional of the Year award May 7, 2009 LOS ALAMOS, New Mexico, May 7, 2009 - David M. Telles, who leads Los Alamos National Laboratory's Vulnerability Analysis Office, received a 2008 National Nuclear Security Administration Security Professional of the Year award. NNSA administrator Tom D'Agostino said, "Our security professionals dedicate themselves to protecting some of the nation's most vital strategic assets, and in so doing, help advance broader

  20. T-657: Drupal Prepopulate- Multiple vulnerabilities

    Broader source: Energy.gov [DOE]

    The module does not adequately validate user input leading to an cross-site scripting (XSS) possibility in certain circumstances.

  1. V-214: Mozilla Firefox Multiple Vulnerabilities | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Firefox before 23.0 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors....

  2. U-100: Google Chrome Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    A remote user can create a specially crafted content that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

  3. President Obama Hosts Global Nuclear Security Summit | National Nuclear

    National Nuclear Security Administration (NNSA)

    Security Administration Hosts Global Nuclear Security Summit President Obama Hosts Global Nuclear Security Summit Washington, DC President Obama hosts a Global Nuclear Security Summit to facilitate discussion on the nature of the nuclear threat and develop steps that can be taken together to secure vulnerable materials, combat nuclear smuggling and deter, detect, and disrupt attempts at nuclear terrorism

  4. Facility Environmental Vulnerability Assessment

    SciTech Connect (OSTI)

    Van Hoesen, S.D.

    2001-07-09

    From mid-April through the end of June 2001, a Facility Environmental Vulnerability Assessment (FEVA) was performed at Oak Ridge National Laboratory (ORNL). The primary goal of this FEVA was to establish an environmental vulnerability baseline at ORNL that could be used to support the Laboratory planning process and place environmental vulnerabilities in perspective. The information developed during the FEVA was intended to provide the basis for management to initiate immediate, near-term, and long-term actions to respond to the identified vulnerabilities. It was expected that further evaluation of the vulnerabilities identified during the FEVA could be carried out to support a more quantitative characterization of the sources, evaluation of contaminant pathways, and definition of risks. The FEVA was modeled after the Battelle-supported response to the problems identified at the High Flux Beam Reactor at Brookhaven National Laboratory. This FEVA report satisfies Corrective Action 3A1 contained in the Corrective Action Plan in Response to Independent Review of the High Flux Isotope Reactor Tritium Leak at the Oak Ridge National Laboratory, submitted to the Department of Energy (DOE) ORNL Site Office Manager on April 16, 2001. This assessment successfully achieved its primary goal as defined by Laboratory management. The assessment team was able to develop information about sources and pathway analyses although the following factors impacted the team's ability to provide additional quantitative information: the complexity and scope of the facilities, infrastructure, and programs; the significantly degraded physical condition of the facilities and infrastructure; the large number of known environmental vulnerabilities; the scope of legacy contamination issues [not currently addressed in the Environmental Management (EM) Program]; the lack of facility process and environmental pathway analysis performed by the accountable line management or facility owner; and poor facility and infrastructure drawings. The assessment team believes that the information, experience, and insight gained through FEVA will help in the planning and prioritization of ongoing efforts to resolve environmental vulnerabilities at UT-Battelle--managed ORNL facilities.

  5. T-614: Cisco Unified Communications Manager Database Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    T-614: Cisco Unified Communications Manager Database Security Vulnerability May 3, 2011 - ... Configuration and Execute Arbitrary Code T-622: Adobe Acrobat and Reader Unspecified ...

  6. Center for Control System Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Control System Security Critical Infrastructure is at Risk As America's infrastructures have become more complex and interconnected, their operation and control has become more complicated as well. Automated control systems have been widely deployed to operate these infrastructures, and coupled with the networks they use to transfer data are a security vulnerability for the infrastructures they control. The Center for Control System Security at Sandia National Laboratories works with several

  7. U-011: Cisco Security Response: Cisco TelePresence Video Communication

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Server Cross-Site Scripting Vulnerability | Department of Energy 11: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability U-011: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability October 14, 2011 - 12:30pm Addthis PROBLEM: Cisco Security Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability PLATFORM: Version(s): VCS prior to 7.0 ABSTRACT: A

  8. Vulnerability Assessment for Cascading Failures in Electric Power Systems

    SciTech Connect (OSTI)

    Baldick, R.; Chowdhury, Badrul; Dobson, Ian; Dong, Zhao Yang; Gou, Bei; Hawkins, David L.; Huang, Zhenyu; Joung, Manho; Kim, Janghoon; Kirschen, Daniel; Lee, Stephen; Li, Fangxing; Li, Juan; Li, Zuyi; Liu, Chen-Ching; Luo, Xiaochuan; Mili, Lamine; Miller, Stephen; Nakayama, Marvin; Papic, Milorad; Podmore, Robin; Rossmaier, John; Schneider, Kevin P.; Sun, Hongbin; Sun, Kai; Wang, David; Wu, Zhigang; Yao, Liangzhong; Zhang, Pei; Zhang, Wenjie; Zhang, Xiaoping

    2008-09-10

    Cascading failures present severe threats to power grid security, and thus vulnerability assessment of power grids is of significant importance. Focusing on analytic methods, this paper reviews the state of the art of vulnerability assessment methods in the context of cascading failures in three categories: steady-state modeling based analysis; dynamic modeling analysis; and non-traditional modeling approaches. The impact of emerging technologies including phasor technology, high-performance computing techniques, and visualization techniques on the vulnerability assessment of cascading failures is then addressed, and future research directions are presented.

  9. Plutonium Vulnerability Management Plan

    SciTech Connect (OSTI)

    1995-03-01

    This Plutonium Vulnerability Management Plan describes the Department of Energy`s response to the vulnerabilities identified in the Plutonium Working Group Report which are a result of the cessation of nuclear weapons production. The responses contained in this document are only part of an overall, coordinated approach designed to enable the Department to accelerate conversion of all nuclear materials, including plutonium, to forms suitable for safe, interim storage. The overall actions being taken are discussed in detail in the Department`s Implementation Plan in response to the Defense Nuclear Facilities Safety Board (DNFSB) Recommendation 94-1. This is included as Attachment B.

  10. T-645: Microsoft Security Bulletin Advance Notification

    Broader source: Energy.gov [DOE]

    Microsoft provides the Microsoft Security Bulletin Advance Notification Service. This advance notification is intended to help our customers plan for effective deployment of security updates, and includes information about the number of new security updates being released, the software affected, severity levels of vulnerabilities, and information about any detection tools relevant to the updates.

  11. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    the computational, physics, and engineering capability spans multiple physics phenomenologies, engineering disciplines, and brings to bear massively parallel processing computational power to solve very complex problems that result in realistic estimates of potential consequences resulting from these types of postulated accidents. the Sar that is developed must go through rigorous external review before it goes to the national Security Council for approval prior to launch. this process provides

  12. U-196: Cisco AnyConnect VPN Client Two Vulnerabilities | Department of

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Energy 96: Cisco AnyConnect VPN Client Two Vulnerabilities U-196: Cisco AnyConnect VPN Client Two Vulnerabilities June 21, 2012 - 7:00am Addthis PROBLEM: Two vulnerabilities have been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious people to compromise a user's system. PLATFORM: Cisco AnyConnect VPN Client 2.x Cisco AnyConnect VPN Client 3.x ABSTRACT: The Cisco AnyConnect Secure Mobility Client is affected by the following vulnerabilities: Cisco AnyConnect Secure

  13. Framework for SCADA Security Policy (October 2005) | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Framework for SCADA Security Policy (October 2005) Framework for SCADA Security Policy (October 2005) Modern automation systems used in infrastruc-ture (including Supervisory Control and Data Acquisition, or SCADA) have myriad security vulnerabilities. Many of these relate directly to inadequate security administration, which precludes truly effective and sustainable security. Adequate security management mandates a clear administrative struc-ture and enforcement hierarchy. The security policy

  14. T-668: Vulnerability in a BlackBerry Enterprise Server component could allow information disclosure and partial denial of service

    Broader source: Energy.gov [DOE]

    This advisory describes a security issue in the BlackBerry Administration API component. Successful exploitation of the vulnerability could result in information disclosure and partial denial of service (DoS). The BlackBerry Administration API is a BlackBerry Enterprise Server component that is installed on the server that hosts the BlackBerry Administration Service. The BlackBerry Administration API contains multiple web services that receive API requests from client applications. The BlackBerry Administration API then translates requests into a format that the BlackBerry Administration Service can process.

  15. U-101: Mozilla Firefox / Thunderbird / SeaMonkey XBL Binding Use-After-Free Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been reported in multiple Mozilla products, which can be exploited by malicious people to compromise a user's system.

  16. safety and security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    safety and security

  17. Departmental Personnel Security- Clearance Automation

    Broader source: Energy.gov [DOE]

    The primary objective of the DOE Integrated Security System (eDISS+) Initiative is to support the integration of multiple DOE security systems and databases. This integrated environment provides...

  18. Cyber Security Testing and Training Programs for Industrial Control Systems

    SciTech Connect (OSTI)

    Daniel Noyes

    2012-03-01

    Service providers rely on industrial control systems (ICS) to manage the flow of water at dams, open breakers on power grids, control ventilation and cooling in nuclear power plants, and more. In today's interconnected environment, this can present a serious cyber security challenge. To combat this growing challenge, government, private industry, and academia are working together to reduce cyber risks. The Idaho National Laboratory (INL) is a key contributor to the Department of Energy National SCADA Test Bed (NSTB) and the Department of Homeland Security (DHS) Control Systems Security Program (CSSP), both of which focus on improving the overall security posture of ICS in the national critical infrastructure. In support of the NSTB, INL hosts a dedicated SCADA testing facility which consists of multiple control systems supplied by leading national and international manufacturers. Within the test bed, INL researchers systematically examine control system components and work to identify vulnerabilities. In support of the CSSP, INL develops and conducts training courses which are designed to increase awareness and defensive capabilities for IT/Control System professionals. These trainings vary from web-based cyber security trainings for control systems engineers to more advanced hands-on training that culminates with a Red Team/ Blue Team exercise that is conducted within an actual control systems environment. INL also provides staffing and operational support to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Security Operations Center which responds to and analyzes control systems cyber incidents across the 18 US critical infrastructure sectors.

  19. Security Policy

    Broader source: Energy.gov [DOE]

    The Office of Security Policy analyzes, develops and interprets safeguards and security policy governing national security functions and the protection of related critical assets entrusted to the...

  20. Computer Security Risk Assessment

    Energy Science and Technology Software Center (OSTI)

    1992-02-11

    LAVA/CS (LAVA for Computer Security) is an application of the Los Alamos Vulnerability Assessment (LAVA) methodology specific to computer and information security. The software serves as a generic tool for identifying vulnerabilities in computer and information security safeguards systems. Although it does not perform a full risk assessment, the results from its analysis may provide valuable insights into security problems. LAVA/CS assumes that the system is exposed to both natural and environmental hazards and tomore¬†¬Ľ deliberate malevolent actions by either insiders or outsiders. The user in the process of answering the LAVA/CS questionnaire identifies missing safeguards in 34 areas ranging from password management to personnel security and internal audit practices. Specific safeguards protecting a generic set of assets (or targets) from a generic set of threats (or adversaries) are considered. There are four generic assets: the facility, the organization''s environment; the hardware, all computer-related hardware; the software, the information in machine-readable form stored both on-line or on transportable media; and the documents and displays, the information in human-readable form stored as hard-copy materials (manuals, reports, listings in full-size or microform), film, and screen displays. Two generic threats are considered: natural and environmental hazards, storms, fires, power abnormalities, water and accidental maintenance damage; and on-site human threats, both intentional and accidental acts attributable to a perpetrator on the facility''s premises.¬ę¬†less

  1. Security Specialist

    Broader source: Energy.gov [DOE]

    This position is located in the Office of Security Policy, Office of Security, Office of the Associate Under Secretary for Environment, Health, Safety, and Security (AU). The Office of Security...

  2. System and method for secure group transactions

    DOE Patents [OSTI]

    Goldsmith, Steven Y.

    2006-04-25

    A method and a secure system, processing on one or more computers, provides a way to control a group transaction. The invention uses group consensus access control and multiple distributed secure agents in a network environment. Each secure agent can organize with the other secure agents to form a secure distributed agent collective.

  3. Lessons Learned from Cyber Security Assessments of SCADA and Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Management Systems | Department of Energy Lessons Learned from Cyber Security Assessments of SCADA and Energy Management Systems Lessons Learned from Cyber Security Assessments of SCADA and Energy Management Systems Results from ten cyber security vulnerability assessments of process control, SCADA, and energy management systems were reviewed to identify common problem areas. In each vulnerability category, relative measures were assigned to the severity. PDF icon Lessons Learned from Cyber

  4. LESSONS LEARNED FROM CYBER SECURITY ASSESSMENTS OF SCADA AND ENERGY MANAGEMENT SYSTEMS

    SciTech Connect (OSTI)

    Ray Fink

    2006-10-01

    The results from ten cyber security vulnerability assessments of process control, SCADA and energy management systems, or components of those systems were reviewed to identify common problem areas. The common vulnerabilities ranged from conventional IT security issues to specific weaknesses in control system protocols. In each vulnerability category, relative measures were assigned to the severity of the vulnerability and ease with which an attacker could exploit the vulnerability. Suggested mitigations are identified in each category. Recommended mitigations having the highest impact on reducing vulnerability are listed for asset owners and system vendors.

  5. V-057: eXtplorer "ext_find_user()" Authentication Bypass Vulnerability |

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Department of Energy 57: eXtplorer "ext_find_user()" Authentication Bypass Vulnerability V-057: eXtplorer "ext_find_user()" Authentication Bypass Vulnerability December 28, 2012 - 6:00am Addthis December 28 2012 - 6:00am PROBLEM: eXtplorer "ext_find_user()" Authentication Bypass Vulnerability PLATFORM: eXtplorer 2.x ABSTRACT: A vulnerability has been reported in eXtplorer, which can be exploited by malicious people to bypass certain security restrictions.

  6. V-236: MediaWiki CentralAuth Extension Authentication Bypass Vulnerability

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy 6: MediaWiki CentralAuth Extension Authentication Bypass Vulnerability V-236: MediaWiki CentralAuth Extension Authentication Bypass Vulnerability September 6, 2013 - 4:36am Addthis PROBLEM: A vulnerability has been reported in the CentralAuth extension for MediaWiki, which can be exploited by malicious people to bypass certain security restrictions. PLATFORM: MediaWiki CentralAuth Extension ABSTRACT: A vulnerability has been reported in the CentralAuth extension for

  7. U-011: Cisco Security Response: Cisco TelePresence Video Communication...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Response: Cisco TelePresence Video Communication Server Cross-Site Scripting Vulnerability U-011: Cisco Security Response: Cisco TelePresence Video Communication Server ...

  8. INL Cyber Security Research (2008) | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    INL Cyber Security Research (2008) INL Cyber Security Research (2008) Cybersecurity research at INL will help protect critical infrastructure control system computers against worms and other viruses. PDF icon INL Cyber Security Research (2008) More Documents & Publications Mitigations for Security Vulnerabilities Found in Control System Networks The NIAC Convergence of Physical and Cyber Technbologies and Related Security Management Challenges Working Group Final Report and Recommendations

  9. V-230: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerabilities | Department of Energy 0: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities V-230: IBM TRIRIGA Application Platform Multiple Cross-Site Scripting Vulnerabilities August 29, 2013 - 4:10am Addthis PROBLEM: Multiple vulnerabilities have been reported in IBM TRIRIGA Application Platform, which can be exploited by malicious people to conduct cross-site scripting attacks. PLATFORM: IBM TRIRIGA Application Platform 2.x ABSTRACT: The vulnerabilities are

  10. Sandia National Laboratories: National Security Missions: International

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Homeland and Nuclear Security: Cyber and Infrastructure Security Cyber and Infrastructure Security Cyber Infrastructure Image We assess physical and cyber vulnerabilities under a common risk-management framework. We conduct large-scale analyses to understand infrastructure interdependencies and guide efforts to improve resiliency. We develop technologies for preventing disruption and enhancing recovery in vital cyber systems. We are committed to working with U.S. government agencies to

  11. Security Officer

    Broader source: Energy.gov [DOE]

    This position is located in the Security and Continuity of Operations (NN) organization of the Chief Administrative Office (N), Bonneville Power Administration. The Security and Continuity of...

  12. National Security and Cyber Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    National Security and Cyber Security National Security and Cyber Security National security depends on science and technology. The United States relies on Los Alamos National Laboratory for the best of both. No place on Earth pursues a broader array of world-class scientific endeavors. Contact thumbnail of Business Development Business Development Richard P. Feynman Center for Innovation (505) 665-9090 Email National security and weapons science at the laboratory spans essentially all the

  13. Regional Climate Vulnerabilities and Resilience Solutions | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Regional Climate Vulnerabilities and Resilience Solutions Regional Climate Vulnerabilities and Resilience Solutions This interactive map is not viewable in your browser. Please ...

  14. Assessing Climate Change Impacts, Vulnerability and Adaptation...

    Open Energy Info (EERE)

    Climate Change Impacts, Vulnerability and Adaptation: The Case of Pantabangan-Carranglan Watershed Jump to: navigation, search Name Assessing Climate Change Impacts, Vulnerability...

  15. Method and tool for network vulnerability analysis

    DOE Patents [OSTI]

    Swiler, Laura Painton; Phillips, Cynthia A.

    2006-03-14

    A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in "attacker profiles"). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding "epsilon optimal paths."

  16. MODELING UNDERGROUND STRUCTURE VULNERABILITY IN JOINTED ROCK

    SciTech Connect (OSTI)

    R. SWIFT; D. STEEDMAN

    2001-02-01

    The vulnerability of underground structures and openings in deep jointed rock to ground shock attack is of chief concern to military planning and security. Damage and/or loss of stability to a structure in jointed rock, often manifested as brittle failure and accompanied with block movement, can depend significantly on jointed properties, such as spacing, orientation, strength, and block character. We apply a hybrid Discrete Element Method combined with the Smooth Particle Hydrodynamics approach to simulate the MIGHTY NORTH event, a definitive high-explosive test performed on an aluminum lined cylindrical opening in jointed Salem limestone. Representing limestone with discrete elements having elastic-equivalence and explicit brittle tensile behavior and the liner as an elastic-plastic continuum provides good agreement with the experiment and damage obtained with finite-element simulations. Extending the approach to parameter variations shows damage is substantially altered by differences in joint geometry and liner properties.

  17. GTRI: Removing Vulnerable Civilian Nuclear and Radiological Material |

    National Nuclear Security Administration (NNSA)

    National Nuclear Security Administration GTRI: Removing Vulnerable Civilian Nuclear and Radiological Material May 29, 2014 GTRI's Remove Program works around the world to remove excess nuclear and radiological materials that could be used for a nuclear weapon or radiological dispersal device (RDD), or "dirty bomb". Mission In 2004 NNSA established the Global Threat Reduction Initiative (GTRI) in the Office of Defense Nuclear Nonproliferation to, as quickly as possible, identify,

  18. V-069: BlackBerry Tablet OS Adobe Flash Player and Samba Multiple...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    9: BlackBerry Tablet OS Adobe Flash Player and Samba Multiple Vulnerabilities V-069: BlackBerry Tablet OS Adobe Flash Player and Samba Multiple Vulnerabilities January 15, 2013 -...

  19. Cyber Security Audit and Attack Detection Toolkit: National SCADA Test Bed

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    May 2008 | Department of Energy Audit and Attack Detection Toolkit: National SCADA Test Bed May 2008 Cyber Security Audit and Attack Detection Toolkit: National SCADA Test Bed May 2008 This project of the cyber security audit and attack detection toolkit is adding control system intelligence to widely deployed enterprise vulnerability scanners and security event managers While many energy utilities employ vulnerability scanners and security event managers (SEM) on their enterprise systems,

  20. U-117: Potential security vulnerability has been identified with...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Senders ABSTRACT: Remote attackers could execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update. reference LINKS: Vendor Advisory...

  1. Safety, Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Safety, Security Safety, Security The Lab's mission is to develop and apply science and technology to ensure the safety, security, and reliability of the U.S. nuclear deterrent; reduce global threats; and solve other emerging national security and energy challenges. Contact Operator Los Alamos National Laboratory (505) 667-5061 We do not compromise safety for personal, programmatic, or operational reasons. Safety: we integrate safety, security, and environmental concerns into every step of our

  2. Securing Infrastructure from High Explosive Threats

    SciTech Connect (OSTI)

    Glascoe, L; Noble, C; Reynolds, J; Kuhl, A; Morris, J

    2009-03-20

    Lawrence Livermore National Laboratory (LLNL) is working with the Department of Homeland Security's Science and Technology Directorate, the Transportation Security Administration, and several infrastructure partners to characterize and help mitigate principal structural vulnerabilities to explosive threats. Given the importance of infrastructure to the nation's security and economy, there is a clear need for applied research and analyses (1) to improve understanding of the vulnerabilities of these systems to explosive threats and (2) to provide decision makers with time-critical technical assistance concerning countermeasure and mitigation options. Fully-coupled high performance calculations of structural response to ideal and non-ideal explosives help bound and quantify specific critical vulnerabilities, and help identify possible corrective schemes. Experimental validation of modeling approaches and methodologies builds confidence in the prediction, while advanced stochastic techniques allow for optimal use of scarce computational resources to efficiently provide infrastructure owners and decision makers with timely analyses.

  3. V-033: ownCloud Cross-Site Scripting and File Upload Vulnerabilities |

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Department of Energy 3: ownCloud Cross-Site Scripting and File Upload Vulnerabilities V-033: ownCloud Cross-Site Scripting and File Upload Vulnerabilities November 26, 2012 - 2:00am Addthis PROBLEM: ownCloud Cross-Site Scripting and File Upload Vulnerabilities PLATFORM: ownCloud 4.5.2, 4.5.1, 4.0.9 ABSTRACT: Multiple vulnerabilities have been reported in ownCloud REFERENCE LINKS: ownCloud Server Advisories Secunia Advisory SA51357 IMPACT ASSESSMENT: Medium DISCUSSION: 1) Input passed via the

  4. Secure key storage and distribution

    DOE Patents [OSTI]

    Agrawal, Punit

    2015-06-02

    This disclosure describes a distributed, fault-tolerant security system that enables the secure storage and distribution of private keys. In one implementation, the security system includes a plurality of computing resources that independently store private keys provided by publishers and encrypted using a single security system public key. To protect against malicious activity, the security system private key necessary to decrypt the publication private keys is not stored at any of the computing resources. Rather portions, or shares of the security system private key are stored at each of the computing resources within the security system and multiple security systems must communicate and share partial decryptions in order to decrypt the stored private key.

  5. V-043: Perl Locale::Maketext Module '_compile()' Multiple Code Injection

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerabilities | Department of Energy 3: Perl Locale::Maketext Module '_compile()' Multiple Code Injection Vulnerabilities V-043: Perl Locale::Maketext Module '_compile()' Multiple Code Injection Vulnerabilities December 10, 2012 - 1:00am Addthis PROBLEM: Perl Locale::Maketext Module Two Code Injection Vulnerabilities PLATFORM: Locale::Maketext 1.23 is affected; other versions also may be affected. ABSTRACT: Two vulnerabilities have been reported in Locale::Maketext module for Perl

  6. U-106: Citrix XenServer Multiple Flaws in Web Self Service Have Unspecified Impact

    Broader source: Energy.gov [DOE]

    A number of security vulnerabilities have been identified in the management web interface of Citrix XenServer Web Self Service.

  7. Water Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    SunShot Grand Challenge: Regional Test Centers Water Security HomeTag:Water Security Electricity use by water service sector and county. Shown are electricity use by (a) ...

  8. Cyber Assessment Methods for SCADA Security

    SciTech Connect (OSTI)

    Not Available

    2005-06-01

    The terrorist attacks of September 11, 2001 brought to light threats and vulnerabilities that face the United States. In response, the U.S. Government is directing the effort to secure the nation's critical infrastructure by creating programs to implement the National Strategy to Secure Cyberspace (1). One part of this effort involves assessing Supervisory Control and Data Acquisition (SCADA) systems. These systems are essential to the control of critical elements of our national infrastructure, such as electric power, oil, and gas production and distribution. Since their incapacitation or destruction would have a debilitating impact on the defense or economic security of the United States, one of the main objectives of this program is to identify vulnerabilities and encourage the public and private sectors to work together to design secure control systems that resolve these weaknesses. This paper describes vulnerability assessment methodologies used in ongoing research and assessment activities designed to identify and resolve vulnerabilities so as to improve the security of the nation's critical infrastructure.

  9. Cyber Assessment Methods For SCADA Security

    SciTech Connect (OSTI)

    May Robin Permann; Kenneth Rohde

    2005-06-01

    The terrorist attacks of September 11, 2001 brought to light threats and vulnerabilities that face the United States. In response, the U.S. Government is directing the effort to secure the nation's critical infrastructure by creating programs to implement the National Strategy to Secure Cyberspace (1). One part of this effort involves assessing Supervisory Control and Data Acquisition (SCADA) systems. These systems are essential to the control of critical elements of our national infrastructure, such as electric power, oil, and gas production and distribution. Since their incapacitation or destruction would have a debilitating impact on the defense or economic security of the United States, one of the main objectives of this program is to identify vulnerabilities and encourage the public and private sectors to work together to design secure control systems that resolve these weaknesses. This paper describes vulnerability assessment methodologies used in ongoing research and assessment activities designed to identify and resolve vulnerabilities so as to improve the security of the nation's critical infrastructure.

  10. National Security Facility (NSF) | Argonne National Laboratory

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    National Security Facility (NSF) National Security Facility (NSF) Argonne National Laboratory's National Security Facility (NSF) is a flexible, state-of-the-art secure user facility that contains multiple national security networks, video teleconference capability, high-resolution graphics support, a fully powered and cooled data center, multi-level training facilities, and conferencing facilities. The NSF provides tools and resources to enable and strengthen connections between government

  11. Cyber-Based Vulnerability Assessments

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering ...

  12. Microgrid cyber security reference architecture.

    SciTech Connect (OSTI)

    Veitch, Cynthia K.; Henry, Jordan M.; Richardson, Bryan T.; Hart, Derek H.

    2013-07-01

    This document describes a microgrid cyber security reference architecture. First, we present a high-level concept of operations for a microgrid, including operational modes, necessary power actors, and the communication protocols typically employed. We then describe our motivation for designing a secure microgrid; in particular, we provide general network and industrial control system (ICS)-speci c vulnerabilities, a threat model, information assurance compliance concerns, and design criteria for a microgrid control system network. Our design approach addresses these concerns by segmenting the microgrid control system network into enclaves, grouping enclaves into functional domains, and describing actor communication using data exchange attributes. We describe cyber actors that can help mitigate potential vulnerabilities, in addition to performance bene ts and vulnerability mitigation that may be realized using this reference architecture. To illustrate our design approach, we present a notional a microgrid control system network implementation, including types of communica- tion occurring on that network, example data exchange attributes for actors in the network, an example of how the network can be segmented to create enclaves and functional domains, and how cyber actors can be used to enforce network segmentation and provide the neces- sary level of security. Finally, we describe areas of focus for the further development of the reference architecture.

  13. T-570: HP Security Bulletin- HP-UX Running OpenSSL, Remote Execution of Arbitrary Code, Denial of Service (DoS), Authentication Bypass

    Broader source: Energy.gov [DOE]

    A potential security vulnerability has been identified with HP-UX OpenSSL. This vulnerability could be exploited remotely to execute arbitrary code or create a Denial of Service (DoS) or an authentication bypass.

  14. Cyber Security Requirements for Risk Management

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2004-02-19

    The Notice ensures that system owners consistently assess the threats to and vulnerabilities of systems in order to implement adequate security controls. The Notice will also ensure compliance with the requirements of DOE O 205.1, Department of Energy Cyber Security Management Program, dated 3-21-03, and protect DOE information and information systems from unauthorized access, use, disclosure, modification, or destruction. DOE N 205.15, dated 3/18/05, extends this directive until 3/18/06.

  15. U-277: Google Chrome Multiple Flaws Let Remote Users Execute...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Addthis PROBLEM: Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code PLATFORM: Version(s): prior to 22.0.1229.92 ABSTRACT: Several vulnerabilities were...

  16. V-043: Perl Locale::Maketext Module '_compile()' Multiple Code...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    V-043: Perl Locale::Maketext Module 'compile()' Multiple Code Injection Vulnerabilities ... Arbitrary Code and View Arbitrary Files V-002: EMC NetWorker Module for Microsoft ...

  17. Radiological Security Partnership | National Nuclear Security

    National Nuclear Security Administration (NNSA)

    Administration Programs / Nonproliferation / Global Material Security / Radiological Security Radiological Security Partnership Radiological Security Partnership Secure Your Business, Your Community, and Your Country. Sign Up Today for Services Provided by the Radiological Security Partnership. RSP Logo Initiative of the Global Material Security Program Formerly the Global Threat Reduction Initiative RSP Registration RSP More Info Learn More Radiological Secur

  18. V-087: Adobe Flash Player Two Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities are reported as 0-day which can be exploited by malicious people to compromise a user's system.

  19. Global security

    SciTech Connect (OSTI)

    Lynch, Patrick

    2014-07-14

    Patrick Lynch helps technical staff, academic leaders and governments around the world improve the safety and security of their nuclear power programs.

  20. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering ...

  1. Global security

    ScienceCinema (OSTI)

    Lynch, Patrick

    2014-07-15

    Patrick Lynch helps technical staff, academic leaders and governments around the world improve the safety and security of their nuclear power programs.

  2. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    From a Department of Defense (DoD) perspective, SMrs offer great advantage for energy security with stable fuel cost profiles, a secure installation for meeting base-load power demands with a robust, secured reactor design (i.e., energy security), potential to provide potable water and synthetic fuels, and a means to exceed DoD greenhouse gases (GhG) reduction goals. While presently SMrs are being proposed based on various reactor technologies, SMrs based on light-water reactor (lWr)

  3. physical security

    National Nuclear Security Administration (NNSA)

    5%2A en Physical Security Systems http:nnsa.energy.govaboutusourprogramsnuclearsecurityphysicalsecuritysystems

  4. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    and Small Modular reactors projects. the collaboration takes place under the umbrella of a joint oUSnl "Center for Energy, Security and Society". the Center serves to...

  5. V-130: Microsoft Security Bulletin Advance Notification for April 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for April 2013. Microsoft has posted 2 Critical Bulletins and 7 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on April 10, 2013, at 11:00 AM Pacific Time (US & Canada).

  6. U-057: Microsoft Security Bulletin Advance Notification for December 2011

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for December 2011. Microsoft has posted 3 Critical Bulletins and 11 Important bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow propagation of Internet worm without user action. Microsoft will host a webcast to address customer questions on the security bulletins on December 14, 2011, at 11:00 AM Pacific Time (US & Canada).

  7. V-154: Microsoft Security Bulletin Advance Notification for May 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for May 2013. Microsoft has posted 2 Critical Bulletins and 8 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on May 15, 2013, at 11:00 AM Pacific Time (US & Canada).

  8. V-064: Microsoft Security Bulletin Advance Notification for January 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for January 2013 . Microsoft has posted 2 Critical Bulletins and 5 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on January 9, 2013, at 11:00 AM Pacific Time (US & Canada).

  9. V-108: Microsoft Security Bulletin Advance Notification for March 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for March 2013. Microsoft has posted 4 Critical Bulletins and 3 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on March 13, 2013, at 11:00 AM Pacific Time (US & Canada).

  10. V-175: Microsoft Security Bulletin Advance Notification for June 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for June 2013. Microsoft has posted 1 Critical Bulletin and 4 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" June allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on June 12, 2013, at 11:00 AM Pacific Time (US & Canada).

  11. V-196: Microsoft Security Bulletin Advance Notification for July 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for July 2013. Microsoft has posted 6 Critical Bulletin and 1 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" July allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on July 10, 2013, at 11:00 AM Pacific Time (US & Canada).

  12. V-042: Microsoft Security Bulletin Advance Notification for December 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for December 2012. Microsoft has posted 5 Critical Bulletins and 2 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on December 12, 2012, at 11:00 AM Pacific Time (US & Canada).

  13. V-088: Microsoft Security Bulletin Advance Notification for February 2013

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for February 2013. Microsoft has posted 5 Critical Bulletins and 7 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft will host a webcast to address customer questions on the security bulletins on February 13, 2013, at 11:00 AM Pacific Time (US & Canada).

  14. V-023: Microsoft Security Bulletin Advance Notification for November 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for November 2012. Microsoft has posted 4 Critical Bulletins and 1 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code.Microsoft will host a webcast to address customer questions on the security bulletins on November 14, 2012, at 11:00 AM Pacific Time (US & Canada).

  15. Vulnerability of critical infrastructures : identifying critical nodes.

    SciTech Connect (OSTI)

    Cox, Roger Gary; Robinson, David Gerald

    2004-06-01

    The objective of this research was the development of tools and techniques for the identification of critical nodes within critical infrastructures. These are nodes that, if disrupted through natural events or terrorist action, would cause the most widespread, immediate damage. This research focuses on one particular element of the national infrastructure: the bulk power system. Through the identification of critical elements and the quantification of the consequences of their failure, site-specific vulnerability analyses can be focused at those locations where additional security measures could be effectively implemented. In particular, with appropriate sizing and placement within the grid, distributed generation in the form of regional power parks may reduce or even prevent the impact of widespread network power outages. Even without additional security measures, increased awareness of sensitive power grid locations can provide a basis for more effective national, state and local emergency planning. A number of methods for identifying critical nodes were investigated: small-world (or network theory), polyhedral dynamics, and an artificial intelligence-based search method - particle swarm optimization. PSO was found to be the only viable approach and was applied to a variety of industry accepted test networks to validate the ability of the approach to identify sets of critical nodes. The approach was coded in a software package called Buzzard and integrated with a traditional power flow code. A number of industry accepted test networks were employed to validate the approach. The techniques (and software) are not unique to power grid network, but could be applied to a variety of complex, interacting infrastructures.

  16. Temperature-based Instanton Analysis: Identifying Vulnerability in Transmission Networks

    SciTech Connect (OSTI)

    Kersulis, Jonas; Hiskens, Ian; Chertkov, Michael; Backhaus, Scott N.; Bienstock, Daniel

    2015-04-08

    A time-coupled instanton method for characterizing transmission network vulnerability to wind generation fluctuation is presented. To extend prior instanton work to multiple-time-step analysis, line constraints are specified in terms of temperature rather than current. An optimization formulation is developed to express the minimum wind forecast deviation such that at least one line is driven to its thermal limit. Results are shown for an IEEE RTS-96 system with several wind-farms.

  17. An Overview of High-performance Parallel Big Data transfers over multiple network channels with Transport Layer Security (TLS) and TLS plus Perfect Forward Secrecy (PFS)

    SciTech Connect (OSTI)

    Fang, Chin; Corttrell, R. A.

    2015-05-06

    This Technical Note provides an overview of high-performance parallel Big Data transfers with and without encryption for data in-transit over multiple network channels. It shows that with the parallel approach, it is feasible to carry out high-performance parallel "encrypted" Big Data transfers without serious impact to throughput. But other impacts, e.g. the energy-consumption part should be investigated. It also explains our rationales of using a statistics-based approach for gaining understanding from test results and for improving the system. The presentation is of high-level nature. Nevertheless, at the end we will pose some questions and identify potentially fruitful directions for future work.

  18. security | National Nuclear Security Administration

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    security Apex Gold discussion fosters international cooperation in run-up to 2016 Nuclear Security Summit Participants in Apex Gold at Lawrence Livermore National Laboratory. What would national leaders do in the face of a transnational nuclear terrorism threat? Last week, ministers and other senior delegates from 37 nations, along with representatives from the International Atomic Energy Agency, the... Pantex Plant's Calvin Nelson honored as Analyst of the Year for Transportation Security

  19. V-081: Wireshark Multiple Vulnerabilities | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    High DISCUSSION: 1) Errors in the Bluetooth HCI, CSN.1, DCP-ETSI DOCSIS CM-STAUS, IEEE 802.3 Slow Protocols, MPLS, R3, RTPS, SDP, and SIP dissectors can be exploited to...

  20. U-002:Adobe Photoshop Elements Multiple Memory Corruption Vulnerabilities

    Broader source: Energy.gov [DOE]

    A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

  1. T-626: Xen Multiple Buffer Overflow and Integer Overflow Vulnerabilities

    Broader source: Energy.gov [DOE]

    It was found that the xc_try_bzip2_decode() and xc_try_lzma_decode() decode routines did not correctly check for a possible buffer size overflow in the decoding loop. As well, several integer overflow flaws and missing error/range checking were found that could lead to an infinite loop. A privileged guest user could use these flaws to crash the guest or, possibly, execute arbitrary code in the privileged management domain (Dom0). (CVE-2011-1583)

  2. V-105: Google Chrome Multiple Vulnerabilities | Department of...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    navigation handling. 3) An error in Web Audio can be exploited to cause memory corruption. 4) A use-after-free error exists in SVG animations. 5) An error in Indexed DB can...

  3. U-202: Apple QuickTime Multiple Stack Overflow Vulnerabilities

    Broader source: Energy.gov [DOE]

    Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.

  4. U-022: Apple QuickTime Multiple Vulnerabilities

    Broader source: Energy.gov [DOE]

    A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

  5. Process Control Systems in the Chemical Industry: Safety vs. Security

    SciTech Connect (OSTI)

    Jeffrey Hahn; Thomas Anderson

    2005-04-01

    Traditionally, the primary focus of the chemical industry has been safety and productivity. However, recent threats to our nationís critical infrastructure have prompted a tightening of security measures across many different industry sectors. Reducing vulnerabilities of control systems against physical and cyber attack is necessary to ensure the safety, security and effective functioning of these systems. The U.S. Department of Homeland Security has developed a strategy to secure these vulnerabilities. Crucial to this strategy is the Control Systems Security and Test Center (CSSTC) established to test and analyze control systems equipment. In addition, the CSSTC promotes a proactive, collaborative approach to increase industry's awareness of standards, products and processes that can enhance the security of control systems. This paper outlines measures that can be taken to enhance the cybersecurity of process control systems in the chemical sector.

  6. Secure Transportation of HEU in Romania

    SciTech Connect (OSTI)

    2009-07-06

    The National Nuclear Security Administration has announced the final shipments of Russian-origin highly enriched uranium (HEU) nuclear fuel from Romania. The material was removed and returned to Russia by air for storage at two secure nuclear facilities, making Romania the first country to remove all HEU since President Obama outlined his commitment to securing all vulnerable nuclear material around the world within four years. This was also the first time NNSA has shipped spent HEU by airplane, a development that will help accelerate efforts to meet the Presidents objective.

  7. V-134: Cisco AnyConnect Secure Mobility Client Heap Overflow Lets Local

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Users Gain Elevated Privileges | Department of Energy 4: Cisco AnyConnect Secure Mobility Client Heap Overflow Lets Local Users Gain Elevated Privileges V-134: Cisco AnyConnect Secure Mobility Client Heap Overflow Lets Local Users Gain Elevated Privileges April 15, 2013 - 1:30am Addthis PROBLEM: Cisco AnyConnect Secure Mobility Client Heap Overflow Lets Local Users Gain Elevated Privileges PLATFORM: Cisco AnyConnect Secure Mobility Client Cisco Secure Desktop ABSTRACT: Some vulnerabilities

  8. Infrastructure Security EXCEPTIONAL SERVICE IN THE NATIONAL INTEREST

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    5759P Nuclear Cyber Vulnerability Sandia National Laboratories has conducted cyber-based vulnerability assessments on multiple commercial digital I&C platforms being deployed in the nuclear industry for the purpose of identifying vulnerabilities and improving the design and implementation of these systems. The assessment methodology has been developed at Sandia and is used to determine the risk associated with the design, configuration and operation of cyber-based products. Threat

  9. DOE - NNSA/NFO -- National Security Technologies Contract Award

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Award NNSA/NFO Language Options U.S. DOE/NNSA - Nevada Field Office TechSource, Inc. Contract Award TechSource, Inc. is the security support contractor responsible for operating the Badge Office, managing the Vulnerability Assessment lab, maintaining OPSEC and security awareness programs, security clearances, and classified matter protection. The contract valued at approximately $12,383,205 was awarded on 5/28/2015. The contract period of performance is July 1, 2015 through June 30, 2016

  10. Software security for a network storage service

    SciTech Connect (OSTI)

    Haynes, R.A.; Kelly, S.M.

    1992-09-01

    In 1991, Sandia National Laboratories acquired a Network Storage Service (NSS) as a result of a fully competitive procurement. The Network Storage Service, which provides access to over a terabyte of data storage in a two-tiered hierarchy, had minimal software security features. Before the NSS could be placed into production, it had to be accredited by the Department of Energy, Sandia`s accrediting authority. Sandia was faced with implementing security features to allow the NSS to be operated in its secure computing network, which is a single security clearance, multiple data security level environment. This paper describes the software security design alternatives that were considered and what was ultimately implemented.

  11. Software security for a network storage service

    SciTech Connect (OSTI)

    Haynes, R.A.; Kelly, S.M.

    1992-01-01

    In 1991, Sandia National Laboratories acquired a Network Storage Service (NSS) as a result of a fully competitive procurement. The Network Storage Service, which provides access to over a terabyte of data storage in a two-tiered hierarchy, had minimal software security features. Before the NSS could be placed into production, it had to be accredited by the Department of Energy, Sandia's accrediting authority. Sandia was faced with implementing security features to allow the NSS to be operated in its secure computing network, which is a single security clearance, multiple data security level environment. This paper describes the software security design alternatives that were considered and what was ultimately implemented.

  12. Nuclear Security Enterprise | National Nuclear Security Administration

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    About Our Programs Defense Programs Nuclear Security Enterprise The Nuclear Security Enterprise (NSE) mission is to ensure the Nation sustains a safe, secure, and effective ...

  13. Secure Manufacturing | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Secure Manufacturing Secure Manufacturing The depth and breadth of Y-12's manufacturing capabilities and expertise enable Y-12 to address current and emerging national security...

  14. V-145: IBM Tivoli Federated Identity Manager Products Java Multiple

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerabilities | Department of Energy 45: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities V-145: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities April 30, 2013 - 12:09am Addthis PROBLEM: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities PLATFORM: IBM Tivoli Federated Identity Manager versions 6.1, 6.2.0, 6.2.1, and 6.2.2. IBM Tivoli Federated Identity Manager Business Gateway versions 6.1.1, 6.2.0, 6.2.1

  15. Secure PVM

    SciTech Connect (OSTI)

    Dunigan, T.H.; Venugopal, N.

    1996-09-01

    This research investigates techniques for providing privacy, authentication, and data integrity to PVM (Parallel Virtual Machine). PVM is extended to provide secure message passing with no changes to the user`s PVM application, or, optionally, security can be provided on a message-by message basis. Diffe-Hellman is used for key distribution of a single session key for n-party communication. Keyed MD5 is used for message authentication, and the user may select from various secret-key encryption algorithms for message privacy. The modifications to PVM are described, and the performance of secure PVM is evaluated.

  16. Security Conditions

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2004-07-08

    This Notice ensures that DOE uniformly meets the requirements of the Homeland Security Advisory System outlined in Homeland Security Presidential Directive-3, Threat Conditions and Associated Protective Measures, dated 3-11-02, and provides responses specified in Presidential Decision Directive 39, U.S. Policy on Counterterrorism (U), dated 6-21-95. It cancels DOE N 473.8, Security Conditions, dated 8-7-02. Extended until 7-7-06 by DOE N 251.64, dated 7-7-05 Cancels DOE N 473.8

  17. Special Training Materials | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    68 Special Report: IG-0868 August 29, 2012 Inquiry into the Security Breach at the National Nuclear Security Administration's Y-12 National Security Complex We initiated this inquiry to identify the circumstances surrounding the Y-12 National Security Complex breach because of the importance of ensuring the safe and secure storage of nuclear materials. Our review found that the Y-12 security incident represented multiple system failures on several levels. We identified troubling displays of

  18. Methodology for prioritizing cyber-vulnerable critical infrastructure equipment and mitigation strategies.

    SciTech Connect (OSTI)

    Dawson, Lon Andrew; Stinebaugh, Jennifer A.

    2010-04-01

    The Department of Homeland Security (DHS), National Cyber Security Division (NSCD), Control Systems Security Program (CSSP), contracted Sandia National Laboratories to develop a generic methodology for prioritizing cyber-vulnerable, critical infrastructure assets and the development of mitigation strategies for their loss or compromise. The initial project has been divided into three discrete deliverables: (1) A generic methodology report suitable to all Critical Infrastructure and Key Resource (CIKR) Sectors (this report); (2) a sector-specific report for Electrical Power Distribution; and (3) a sector-specific report for the water sector, including generation, water treatment, and wastewater systems. Specific reports for the water and electric sectors are available from Sandia National Laboratories.

  19. Personnel Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2005-08-26

    The manual establishes the overall objectives and requirements for the Department of Energy Personnel Security Program. Cancels DOE M 472.1-1B. Canceled by DOE O 472.2.

  20. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    3 - Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management Programs Advanced Nuclear Energy Nuclear

  1. Information Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-06-20

    The protection and control of classified information is critical to our nationís security. This Order establishes requirements and responsibilities for Department of Energy (DOE) Departmental Elements, including the National Nuclear Security Administration (NNSA), to protect and control classified information as required by statutes, regulation, Executive Orders, government-wide policy directives and guidelines, and DOE policy and directives. Cancels DOE M 470.4-4A Chg except for Section D.

  2. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management Programs Advanced Nuclear Energy Nuclear

  3. Security, LLC

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Two-hundred twenty-five nonprofit organizations receive monetary donations from Los Alamos National Security, LLC September 21, 2015 Recognizing employee and retiree volunteer efforts LOS ALAMOS, N.M., Sept. 21, 2015-More than 225 nonprofit organizations received $162,650 from Los Alamos National Security, LLC, which manages Los Alamos National Laboratory. The LANS contributions are determined by the number of volunteer hours logged by Laboratory employees and retirees through an organization

  4. Personnel Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-07-27

    The Order establishes requirements for a successful, efficient and cost-effective personnel security program to ensure accurate, timely and equitable determinations of individualsí eligibility for access to classified information and fitness for placement or retention in national security positions. Cancels DOE M 470.4-5, DOE N 470.4 and DOE N 470.5. Admin Chg 1, 10-8-13.

  5. Secure Information Sharing

    Energy Science and Technology Software Center (OSTI)

    2005-09-09

    We are develoing a peer-to-peer system to support secure, location independent information sharing in the scientific community. Once complete, this system will allow seamless and secure sharing of information between multiple collaborators. The owners of information will be able to control how the information is stored, managed. ano shared. In addition, users will have faster access to information updates within a collaboration. Groups collaborating on scientific experiments have a need to share information and data.more¬†¬Ľ This information and data is often represented in the form of files and database entries. In a typical scientific collaboration, there are many different locations where data would naturally be stored. This makes It difficult for collaborators to find and access the information they need. Our goal is to create a lightweight file-sharing system that makes it¬íeasy for collaborators to find and use the data they need. This system must be easy-to-use, easy-to-administer, and secure. Our information-sharing tool uses group communication, in particular the InterGroup protocols, to reliably deliver each query to all of the current participants in a scalable manner, without having to discover all of their identities. We will use the Secure Group Layer (SGL) and Akenti to provide security to the participants of our environment, SGL will provide confldentiality, integrity, authenticity, and authorization enforcement for the InterGroup protocols and Akenti will provide access control to other resources.¬ę¬†less

  6. Macro Security Methodology for Conducting Facility Security and Sustainability Assessments

    SciTech Connect (OSTI)

    Herdes, Greg A.; Freier, Keith D.; Wright, Kyle A.

    2007-07-09

    Pacific Northwest National Laboratory (PNNL) has developed a macro security strategy that not only addresses traditional physical protection systems, but also focuses on sustainability as part of the security assessment and management process. This approach is designed to meet the needs of virtually any industry or environment requiring critical asset protection. PNNL has successfully demonstrated the utility of this macro security strategy through its support to the NNSA Office of Global Threat Reduction implementing security upgrades at international facilities possessing high activity radioactive sources that could be used in the assembly of a radiological dispersal device, commonly referred to as a ďdirty bombĒ. Traditional vulnerability assessments provide a snap shot in time of the effectiveness of a physical protection system without significant consideration to the sustainability of the component elements that make up the system. This paper describes the approach and tools used to integrate technology, plans and procedures, training, and sustainability into a simple, quick, and easy-to-use security assessment and management tool.

  7. Security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Security The Y-12 National Security Complex places the highest priority on maintaining and improving its security posture. We employ security police officers, cyber security specialists, and other personnel to safeguard our security assets. Y-12 continuously monitors local and world events to prepare for potential risks to the site, our information and our employees. Security personnel also participate in numerous assessments each year to ensure readiness in protecting the site's vital

  8. National Nuclear Security Administration | National Nuclear Security...

    National Nuclear Security Administration (NNSA)

    National Nuclear Security Administration | National Nuclear Security Administration Facebook Twitter Youtube Flickr RSS People Mission Managing the Stockpile Preventing...

  9. Securing energy assets and infrastructure 2007

    SciTech Connect (OSTI)

    2006-06-15

    This report describes in detail the energy industry's challenges and solutions for protecting critical assets including oil and gas infrastructure, transmission grids, power plants, storage, pipelines, and all aspects of strategic industry assets. It includes a special section on cyber-terrorism and protecting control systems. Contents: Section I - Introduction; U.S Energy Trends; Vulnerabilities; Protection Measures. Section II - Sector-wise Vulnerabilities Assessments and Security Measures: Coal, Oil and Petroleum, Natural Gas, Electric Power, Cybersecurity and Control Systems, Key Recommendations; Section III - Critical Infrastructure Protection Efforts: Government Initiatives, Agencies, and Checklists.

  10. Radiological Security Partnership Information | National Nuclear Security

    National Nuclear Security Administration (NNSA)

    Administration Nonproliferation / Global Material Security / Radiological Security / Radiological Security Partnership Radiological Security Partnership Information Radioactive sources play an important role in a number of commercial, medical, and research facilities. The benefits of these sources must be balanced with proper security. The Department of Energy's (DOE) National Nuclear Security Administration (NNSA) is working with the Nuclear Regulatory Commission and state regulators,

  11. T-536: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security Controls | Department of Energy 6: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls T-536: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls January 18, 2011 - 2:30pm Addthis PROBLEM: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls. PLATFORM: Cisco 5500 Series Adaptive Security Appliances (ASA) ABSTRACT: Cisco ASA 5500 Series Adaptive Security Appliances are affected by multiple

  12. US Energy Sector Vulnerabilities to Climate Change

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    ... However, regional variation does not imply regional ... Federal, state, and local governments and the ... climate-resilient, assessment of vulnerabilities in ...

  13. Mining Bug Databases for Unidentified Software Vulnerabilities

    SciTech Connect (OSTI)

    Dumidu Wijayasekara; Milos Manic; Jason Wright; Miles McQueen

    2012-06-01

    Identifying software vulnerabilities is becoming more important as critical and sensitive systems increasingly rely on complex software systems. It has been suggested in previous work that some bugs are only identified as vulnerabilities long after the bug has been made public. These vulnerabilities are known as hidden impact vulnerabilities. This paper discusses the feasibility and necessity to mine common publicly available bug databases for vulnerabilities that are yet to be identified. We present bug database analysis of two well known and frequently used software packages, namely Linux kernel and MySQL. It is shown that for both Linux and MySQL, a significant portion of vulnerabilities that were discovered for the time period from January 2006 to April 2011 were hidden impact vulnerabilities. It is also shown that the percentage of hidden impact vulnerabilities has increased in the last two years, for both software packages. We then propose an improved hidden impact vulnerability identification methodology based on text mining bug databases, and conclude by discussing a few potential problems faced by such a classifier.

  14. Vulnerability Analysis of Energy Delivery Control Systems

    Energy Savers [EERE]

    ... products alike, and the introduction of Web applications into SCADA systems has created ... vulnerabilities Most likely attack vector Web Human-Machine Interface (HMI) ...

  15. Proliferation Vulnerability Red Team report

    SciTech Connect (OSTI)

    Hinton, J.P.; Barnard, R.W.; Bennett, D.E.

    1996-10-01

    This report is the product of a four-month independent technical assessment of potential proliferation vulnerabilities associated with the plutonium disposition alternatives currently under review by DOE/MD. The scope of this MD-chartered/Sandia-led study was limited to technical considerations that could reduce proliferation resistance during various stages of the disposition processes below the Stored Weapon/Spent Fuel standards. Both overt and covert threats from host nation and unauthorized parties were considered. The results of this study will be integrated with complementary work by others into an overall Nonproliferation and Arms Control Assessment in support of a Secretarial Record of Decision later this year for disposition of surplus U.S. weapons plutonium.

  16. GTRI: Reducing Nuclear Threats | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Fact Sheets GTRI: Reducing Nuclear Threats May 29, 2014 Mission In 2004 NNSA established the Global Threat Reduction Initiative (GTRI) in the Office of Defense Nuclear Nonproliferation to, as quickly as possible, identify, secure, remove and/or facilitate the disposition of high risk vulnerable nuclear and radiological materials around the world that pose a threat to the United States and the international community. GTRI's mission is to reduce and protect vulnerable nuclear and radiological

  17. Information Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2007-06-29

    Establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Section E, Technical Surveillance Countermeasures Program, is Official Use Only. Please contact the DOE Office of Health, Safety and Security at 301-903-0292 if your official duties require you to have access to this part of the directive. Cancels: DOE M 471.2-1B, DOE M 471.2-1C, DOE M 471.2-4, and DOE O 471.2A

  18. Information Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2005-08-26

    This Manual establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Attachment E, Technical Surveillance Countermeasures Program, is for Official Use Only. Contact the Office of Security and Safety Performance Assurance at 301-903-3653 if your official duties require you to have access to this part of the directive. Cancels: DOE M 471.2-1B, DOE M 471.2-1C, DOE M 471.2-4, and DOE O 471.2A.

  19. Information Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-06-20

    The protection and control of classified information is critical to our nationís security. This Order establishes requirements and responsibilities for Department of Energy (DOE) Departmental Elements, including the National Nuclear Security Administration (NNSA), to protect and control classified information as required by statutes, regulation, Executive Orders, government-wide policy directives and guidelines, and DOE policy and directives. Cancels DOE M 470.4-4A Chg except for Section D. Admin Chg 1, dated 11-23-2012, cancels DOE O 471.6. Canceled by Admin Chg 2 dated 5-15-15.

  20. Computer Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Computer Security All JLF participants must fully comply with all LLNL computer security regulations and procedures. A laptop entering or leaving B-174 for the sole use by a US citizen and so configured, and requiring no IP address, need not be registered for use in the JLF. By September 2009, it is expected that computers for use by Foreign National Investigators will have no special provisions. Notify maricle1@llnl.gov of all other computers entering, leaving, or being moved within B 174. Use

  1. Defense Nuclear Security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Programs Defense Nuclear Security The Office of Defense Nuclear Security develops and implements NNSA security programs to protect, control, and account for materials, information, and facilities across the nuclear security enterprise. The Office of the Chief, Defense Nuclear Security (CDNS) executes responsibility for the overall direction and management of security programs employed across the nuclear security enterprise comprised of NNSA's operations and facilities. The CDNS is charged with

  2. Performing Energy Security Assessments: A How-To Guide for Federal Facility Managers

    Broader source: Energy.gov [DOE]

    Guide describes the best practices and recommended process for federal facility managers to prepare for the following sections of a facility’s energy security plan: vulnerability assessments, energy preparedness and operations plans, and remedial action plans.

  3. Y-12 National Security Compex | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Y-12 National Security Compex

  4. T-620: Microsoft Security Bulletin Advance Notification for May 2011

    Broader source: Energy.gov [DOE]

    This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  5. Security Conditions

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2000-09-18

    To ensure that DOE uniformly meets the protection requirements specified in Presidential Decision Directive 39, "U.S. Policy on Counterterrorism (U)." Attachment 2 is no longer available online. Please e-mail your request for the Attachment to: Security.Directives@hq.doe.gov. DOE N 251.44, dated 05/06/02, extends this directive until 12/31/02.

  6. Personnel Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-07-21

    The order establishes requirements that will enable DOE to operate a successful, efficient, cost-effective personnel security program that will ensure accurate, timely and equitable determinations of individualsí eligibility for access to classified information and Special Nuclear Material (SNM). Admin Chg 1, 10-8-13.

  7. Security Rulemaking | Department of Energy

    Office of Environmental Management (EM)

    Rulemaking Security Rulemaking Transportation Security Rulemaking Activities PDF icon Security Rulemaking More Documents & Publications Transportation Security Rulemaking...

  8. Defining and Computing a Valued Based Cyber-Security Measure

    SciTech Connect (OSTI)

    Aissa, Anis Ben; Abercrombie, Robert K; Sheldon, Frederick T; Mili, Ali

    2012-01-01

    In earlier work, we presented a value based measure of cybersecurity that quantifies the security of a system in concrete terms, specifically, in terms of how much each system stakeholder stands to lose (in dollars per hour of operation) as a result of security threats and system vulnerabilities; our metric varies according to the stakes that each stakeholder has in meeting each security requirement. In this paper, we discuss the specification and design of a system that collects, updates, and maintains all the information that pertains to estimating our cybersecurity measure, and offers stakeholders quantitative means to make security-related decisions.

  9. Defining and Computing a Value Based Cyber-Security Measure

    SciTech Connect (OSTI)

    Aissa, Anis Ben; Abercrombie, Robert K; Sheldon, Frederick T; Mili, Ali

    2011-01-01

    In past work, we presented a value based measure of cybersecurity that quantifies the security of a system in concrete terms, specifically, in terms of how much each system stakeholder stands to lose (in dollars per hour of operation) as a result of security threats and system vulnerabilities\\; our metric varies according to the stakes that each stakeholder has in meeting each security requirement. In this paper we discuss the specification and design of a system that collects, updates and maintains all the information that pertains to estimating our cybersecurity measure, and offers stakeholders quantitative means to make security-related decisions.

  10. Organizing electronic services into security taxonomies - revised

    SciTech Connect (OSTI)

    Smith, S.W.; Pedersen, P.S.

    1997-01-01

    With increasing numbers of commercial and government services being considered for electronic delivery, effective vulnerability analysis will become increasingly critical, Organizing sets of proposed electronic services into security taxonomies will be a key part of this work. However, brute force enumeration of services and risks is inefficient, and ad hoc methods require re-invention with each new set of services. Furthermore, both such approaches fail to communicate effectively the tradeoffs between vulnerabilities and features in a set of electronic services, and fail to scale to large sets of service. From our experience advising players considering electronic delivery, we have developed a general, systematic, and scalable methodology that addresses these concerns. In this paper, we present this methodology, and apply it to the example of electronic services offered via kiosks (since kiosk systems are representative of a wide range of security issues in electronic commerce).

  11. Beyond a series of security nets: Applying STAMP & STPA to port security

    DOE Public Access Gateway for Energy & Science Beta (PAGES Beta)

    Williams, Adam D.

    2015-11-17

    Port security is an increasing concern considering the significant role of ports in global commerce and today‚Äôs increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality -- ‚Äėa series of security nets‚Äô based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‚ÄėSystem-Theoretic Accident Model and Process (STAMP)‚Äô is a new model of causality based on systemsmore¬†¬Ľ and control theory. The associated analysis process -- System Theoretic Process Analysis (STPA) -- identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. As a result, this article aims to demonstrate how STAMP‚Äôs broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.¬ę¬†less

  12. Beyond a series of security nets: Applying STAMP & STPA to port security

    SciTech Connect (OSTI)

    Williams, Adam D.

    2015-11-17

    Port security is an increasing concern considering the significant role of ports in global commerce and today‚Äôs increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality -- ‚Äėa series of security nets‚Äô based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‚ÄėSystem-Theoretic Accident Model and Process (STAMP)‚Äô is a new model of causality based on systems and control theory. The associated analysis process -- System Theoretic Process Analysis (STPA) -- identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. As a result, this article aims to demonstrate how STAMP‚Äôs broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.

  13. Beyond a series of security nets: Applying STAMP & STPA to port security

    DOE Public Access Gateway for Energy & Science Beta (PAGES Beta)

    Williams, Adam D.

    2015-11-17

    Port security is an increasing concern considering the significant role of ports in global commerce and today‚Äôs increasingly complex threat environment. Current approaches to port security mirror traditional models of accident causality -- ‚Äėa series of security nets‚Äô based on component reliability and probabilistic assumptions. Traditional port security frameworks result in isolated and inconsistent improvement strategies. Recent work in engineered safety combines the ideas of hierarchy, emergence, control and communication into a new paradigm for understanding port security as an emergent complex system property. The ‚ÄėSystem-Theoretic Accident Model and Process (STAMP)‚Äô is a new model of causality based on systemsmore¬†¬Ľand control theory. The associated analysis process -- System Theoretic Process Analysis (STPA) -- identifies specific technical or procedural security requirements designed to work in coordination with (and be traceable to) overall port objectives. This process yields port security design specifications that can mitigate (if not eliminate) port security vulnerabilities related to an emphasis on component reliability, lack of coordination between port security stakeholders or economic pressures endemic in the maritime industry. As a result, this article aims to demonstrate how STAMP‚Äôs broader view of causality and complexity can better address the dynamic and interactive behaviors of social, organizational and technical components of port security.¬ę¬†less

  14. Cyber Security and Resilient Systems

    SciTech Connect (OSTI)

    Robert S. Anderson

    2009-07-01

    The Department of Energy (DOE) Idaho National Laboratory (INL) has become a center of excellence for critical infrastructure protection, particularly in the field of cyber security. It is one of only a few national laboratories that have enhanced the nation‚Äôs cyber security posture by performing industrial control system (ICS) vendor assessments as well as user on-site assessments. Not only are vulnerabilities discovered, but described actions for enhancing security are suggested ‚Äď both on a system-specific basis and from a general perspective of identifying common weaknesses and their corresponding corrective actions. These cyber security programs have performed over 40 assessments to date which have led to more robust, secure, and resilient monitoring and control systems for the US electrical grid, oil and gas, chemical, transportation, and many other sectors. In addition to cyber assessments themselves, the INL has been engaged in outreach to the ICS community through vendor forums, technical conferences, vendor user groups, and other special engagements as requested. Training programs have been created to help educate all levels of management and worker alike with an emphasis towards real everyday cyber hacking methods and techniques including typical exploits that are used. The asset owner or end user has many products available for its use created from these programs. One outstanding product is the US Department of Homeland Security (DHS) Cyber Security Procurement Language for Control Systems document that provides insight to the user when specifying a new monitoring and control system, particularly concerning security requirements. Employing some of the top cyber researchers in the nation, the INL can leverage this talent towards many applications other than critical infrastructure. Monitoring and control systems are used throughout the world to perform simple tasks such as cooking in a microwave to complex ones such as the monitoring and control of the next generation fighter jets or nuclear material safeguards systems in complex nuclear fuel cycle facilities. It is the intent of this paper to describe the cyber security programs that are currently in place, the experiences and successes achieved in industry including outreach and training, and suggestions about how other sectors and organizations can leverage this national expertise to help their monitoring and control systems become more secure.

  15. Climate Change and Infrastructure, Urban Systems, and Vulnerabilities

    SciTech Connect (OSTI)

    Wilbanks, Thomas J; Fernandez, Steven J

    2014-01-01

    This Technical Report on Climate Change and Infrastructure, Urban Systems, and Vulnerabilities has been prepared for the U.S. Department of Energy by the Oak Ridge National Laboratory in support of the U.S. National Climate Assessment (NCA). It is a summary of the currently existing knowledge base on its topic, nested within a broader framing of issues and questions that need further attention in the longer run. The report arrives at a number of assessment findings, each associated with an evaluation of the level of consensus on that issue within the expert community, the volume of evidence available to support that judgment, and the section of the report that provides an explanation for the finding. Cross-sectoral issues related to infrastructures and urban systems have not received a great deal of attention to date in research literatures in general and climate change assessments in particular. As a result, this technical report is breaking new ground as a component of climate change vulnerability and impact assessments in the U.S., which means that some of its assessment findings are rather speculative, more in the nature of propositions for further study than specific conclusions that are offered with a high level of confidence and research support. But it is a start in addressing questions that are of interest to many policymakers and stakeholders. A central theme of the report is that vulnerabilities and impacts are issues beyond physical infrastructures themselves. The concern is with the value of services provided by infrastructures, where the true consequences of impacts and disruptions involve not only the costs associated with the clean-up, repair, and/or replacement of affected infrastructures but also economic, social, and environmental effects as supply chains are disrupted, economic activities are suspended, and/or social well-being is threatened. Current knowledge indicates that vulnerability concerns tend to be focused on extreme weather events associated with climate change that can disrupt infrastructure services, often cascading across infrastructures because of extensive interdependencies threatening health and local economies, especially in areas where human populations and economic activities are concentrated in urban areas. Vulnerabilities are especially large where infrastructures are subject to multiple stresses, beyond climate change alone; when they are located in areas vulnerable to extreme weather events; and if climate change is severe rather than moderate. But the report also notes that there are promising approaches for risk management, based on emerging lessons from a number of innovative initiatives in U.S. cities and other countries, involving both structural and non-structural (e.g., operational) options.

  16. T-688: McAfee Security Bulletin - McAfee SaaS Endpoint Protection...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security Bulletin - McAfee SaaS Endpoint Protection update fixes multiple ActiveX issues T-688: McAfee Security Bulletin - McAfee SaaS Endpoint Protection update fixes multiple...

  17. Energy Surety: A Matter of National Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Surety: A Matter of National Security The present electric grid is based on a foundation created over 100 years ago. The infrastructure is topologically fixed, power sources are centralized and dispatchable (completely controllable), the loads are largely predictable, and the control of power flow at the load is essentially open-loop making it vulnerable to terrorist attacks, natural disasters, infrastructure failures, and other disruptive events. Further, this grid model limits renewables and

  18. Nuclear security

    SciTech Connect (OSTI)

    Not Available

    1991-07-01

    This paper reports that despite an Executive Order limiting the authority to make original classification decisions to government officials, DOE has delegated this authority to a number of contractor employees. Although the number of original classification decisions made by these contractors is small, this neither negates nor diminishes the significance of the improper delegation of authority. If misclassification were to occur, particularly at the Top Secret level, U.S. national security interests could potentially be seriously affected and threatened. DOE's argument that the delegation of such authority is a long-standing policy and done on a selective basis does not legitimize the practice and does not relieve DOE of its responsibility to meet the requirements of the Executive Order. DOE needs to independently assess all original classification determinations made by contractors; otherwise, it cannot be sure that U.S. national security interests have been or are being adequately protected.

  19. GRiP - A flexible approach for calculating risk as a function of consequence, vulnerability, and threat.

    SciTech Connect (OSTI)

    Whitfield, R. G.; Buehring, W. A.; Bassett, G. W.

    2011-04-08

    Get a GRiP (Gravitational Risk Procedure) on risk by using an approach inspired by the physics of gravitational forces between body masses! In April 2010, U.S. Department of Homeland Security Special Events staff (Protective Security Advisors [PSAs]) expressed concern about how to calculate risk given measures of consequence, vulnerability, and threat. The PSAs believed that it is not 'right' to assign zero risk, as a multiplicative formula would imply, to cases in which the threat is reported to be extremely small, and perhaps could even be assigned a value of zero, but for which consequences and vulnerability are potentially high. They needed a different way to aggregate the components into an overall measure of risk. To address these concerns, GRiP was proposed and developed. The inspiration for GRiP is Sir Isaac Newton's Universal Law of Gravitation: the attractive force between two bodies is directly proportional to the product of their masses and inversely proportional to the squares of the distance between them. The total force on one body is the sum of the forces from 'other bodies' that influence that body. In the case of risk, the 'other bodies' are the components of risk (R): consequence, vulnerability, and threat (which we denote as C, V, and T, respectively). GRiP treats risk as if it were a body within a cube. Each vertex (corner) of the cube represents one of the eight combinations of minimum and maximum 'values' for consequence, vulnerability, and threat. The risk at each of the vertices is a variable that can be set. Naturally, maximum risk occurs when consequence, vulnerability, and threat are at their maximum values; minimum risk occurs when they are at their minimum values. Analogous to gravitational forces among body masses, the GRiP formula for risk states that the risk at any interior point of the box depends on the squares of the distances from that point to each of the eight vertices. The risk value at an interior (movable) point will be dominated by the value of one vertex as that point moves closer and closer to that one vertex. GRiP is a visualization tool that helps analysts better understand risk and its relationship to consequence, vulnerability, and threat. Estimates of consequence, vulnerability, and threat are external to GRiP; however, the GRiP approach can be linked to models or data that provide estimates of consequence, vulnerability, and threat. For example, the Enhanced Critical Infrastructure Program/Infrastructure Survey Tool produces a vulnerability index (scaled from 0 to 100) that can be used for the vulnerability component of GRiP. We recognize that the values used for risk components can be point estimates and that, in fact, there is uncertainty regarding the exact values of C, V, and T. When we use T = t{sub o} (where t{sub o} is a value of threat in its range), we mean that threat is believed to be in an interval around t{sub o}. Hence, a value of t{sub o} = 0 indicates a 'best estimate' that the threat level is equal to zero, but still allows that it is not impossible for the threat to occur. When t{sub o} = 0 but is potentially small and not exactly zero, there will be little impact on the overall risk value as long as the C and V components are not large. However, when C and/or V have large values, there can be large differences in risk given t{sub o} = 0, and t{sub o} = epsilon (where epsilon is small but greater than a value of zero). We believe this scenario explains the PSA's intuition that risk is not equal to zero when t{sub o} = 0 and C and/or V have large values. (They may also be thinking that if C has an extremely large value, it is unlikely that T is equal to 0; in the terrorist context, T would likely be dependent on C when C is extremely large.) The PSAs are implicitly recognizing the potential that t{sub o} = epsilon. One way to take this possible scenario into account is to replace point estimates for risk with interval values that reflect the uncertainty in the risk components. In fact, one could argue that T never equals zero for a man-made hazard. This

  20. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. SAND2014-0672P Sandia National Laboratories is developing a thermal-to-electric power conversion technology that utilizes carbon dioxide (CO2) as the working fluid in a closed Brayton cycle. This technology possesses the capability to generate electricity at high efficiencies while reducing both costs and greenhouse gas emissions.

  1. Security system

    DOE Patents [OSTI]

    Baumann, Mark J.; Kuca, Michal; Aragon, Mona L.

    2016-02-02

    A security system includes a structure having a structural surface. The structure is sized to contain an asset therein and configured to provide a forceful breaching delay. The structure has an opening formed therein to permit predetermined access to the asset contained within the structure. The structure includes intrusion detection features within or associated with the structure that are activated in response to at least a partial breach of the structure.

  2. Information Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-06-29

    This Order establishes requirements and responsibilities for Department of Energy (DOE) Departmental Elements, including the National Nuclear Security Administration (NNSA), to protect and control classified information as required by statutes, regulation, Executive Orders, government-wide policy directives and guidelines, and DOE policy and directives. (The original DOE O 471.6 canceled DOE M 470.4-4A, except for Section D). Admin Chg 2, dated 5-15-15, supersedes Admin Chg 1. Certified 5-21-2015.

  3. Security seal

    DOE Patents [OSTI]

    Gobeli, Garth W.

    1985-01-01

    Security for a package or verifying seal in plastic material is provided by a print seal with unique thermally produced imprints in the plastic. If tampering is attempted, the material is irreparably damaged and thus detectable. The pattern of the imprints, similar to "fingerprints" are recorded as a positive identification for the seal, and corresponding recordings made to allow comparison. The integrity of the seal is proved by the comparison of imprint identification records made by laser beam projection.

  4. Infrastructure Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    to enhance the nation's security and prosperity through sustainable, transformative approaches to our most challenging energy, climate, and infrastructure problems. vision applications to Systems assessment over the last three decades, Snl has developed and applied a Systems Engineering (SE) approach that includes performance assessment (pa) expertise to inform key decisions concerning radioactive waste management both in the US and internationally. the result of these efforts is a pa-based SE

  5. Security Rulemaking

    Office of Environmental Management (EM)

    Securing America's Clean Energy Future The Office of Energy Efficiency and Renewable Energy (EERE) invests in clean energy technologies that strengthen the economy, reduce dependence on foreign oil, and protect the environment. EERE leverages partnerships with the private sector, state and local governments, DOE national laboratories, and universities to transform the nation's economic engine to one powered by clean energy. EERE Programs 2011 Budget (in $ millions) EERE operates with $1.8

  6. Determining Vulnerability Importance in Environmental Impact Assessment

    SciTech Connect (OSTI)

    Toro, Javier; Duarte, Oscar; Requena, Ignacio; Zamorano, Montserrat

    2012-01-15

    The concept of vulnerability has been used to describe the susceptibility of physical, biotic, and social systems to harm or hazard. In this sense, it is a tool that reduces the uncertainties of Environmental Impact Assessment (EIA) since it does not depend exclusively on the value assessments of the evaluator, but rather is based on the environmental state indicators of the site where the projects or activities are being carried out. The concept of vulnerability thus reduces the possibility that evaluators will subjectively interpret results, and be influenced by outside interests and pressures during projects. However, up until now, EIA has been hindered by a lack of effective methods. This research study analyzes the concept of vulnerability, defines Vulnerability Importance and proposes its inclusion in qualitative EIA methodology. The method used to quantify Vulnerability Importance is based on a set of environmental factors and indicators that provide a comprehensive overview of the environmental state. The results obtained in Colombia highlight the usefulness and objectivity of this method since there is a direct relation between this value and the environmental state of the departments analyzed. - Research Highlights: Black-Right-Pointing-Pointer The concept of vulnerability could be considered defining Vulnerability Importance included in qualitative EIA methodology. Black-Right-Pointing-Pointer The use of the concept of environmental vulnerability could reduce the subjectivity of qualitative methods of EIA. Black-Right-Pointing-Pointer A method to quantify the Vulnerability Importance proposed provides a comprehensive overview of the environmental state. Black-Right-Pointing-Pointer Results in Colombia highlight the usefulness and objectivity of this method.

  7. Climate Change and National Security

    SciTech Connect (OSTI)

    Malone, Elizabeth L.

    2013-02-01

    Climate change is increasingly recognized as having national security implications, which has prompted dialogue between the climate change and national security communities ‚Äď with resultant advantages and differences. Climate change research has proven useful to the national security community sponsors in several ways. It has opened security discussions to consider climate as well as political factors in studies of the future. It has encouraged factoring in the stresses placed on societies by climate changes (of any kind) to help assess the potential for state stability. And it has shown that, changes such as increased heat, more intense storms, longer periods without rain, and earlier spring onset call for building climate resilience as part of building stability. For the climate change research community, studies from a national security point of view have revealed research lacunae, for example, such as the lack of usable migration studies. This has also pushed the research community to consider second- and third-order impacts of climate change, such as migration and state stability, which broadens discussion of future impacts beyond temperature increases, severe storms, and sea level rise; and affirms the importance of governance in responding to these changes. The increasing emphasis in climate change science toward research in vulnerability, resilience, and adaptation also frames what the intelligence and defense communities need to know, including where there are dependencies and weaknesses that may allow climate change impacts to result in security threats and where social and economic interventions can prevent climate change impacts and other stressors from resulting in social and political instability or collapse.

  8. U-170: Apple QuickTime Multiple Flaws Let Remote Users Execute Arbitrary Code

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities were reported in Apple QuickTime. A remote user can cause arbitrary code to be executed on the target user's system.

  9. U-143: Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities were reported in Google Chrome. A remote user can cause arbitrary code to be executed on the target user's system.

  10. U-133: Google Chrome Multiple Flaws Let Remote Users Execute Arbitrary Code

    Broader source: Energy.gov [DOE]

    Multiple vulnerabilities were reported in Google Chrome. A remote user can cause arbitrary code to be executed on the target user's system.

  11. Initial CTBT international monitoring system security findings and recommendations

    SciTech Connect (OSTI)

    Craft, R.L.; Draelos, T.J.

    1996-08-01

    An initial security evaluation of the proposed International Monitoring System (IMS) suggests safeguards at various points in the IMS to provide reliable information to the user community. Modeling the IMS as a network of information processing nodes provides a suitable architecture for assessing data surety needs of the system. The recommendations in this paper include the use of public-key authentication for data from monitoring stations and for commands issued to monitoring stations. Other monitoring station safeguards include tamper protection of sensor subsystems, preservation of data (i.e. short-term archival), and limiting the station`s network services. The recommendations for NDCs focus on the need to provide a backup to the IDC for data archival and data routing. Safeguards suggested for the IDC center on issues of reliability. The production of event bulletins should employ {open_quotes}two-man{close_quotes} procedures. As long as the data maintains its integrity, event bulletins can be produced by NDCs as well. The effective use of data authentication requires a sound key management system. Key management systems must be developed for the authentication of data, commands, and event bulletins if necessary. It is recommended that the trust placed in key management be distributed among multiple parties. The recommendations found in this paper offer safeguards for identified vulnerabilities in the IMS with regard to data surety. However, several outstanding security issues still exist. These issues include the need to formalize and obtain a consensus on a threat model and a trust model for the IMS. The final outstanding security issue that requires in-depth analysis concerns the IDC as a potential single point of failure in the current IMS design.

  12. Global Security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    sector. Global Security Cooley joins Y-12's Global Security and Strategic Partnerships Manufacturing and Technical Services Nuclear Material Recovery Nuclear Detection and...

  13. Headquarters Security Quick Reference Book Headquarters Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Directive HSS Office of Health, Safety and Security HQ ... Regulations 707, a negative drug test result is required ... knowledgeable of security policy at HQ. Consult the HQFMSP ...

  14. physical security | National Nuclear Security Administration

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    physical security | National Nuclear Security Administration Facebook Twitter Youtube Flickr RSS People Mission Managing the Stockpile Preventing Proliferation Powering the Nuclear...

  15. defense nuclear security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    nuclear security | National Nuclear Security Administration Facebook Twitter Youtube Flickr RSS People Mission Managing the Stockpile Preventing Proliferation Powering the Nuclear ...

  16. Information Security: Coordination of Federal Cyber Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Information Security: Coordination of Federal Cyber Security Research and Development GAO recommends that the Office of Science and Technology Policy establish timelines for ...

  17. Y-12 earns communications honors | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    earns communications ... Y-12 earns communications honors Posted: September 5, 2013 - 4:06pm The Y-12 National Security Complex received multiple communications awards during three...

  18. Y-12 earns communications honors | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    earns communications ... Y-12 earns communications honors Posted: June 27, 2012 - 9:38am The Y-12 National Security Complex received multiple communications awards during two...

  19. Control Systems Security Test Center - FY 2004 Program Summary

    SciTech Connect (OSTI)

    Robert E. Polk; Alen M. Snyder

    2005-04-01

    In May 2004, the US-CERT Control Systems Security Center (CSSC) was established at Idaho National Laboratory to execute assessment activities to reduce the vulnerability of the nationís critical infrastructure control systems to terrorist attack. The CSSC implements a program to accomplish the five goals presented in the US-CERT National Strategy for Control Systems Security. This report summarizes the first year funding of startup activities and program achievements that took place in FY 2004 and early FY 2005. This document was prepared for the US-CERT Control Systems Security Center of the National Cyber Security Division of the Department of Homeland Security (DHS). DHS has been tasked under the Homeland Security Act of 2002 to coordinate the overall national effort to enhance the protection of the national critical infrastructure. Homeland Security Presidential Directive HSPD-7 directs federal departments to identify and prioritize the critical infrastructure and protect it from terrorist attack. The US-CERT National Strategy for Control Systems Security was prepared by the National Cyber Security Division to address the control system security component addressed in the National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The US-CERT National Strategy for Control Systems Security identified five high-level strategic goals for improving cyber security of control systems.

  20. Colombia-Cartagena Vulnerability Assessment | Open Energy Information

    Open Energy Info (EERE)

    Colombia-Cartagena Vulnerability Assessment Jump to: navigation, search Name Colombia-CDKN-Cartagena Vulnerability Assessment AgencyCompany Organization Climate and Development...

  1. Colombia-Cartagena Vulnerability Assessment | Open Energy Information

    Open Energy Info (EERE)

    Colombia-Cartagena Vulnerability Assessment (Redirected from CDKN-Colombia-Cartagena Vulnerability Assessment) Jump to: navigation, search Name Colombia-CDKN-Cartagena...

  2. Potential Vulnerability of US Petroleum Refineries to Increasing...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Potential Vulnerability of US Petroleum Refineries to Increasing Water Temperature andor Reduced Water Availability Potential Vulnerability of US Petroleum Refineries to ...

  3. OLADE-Central America Climate Change Vulnerability Program |...

    Open Energy Info (EERE)

    Central America Climate Change Vulnerability Program Jump to: navigation, search Name OLADE-Central America Climate Change Vulnerability Program AgencyCompany Organization Latin...

  4. India-Vulnerability Assessment and Enhancing Adaptive Capacities...

    Open Energy Info (EERE)

    Vulnerability Assessment and Enhancing Adaptive Capacities to Climate Change Jump to: navigation, search Name India-Vulnerability Assessment and Enhancing Adaptive Capacities to...

  5. Tribal Energy System Vulnerabilities to Climate Change and Extreme...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    System Vulnerabilities to Climate Change and Extreme Weather Tribal Energy System Vulnerabilities to Climate Change and Extreme Weather This U.S. Department of Energy Office of ...

  6. Nuclear Fuel Cycle & Vulnerabilities (Technical Report) | SciTech...

    Office of Scientific and Technical Information (OSTI)

    Nuclear Fuel Cycle & Vulnerabilities Citation Details In-Document Search Title: Nuclear Fuel Cycle & Vulnerabilities The objective of safeguards is the timely detection of ...

  7. Nuclear Fuel Cycle & Vulnerabilities (Technical Report) | SciTech...

    Office of Scientific and Technical Information (OSTI)

    Technical Report: Nuclear Fuel Cycle & Vulnerabilities Citation Details In-Document Search Title: Nuclear Fuel Cycle & Vulnerabilities You are accessing a document from the ...

  8. Vulnerability Analysis of Energy Delivery Control Systems (September...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Systems (September 2011) Vulnerability Analysis of Energy Delivery Control Systems (September 2011) The Vulnerability Analysis of Energy Delivery Control Systems report, prepared ...

  9. Top 10 Vulnerabilities of Control Systems and Their Associated...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Top 10 Vulnerabilities of Control Systems and Their Associated Migitations (2006) Top 10 Vulnerabilities of Control Systems and Their Associated Migitations (2006) This document ...

  10. TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS This document provides ...

  11. Assessing Vulnerabilities, Risks, and Consequences of Damage to Critical Infrastructure

    SciTech Connect (OSTI)

    Suski, N; Wuest, C

    2011-02-04

    Since the publication of 'Critical Foundations: Protecting America's Infrastructure,' there has been a keen understanding of the complexity, interdependencies, and shared responsibility required to protect the nation's most critical assets that are essential to our way of life. The original 5 sectors defined in 1997 have grown to 18 Critical Infrastructures and Key Resources (CIKR), which are discussed in the 2009 National Infrastructure Protection Plan (NIPP) and its supporting sector-specific plans. The NIPP provides the structure for a national program dedicated to enhanced protection and resiliency of the nation's infrastructure. Lawrence Livermore National Laboratory (LLNL) provides in-depth, multi-disciplinary assessments of threat, vulnerability, and consequence across all 18 sectors at scales ranging from specific facilities to infrastructures spanning multi-state regions, such as the Oil and Natural Gas (ONG) sector. Like many of the CIKR sectors, the ONG sector is comprised of production, processing, distribution, and storage of highly valuable and potentially dangerous commodities. Furthermore, there are significant interdependencies with other sectors, including transportation, communication, finance, and government. Understanding the potentially devastating consequences and collateral damage resulting from a terrorist attack or natural event is an important element of LLNL's infrastructure security programs. Our work began in the energy sector in the late 1990s and quickly expanded other critical infrastructure sectors. We have performed over 600 physical assessments with a particular emphasis on those sectors that utilize, store, or ship potentially hazardous materials and for whom cyber security is important. The success of our approach is based on building awareness of vulnerabilities and risks and working directly with industry partners to collectively advance infrastructure protection. This approach consists of three phases: The Pre-Assessment Phase brings together infrastructure owners and operators to identify critical assets and help the team create a structured information request. During this phase, we gain information about the critical assets from those who are most familiar with operations and interdependencies, making the time we spend on the ground conducting the assessment much more productive and enabling the team to make actionable recommendations. The Assessment Phase analyzes 10 areas: Threat environment, cyber architecture, cyber penetration, physical security, physical penetration, operations security, policies and procedures, interdependencies, consequence analysis, and risk characterization. Each of these individual tasks uses direct and indirect data collection, site inspections, and structured and facilitated workshops to gather data. Because of the importance of understanding the cyber threat, LLNL has built both fixed and mobile cyber penetration, wireless penetration and supporting tools that can be tailored to fit customer needs. The Post-Assessment Phase brings vulnerability and risk assessments to the customer in a format that facilitates implementation of mitigation options. Often the assessment findings and recommendations are briefed and discussed with several levels of management and, if appropriate, across jurisdictional boundaries. The end result is enhanced awareness and informed protective measures. Over the last 15 years, we have continued to refine our methodology and capture lessons learned and best practices. The resulting risk and decision framework thus takes into consideration real-world constraints, including regulatory, operational, and economic realities. In addition to 'on the ground' assessments focused on mitigating vulnerabilities, we have integrated our computational and atmospheric dispersion capability with easy-to-use geo-referenced visualization tools to support emergency planning and response operations. LLNL is home to the National Atmospheric Release Advisory Center (NARAC) and the Interagency Modeling and Atmospheric Assessment Center (IMAAC). NA

  12. DOE/DHS INDUSTRIAL CONTROL SYSTEM CYBER SECURITY PROGRAMS: A MODEL FOR USE IN NUCLEAR FACILITY SAFEGUARDS AND SECURITY

    SciTech Connect (OSTI)

    Robert S. Anderson; Mark Schanfein; Trond Bjornard; Paul Moskowitz

    2011-07-01

    Many critical infrastructure sectors have been investigating cyber security issues for several years especially with the help of two primary government programs. The U.S. Department of Energy (DOE) National SCADA Test Bed and the U.S. Department of Homeland Security (DHS) Control Systems Security Program have both implemented activities aimed at securing the industrial control systems that operate the North American electric grid along with several other critical infrastructure sectors (ICS). These programs have spent the last seven years working with industry including asset owners, educational institutions, standards and regulating bodies, and control system vendors. The programs common mission is to provide outreach, identification of cyber vulnerabilities to ICS and mitigation strategies to enhance security postures. The success of these programs indicates that a similar approach can be successfully translated into other sectors including nuclear operations, safeguards, and security. The industry regulating bodies have included cyber security requirements and in some cases, have incorporated sets of standards with penalties for non-compliance such as the North American Electric Reliability Corporation Critical Infrastructure Protection standards. These DOE and DHS programs that address security improvements by both suppliers and end users provide an excellent model for nuclear facility personnel concerned with safeguards and security cyber vulnerabilities and countermeasures. It is not a stretch to imagine complete surreptitious collapse of protection against the removal of nuclear material or even initiation of a criticality event as witnessed at Three Mile Island or Chernobyl in a nuclear ICS inadequately protected against the cyber threat.

  13. Personnel Security

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2011-07-21

    The order establishes requirements that will enable DOE to operate a successful, efficient, cost-effective personnel security program that will ensure accurate, timely and equitable determinations of individuals’ eligibility for access to classified information and Special Nuclear Material (SNM). This limited revision will ensure that individuals holding dual citizenship receive proper consideration from a counterintelligence perspective prior to being granted access to classified matter or Special Nuclear Material. Pg Chg 1, 7-9-14 supersedes DOE O 472.2 Admin Chg 1.

  14. Radiological Security Program | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Radiological Security Program Armenia Secures Dangerous Radioactive Sources in Cooperation with NNSA The Department of Energy's National Nuclear Security Administration (NNSA) joined the Republic of Armenia today to announce the safe and secure removal of three unused radioactive sources from two locations in Yerevan, Armenia. The successful completion of the radioactive source recovery campaign

  15. Security Notice | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Notice Security Notice Security Information This website is part of a federal computer system used to accomplish federal functions. Y-12 uses software programs to monitor this website for security purposes to ensure it remains available to all users and to protect information in the system. By accessing this website, you are expressly consenting to these monitoring activities. Unauthorized attempts to defeat or circumvent security features; to use the system for other than intended

  16. Global Material Security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Nonproliferation Global Material Security The mission of the Office of Global Material Security (GMS) is to help partner countries secure and account for nuclear weapons, weapons-useable nuclear and radiological materials, as well as to build capacity to deter, detect and interdict the illicit trafficking of such materials. GMS achieves its mission through three subprograms: International Nuclear Security Radiological Security Nuclear Smuggling Detection and Deterrence (formerly Second Line of

  17. International Nuclear Security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    International Nuclear Security The International Nuclear Security program collaborates with partners world-wide to improve the security of proliferation-sensitive materials, particularly weapons-usable nuclear material in both civilian and non-civilian use in key countries. As part of these efforts, INS works with partner countries to: Upgrade and sustain physical security and material control and accounting systems; Develop national-level nuclear security infrastructure in areas such as

  18. U-278: Microsoft Security Bulletin Advance Notification for October 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for October 2012. Microsoft has posted 1 Critical Bulletins and 6 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on October 10, 2012, at 11:00 AM Pacific Time (US & Canada).

  19. U-256: Microsoft Security Bulletin Advance Notification for September 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for September 2012. Microsoft has posted 0 Critical Bulletins and 2 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on September 12, 2012, at 11:00 AM Pacific Time (US & Canada).

  20. U-209: Microsoft Security Bulletin Advance Notification for July 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for July 2012. Microsoft has posted 3 Critical Bulletins and 6 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on July 11, 2012, at 11:00 AM Pacific Time (US & Canada).

  1. U-145: Microsoft Security Bulletin Summary for April 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Summary for April 2012. Microsoft has posted 4 Critical Bulletins and 2 Important bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on April 11, 2012, at 11:00 AM Pacific Time (US & Canada).

  2. U-124: Microsoft Security Bulletin Advance Notification for March 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for March 2012. Microsoft has posted 1 Critical Bulletin, 4 Important bulletins and 1 Moderate bulletin. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on March 14, 2012, at 11:00 AM Pacific Time (US & Canada).

  3. U-164: Microsoft Security Bulletin Advance Notification for May 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for May 2012. Microsoft has posted 3 Critical Bulletins and 4 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on May 8, 2012, at 11:00 AM Pacific Time (US & Canada).

  4. U-103: Microsoft Security Bulletin Advance Notification for February 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for February 2012. Microsoft has posted 6 Critical Bulletins and 5 Important bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on February 15, 2012, at 11:00 AM Pacific Time (US & Canada).

  5. U-189: Microsoft Security Bulletin Advance Notification for June 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for June2012. Microsoft has posted 3 Critical Bulletins and 4 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on May 13, 2012, at 11:00 AM Pacific Time (US & Canada).

  6. U-235: Microsoft Security Bulletin Advance Notification for August 2012

    Broader source: Energy.gov [DOE]

    Microsoft Security Bulletin Advance Notification for August 2012. Microsoft has posted 5 Critical Bulletins and 4 Important Bulletins. Bulletins with the Maximum Severity Rating and Vulnerability Impact of "Critical" may allow remote execution of code. Microsoft is hosting a webcast to address customer questions on these bulletins on August 15, 2012, at 11:00 AM Pacific Time (US & Canada).

  7. NERSC Computer Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security NERSC Computer Security NERSC computer security efforts are aimed at protecting NERSC systems and its users' intellectual property from unauthorized access or modification. Among NERSC's security goal are: 1. To protect NERSC systems from unauthorized access. 2. To prevent the interruption of services to its users. 3. To prevent misuse or abuse of NERSC resources. Security Incidents If you think there has been a computer security incident you should contact NERSC Security as soon as

  8. Energy Security Council

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    NSEC ¬Ľ Energy Security Council Energy Security Council Reliable, secure, sustainable carbon energy solutions for the nation. Contact Albert Migliori (505) 663-5627 Email David Morris (505) 665 6487 Email David Watkins (50)5 665-1144 Email Energy Security Council The Los Alamos National Laboratory Energy Security Council works to develop new ideas for reliable, secure and sustainable carbon neutral energy solutions for the nation. We serve as the portal to LANL's diverse energy security research

  9. Physical security and tamper-indicating devices

    SciTech Connect (OSTI)

    Johnston, R.G.; Garcia, A.R.E.

    1997-02-01

    Computer systems, electronic communications, digital data, and computer storage media are often highly vulnerable to physical tampering. Tamper-indicating devices, also called security seals, are widely used to detect physical tampering or unauthorized access. We studied 94 different security seals, both passive and electronic, developed either commercially or by the US government. Most of these seals are in wide-spread use, including for critical applications. We learned how to defeat all 94 seals using rapid, inexpensive, low-tech methods. Cost was not a good predictor of seal security. It appears to us that many of these seals can be dramatically improved with minor, low-cost modifications to either the seal or the use protocol.

  10. JC3 Bulletin Archive | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    "blue screen of death" after installation. April 12, 2013 V-132: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities Multiple security vulnerabilities exist...

  11. JC3 | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    "blue screen of death" after installation. April 12, 2013 V-132: IBM Tivoli System Automation Application Manager Multiple Vulnerabilities Multiple security vulnerabilities exist...

  12. JC3 | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    ESX and ESXi March 29, 2013 V-122: IBM Tivoli Application Dependency Discovery Manager Java Multiple Vulnerabilities Multiple security vulnerabilities exist in the Java Runtime...

  13. JC3 Bulletin Archive | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    ESX and ESXi March 29, 2013 V-122: IBM Tivoli Application Dependency Discovery Manager Java Multiple Vulnerabilities Multiple security vulnerabilities exist in the Java Runtime...

  14. Best Practices for the Security of Radioactive Materials

    SciTech Connect (OSTI)

    Coulter, D.T.; Musolino, S.

    2009-05-01

    This work is funded under a grant provided by the US Department of Health and Human Services, Centers for Disease Control. The Department of Health and Mental Hygiene (DOHMH) awarded a contract to Brookhaven National Laboratory (BNL) to develop best practices guidance for Office of Radiological Health (ORH) licensees to increase on-site security to deter and prevent theft of radioactive materials (RAM). The purpose of this document is to describe best practices available to manage the security of radioactive materials in medical centers, hospitals, and research facilities. There are thousands of such facilities in the United States, and recent studies suggest that these materials may be vulnerable to theft or sabotage. Their malevolent use in a radiological-dispersion device (RDD), viz., a dirty bomb, can have severe environmental- and economic- impacts, the associated area denial, and potentially large cleanup costs, as well as other effects on the licensees and the public. These issues are important to all Nuclear Regulatory Commission and Agreement State licensees, and to the general public. This document outlines approaches for the licensees possessing these materials to undertake security audits to identify vulnerabilities in how these materials are stored or used, and to describe best practices to upgrade or enhance their security. Best practices can be described as the most efficient (least amount of effort/cost) and effective (best results) way of accomplishing a task and meeting an objective, based on repeatable procedures that have proven themselves over time for many people and circumstances. Best practices within the security industry include information security, personnel security, administrative security, and physical security. Each discipline within the security industry has its own 'best practices' that have evolved over time into common ones. With respect to radiological devices and radioactive-materials security, industry best practices encompass both physical security (hardware and engineering) and administrative procedures. Security regimes for these devices and materials typically use a defense-in-depth- or layered-security approach to eliminate single points of failure. The Department of Energy, the Department of Homeland Security, the Department of Defense, the American Society of Industrial Security (ASIS), the Security Industry Association (SIA) and Underwriters Laboratory (UL) all rovide design guidance and hardware specifications. With a graded approach, a physical-security specialist can tailor an integrated security-management system in the most appropriate cost-effective manner to meet the regulatory and non-regulatory requirements of the licensee or client.

  15. Headquarters Facilities Master Security Plan- Chapter 10, Security Awareness Program

    Broader source: Energy.gov [DOE]

    2016 Headquarters Facilities Master Security Plan - Chapter 10, Security Awareness Program Describes the DOE Headquarters Security Awareness Program

  16. Headquarters Facilities Master Security Plan- Chapter 8, Operations Security Program

    Broader source: Energy.gov [DOE]

    2016 Headquarters Facilities Master Security Plan - Chapter 8, Operations Security Program Describes the DOE Headquarters Operations Security (OPSEC) Program.

  17. Headquarters Facilities Master Security Plan- Chapter 14, Cyber Security

    Broader source: Energy.gov [DOE]

    2016 Headquarters Facilities Master Security Plan - Chapter 14, Cyber Security Describes the DOE Headquarters Cyber Security Program.

  18. Security for grids

    SciTech Connect (OSTI)

    Humphrey, Marty; Thompson, Mary R.; Jackson, Keith R.

    2005-08-14

    Securing a Grid environment presents a distinctive set of challenges. This paper groups the activities that need to be secured into four categories: naming and authentication; secure communication; trust, policy, and authorization; and enforcement of access control. It examines the current state of the art in securing these processes and introduces new technologies that promise to meet the security requirements of Grids more completely.

  19. Towards a Relation Extraction Framework for Cyber-Security Concepts

    SciTech Connect (OSTI)

    Jones, Corinne L; Bridges, Robert A; Huffer, Kelly M; Goodall, John R

    2015-01-01

    In order to assist security analysts in obtaining information pertaining to their network, such as novel vulnerabilities, exploits, or patches, information retrieval methods tailored to the security domain are needed. As labeled text data is scarce and expensive, we follow developments in semi-supervised NLP and implement a bootstrapping algorithm for extracting security entities and their relationships from text. The algorithm requires little input data, specifically, a few relations or patterns (heuristics for identifying relations), and incorporates an active learning component which queries the user on the most important decisions to prevent drifting the desired relations. Preliminary testing on a small corpus shows promising results, obtaining precision of .82.

  20. Headquarters Facilities Master Security Plan - Chapter 10, Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    receives hisher security clearance; the Annual Security Refresher Briefing, which must be completed each year by all those who hold a security clearance; and the Security ...

  1. Headquarters Facilities Master Security Plan- Chapter 3, Personnel Security

    Broader source: Energy.gov [DOE]

    2016 Headquarters Facilities Master Security Plan - Chapter 3, Personnel Security Describes DOE Headquarters Personnel Security procedures for acquiring, maintaining, and passing security clearances.

  2. Securing the United States' power infrastructure

    SciTech Connect (OSTI)

    Happenny, Sean F.

    2015-08-01

    The United States’ power infrastructure is aging, underfunded, and vulnerable to cyber attack. Emerging smart grid technologies may take some of the burden off of existing systems and make the grid as a whole more efficient, reliable, and secure. The Pacific Northwest National Laboratory (PNNL) is funding research into several aspects of smart grid technology and grid security, creating a software simulation tool that will allow researchers to test power distribution networks utilizing different smart grid technologies to determine how the grid and these technologies react under different circumstances. Demonstrating security in embedded systems is another research area PNNL is tackling. Many of the systems controlling the U.S. critical infrastructure, such as the power grid, lack integrated security and the networks protecting them are becoming easier to breach. Providing a virtual power substation network to each student team at the National Collegiate Cyber Defense Competition, thereby supporting the education of future cyber security professionals, is another way PNNL is helping to strengthen the security of the nation’s power infrastructure.

  3. Denial technology, the neglected security element

    SciTech Connect (OSTI)

    Mauney, C.H.

    1982-01-01

    Even though there has been an increased concern over providing adequate security during the past decade, and even though some aspects of existing security systems have been enhanced during this period, much remains to be done to provide that balance which is so necessary to have all elements function as an effective unit. The area that primarily has been neglected is the delay element - the part of the system which makes possible the needed time for the security force to respond after an intrustion is detected and prior to the adversary attaining his desired goal. The purpose of this paper is to address the vulnerabilities of a security system which exist without the proper delay elements and to suggest how current technology can provide, through the use of activated barriers, that needed delay time to bring the system into balance. Security managers desire reliability and effectiveness; plant managers require safety, non-interference with operations, cost considerate capability, and aesthetic application - these characteristics will be addressed in the context of providing the required delay. This paper, hopefully, will set the stage for dialogue between developer and user, yielding a mutally acceptable approach to balanced security protection.

  4. Nuclear Security Enterprise | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Study options for ensuring the safety, security, and reliability of nuclear warheads on a ... required to ensure the long-term safety, security, and reliability of the nuclear arsenal.

  5. Lessons Learned from Cyber Security Assessments of SCADA and Energy Management Systems

    Energy Savers [EERE]

    U.S. Department of Energy Office of Electricity Delivery and Energy Reliability Enhancing control systems security in the energy sector NSTB September 2006 LESSONS LEARNED FROM CYBER SECURITY ASSESSMENTS OF SCADA AND ENERGY MANAGEMENT SYSTEMS Raymond K. Fink David F. Spencer Rita A. Wells NSTB INL/CON-06-11665 iii ABSTRACT Results from ten cyber security vulnerability assessments of process control, SCADA, and energy management systems, or components of those systems, were reviewed to identify

  6. Security Technologies for Open Networking Environments (STONE)

    SciTech Connect (OSTI)

    Muftic, Sead

    2005-03-31

    Under this project SETECS performed research, created the design, and the initial prototype of three groups of security technologies: (a) middleware security platform, (b) Web services security, and (c) group security system. The results of the project indicate that the three types of security technologies can be used either individually or in combination, which enables effective and rapid deployment of a number of secure applications in open networking environments. The middleware security platform represents a set of object-oriented security components providing various functions to handle basic cryptography, X.509 certificates, S/MIME and PKCS No.7 encapsulation formats, secure communication protocols, and smart cards. The platform has been designed in the form of security engines, including a Registration Engine, Certification Engine, an Authorization Engine, and a Secure Group Applications Engine. By creating a middleware security platform consisting of multiple independent components the following advantages have been achieved - Object-oriented, Modularity, Simplified Development, and testing, Portability, and Simplified extensions. The middleware security platform has been fully designed and a preliminary Java-based prototype has been created for the Microsoft Windows operating system. The Web services security system, designed in the project, consists of technologies and applications that provide authentication (i.e., single sign), authorization, and federation of identities in an open networking environment. The system is based on OASIS SAML and XACML standards for secure Web services. Its topology comprises three major components: Domain Security Server (DSS) is the main building block of the system Secure Application Server (SAS) Secure Client In addition to the SAML and XACML engines, the authorization system consists of two sets of components An Authorization Administration System An Authorization Enforcement System Federation of identities in multi-domain scenarios is supported by a set of security engines that represent the core of the Federated Identities Management Server, which is also an extension of the Domain Security Server. The Federated Identity Management server allows users to federate their identities or terminate the federation between the service provider and the identity provider. At the service provider web site, the users are offered a list of identity providers to which they can choose to federate their identities. After users federate their identity, they can perform Single Sign-On protocol in an environment of federated domains. The group security system consists of a number of security technologies under a unified architecture, which supports creation of secure groups and execution of secure group transactions and applications in an open networking environment. The system is based on extensions of the GSAKMP standard for group key distribution and management. The Top layer is the Security Infrastructure with the Security Management and Administration System components and protocols that provide security functions common to all secure network applications The Middle layer is the Secure Group Protocols and Applications layer, consisting of the Policy and Group Key Distribution Server and Web-based (thin) Client. The Bottom layer is the supporting Middleware Security Platform, the cryptographic platform already described above. The group security system is designed to perform the functions necessary to create secure groups and enable secure group applications. Specifically, the system can manage group roles, create and disseminate a group security policy, perform authentication and authorization of users using PKI certificates and Web services security, generate group keys, and recover from compromises. In accordance with the GSAKMP standard, the group security system must perform all the required group life-cycle functions: group definition, group establishment, group maintenance, and group removal. The group security system has been designed to support four roles: The Security Domain Administrator is responsible for providing security functions defined in the top layer The Server Administrator. The central component of the group security system is the Policy and Group Key Distribution Server The Group Officer (GO) authorizes the creation of groups at a specific Policy and Group Key Distribution Server The Group Member (user) is any entity that participates in group transactions. Secure Group Applications The group security system has been designed to support four secure group applications: A Secure Instant Messaging: with the Secure Instant Messaging application A Secure Whiteboard A Secure Document Sharing A Secure Document Archiving: During the project, the group security system architecture was fully designed and preliminary prototyping was carried out for some of its components.

  7. Security guide for subcontractors

    SciTech Connect (OSTI)

    Adams, R.C.

    1991-01-01

    This security guide of the Department of Energy covers contractor and subcontractor access to DOE and Mound facilities. The topics of the security guide include responsibilities, physical barriers, personnel identification system, personnel and vehicular access controls, classified document control, protecting classified matter in use, storing classified matter repository combinations, violations, security education clearance terminations, security infractions, classified information nondisclosure agreement, personnel security clearances, visitor control, travel to communist-controlled or sensitive countries, shipment security, and surreptitious listening devices.

  8. T-536: Cisco ASA Multiple Flaws Let Remote Users Deny Service...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    6: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls T-536: Cisco ASA Multiple Flaws Let Remote Users Deny Service and Bypass Security Controls ...

  9. Information Technology Specialist (Security)

    Broader source: Energy.gov [DOE]

    A successful candidate in this position will serve as an Information Technology Specialist (Security) responsible for providing technical support in the information security environment which...

  10. Advancing Global Nuclear Security

    Broader source: Energy.gov [DOE]

    Today world leaders gathered at The Hague for the Nuclear Security Summit, a meeting to measure progress and take action to secure sensitive nuclear materials.

  11. Personnel Security Specialist

    Broader source: Energy.gov [DOE]

    This position is located in the Office of Associate Under Secretary for Environment, Health, Safety, and Security (AU), Office of Headquarters Personnel Security Operations. A successful candidate...

  12. National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    U.S. Department of Energy National Nuclear Security Administration Federal Equal ... of September 24, 2011 3 The Department of Energy (DOE) National Nuclear Security ...

  13. National Security, Weapons Science

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    National Security, Weapons Science National security depends on science and technology. The United States relies on Los Alamos National Laboratory for the best of...

  14. Personnel Security Activities

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2003-03-25

    Establishes objectives, requirements and responsibilities for the Personnel Security Program and Personnel Security Assurance Program. Cancels DOE O 472.1B

  15. Chemical Safety Vulnerability Working Group Report

    SciTech Connect (OSTI)

    Not Available

    1994-09-01

    This report marks the culmination of a 4-month review conducted to identify chemical safety vulnerabilities existing at DOE facilities. This review is an integral part of DOE's efforts to raise its commitment to chemical safety to the same level as that for nuclear safety.

  16. Visualizing Cyber Security: Usable Workspaces

    SciTech Connect (OSTI)

    Fink, Glenn A.; North, Christopher L.; Endert, Alexander; Rose, Stuart J.

    2009-10-11

    An environment that supports cyber analytics work should enable multiple, simultaneous investigations, information foraging, and provide a solution space for organizing data. We describe our study of cyber security professionals and visualizations in a large, high-resolution display work environment. We discuss the tasks and needs of analysts that such an environment can support and present several prototypes designed to support these needs. We conclude with a usability evaluation of the prototypes and additional lessons learned.

  17. Radiological Security Partnership | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Administration Programs / Nonproliferation / Global Material Security / Radiological Security Radiological Security Partnership Radiological Security Partnership Secure Your Business, Your Community, and Your Country. Sign Up Today for Services Provided by the Radiological Security Partnership. RSP Logo Initiative of the Global Material Security Program Formerly the Global Threat Reduction Initiative RSP Registration RSP More Info Learn More Radiological Security Partnership Information

  18. Office of Security Assistance

    Broader source: Energy.gov [DOE]

    The Office of Security Assistance manages the Technology Deployment Program to improve the security posture of the Department of Energy and the protection of its assets and facilities through the deployment of new safeguards and security technologies and development of advanced technologies that reduce operating costs, save protective force lives, and improve security effectiveness.

  19. Personnel Security Manual

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    1998-05-22

    This Manual provides detailed requirements and procedures to supplement DOE O 472.1B, Personnel Security Activities, which establishes the overall objectives, requirements, and responsibilities for implementation and operation of the Personnel Security Program and the Personnel Security Assurance Program in the Department of Energy (DOE). This Manual addresses only the Personnel Security Program.

  20. Personnel Security Program Manual

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2000-11-16

    provides detailed requirements and procedures to supplement DOE O 472.1B, PERSONNEL SECURITY ACTIVITIES, which establishes the overall objectives, requirements, and responsibilities for implementation and operation of the Personnel Security Program and the Personnel Security Assurance Program in the Department of Energy (DOE), including the National Nuclear Security Administration (NNSA). Cancels DOE M 472.1-1

  1. T-731:Symantec IM Manager Code Injection Vulnerability | Department...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    T-731:Symantec IM Manager Code Injection Vulnerability T-731:Symantec IM Manager Code Injection Vulnerability September 30, 2011 - 8:30am Addthis PROBLEM: Symantec IM Manager Code...

  2. U-122 Google Chrome Two Code Execution Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities have been reported in Google Chrome, which can be exploited by malicious people to compromise a user's system.

  3. V-116: Google Picasa BMP and TIFF Images Processing Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities have been discovered in Google Picasa, which can be exploited by malicious people to compromise a user's system

  4. T-564: Vulnerabilities in Citrix Licensing administration components

    Broader source: Energy.gov [DOE]

    The vulnerabilities impact all current versions of the Citrix Licensing Administration Console, formerly known as the License Management Console.

  5. Enhancing Energy Infrastructure Resiliency and Addressing Vulnerabilities

    Broader source: Energy.gov [DOE]

    Quadrennial Energy Review Task Force Secretariat and Energy Policy and Systems Analysis Staff, U. S. Department of Energy (DOE) Public Meeting on ‚ÄúEnhancing Resilience in Energy Infrastructure and Addressing Vulnerabilities‚ÄĚ On Friday, April 11, 2014, at 10 a.m. in room HVC-215 of the U.S. Capitol, the Department of Energy (DOE), acting as the Secretariat for the Quadrennial Energy Review Task Force, will hold a public meeting to discuss and receive comments on issues related to the Quadrennial Energy Review (QER). The meeting will focus on infrastructure vulnerabilities related to the electricity, natural gas and petroleum transmission, storage and distribution systems (TS&D). The meeting will consist of two facilitated panels of experts on identifying and addressing vulnerabilities within the nation‚Äôs energy TS&D infrastructure. Following the panels, an opportunity will be provided for public comment via an open microphone session. The meeting will be livestreamed at energy.gov/live

  6. T-594: IBM solidDB Password Hash Authentication Bypass Vulnerability

    Broader source: Energy.gov [DOE]

    This vulnerability could allow remote attackers to execute arbitrary code on vulnerable installations of IBM solidDB. Authentication is not required to exploit this vulnerability.

  7. US Energy Sector Vulnerabilities to Climate Change

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    On the cover: Trans-Alaska oil pipeline; aerial view of New Jersey refinery; coal barges on Mississippi River in St. Paul, Minnesota; power plant in Prince George's County, Maryland; Grand Coulee Dam in Washington State; corn field near Somers, Iowa; wind turbines in Texas. Photo credits: iStockphoto U.S. ENERGY SECTOR VULNERABILITIES TO CLIMATE CHANGE AND EXTREME WEATHER Acknowledgements This report was drafted by the U.S. Department of Energy's Office of Policy and International Affairs

  8. Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy Critical Infrastructure Protection Cyber Vulnerability Assessment Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment This document describes a customized process for cyber vulnerability assessment in compliance with the Critical Infrastructure Protection standards adopted by the North American Electric Reliability Corporation in 2006. This guide covers the planning, execution, and reporting process. PDF icon Guide to Critical Infrastructure

  9. Nuclear Security Summit | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Nuclear Security Summit U.S. and China Continue Cooperative Partnership to Advance Safe, Secure Civil Nuclear Energy for Clean Energy Future DOE/NNSA Hosts 11th U.S.-China Peaceful Uses of Nuclear Technology Meeting at Savannah River National Laboratory in Aiken, South Carolina (Aiken, South Carolina) - On May 10-11, 2016 the U.S. Department of Energy's (DOE) National Nuclear Security Administration (NNSA) and the China... Statement on Signing of the Administrative Arrangement to the Agreement

  10. Radiological Security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    About / Our Programs / Nonproliferation / Global Material Security Radiological Security The program collaborates with domestic and international partners to address the threat of illicit use of high-priority radiological materials in the United States and abroad. The Radiological Security program accomplishes its mission by removing and disposing of excess or orphaned radioactive sources; promoting the replacement of radioactive sources with non-isotopic technologies, where feasible; and

  11. Security Forms | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Security Forms U.S. Department of Energy / U.S. Nuclear Regulatory Commission Nuclear Materials Management & Safeguards System Security Forms Federal Information Processing Standards Publications (FIPS PUBS) FIPS-Associated Documents FIPS 140-2 Security Requirements for Cryptograhic Modules FIPS 185 Escrowed Encryption Standard (EES) FIPS 186-2 Digital Signature Standard (DSS) From Microsoft From VeriSign Managing Contacts' Digital Certificates with Netscape Communicator Managing Contacts'

  12. National Nuclear Security Administration | National Nuclear Security

    National Nuclear Security Administration (NNSA)

    Administration Rights / Workforce Statistics National Nuclear Security Administration FY15 Year End Report Semi Annual Report FY14 Year End Report Semi Annual Report

  13. nuclear security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    25M NNSA Grant for Nuclear Science and Security Research Working With PNNL Mentors, Engineering Students Deliver Prototype Safeguards Fixtures Shaping the future of nuclear ...

  14. Tag: security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    our website, please follow these instructions. More... Category: Security Emergency Vocabulary These are terms you might hear during an emergency situation. More... Category:...

  15. Nuclear Security 101 | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Twenty-eight nations have plans to eliminate all current stocks of HEU by the end of 2013. Upgrading security measures, including physical protection, material control and ...

  16. Physical Security Systems | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Announces 2014 Security Professional of the Year Awards Michael Lempke receives NNSA's Gold Medal of Excellence NNSA's Nevada Field Office Transfers Two Armored Vehicles to FBI...

  17. Energy Vulnerability Assessment for the US Pacific Islands. Technical Appendix 2

    SciTech Connect (OSTI)

    Fesharaki, F.; Rizer, J.P.; Greer, L.S.

    1994-05-01

    The study, Energy Vulnerability Assessment of the US Pacific Islands, was mandated by the Congress of the United States as stated in House Resolution 776-220 of 1992, Section 1406. The resolution states that the US Secretary of Energy shall conduct a study of the implications of the unique vulnerabilities of the insular areas to an oil supply disruption. Such study shall outline how the insular areas shall gain access to vital oil supplies during times of national emergency. The resolution defines insular areas as the US Virgin Islands, Puerto Rico, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and Palau. The US Virgin Islands and Puerto Rico are not included in this report. The US Department of Energy (USDOE) has broadened the scope of the study contained in the House Resolution to include emergency preparedness and response strategies which would reduce vulnerability to an oil supply disruption as well as steps to ameliorate adverse economic consequences. This includes a review of alternative energy technologies with respect to their potential for reducing dependence on imported petroleum. USDOE has outlined the four tasks of the energy vulnerability assessment as the following: (1) for each island, determine crude oil and refined product demand/supply, and characterize energy and economic infrastructure; (2) forecast global and regional oil trade flow patterns, energy demand/supply, and economic activities; (3) formulate oil supply disruption scenarios and ascertain the general and unique vulnerabilities of these islands to oil supply disruptions; and (4) outline emergency preparedness and response options to secure oil supplies in the short run, and reduce dependence on imported oil in the longer term.

  18. T-534: Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

    Broader source: Energy.gov [DOE]

    BlackBerry advisory describes a security issue that the BlackBerry Attachment Service component of the BlackBerry Enterprise Server is susceptible to. The issue relates to a known vulnerability in the PDF distiller component of the BlackBerry Attachment Service that affects how the BlackBerry Attachment Service processes PDF files.

  19. Cyber-Security Considerations for the Smart Grid

    SciTech Connect (OSTI)

    Clements, Samuel L.; Kirkham, Harold

    2010-07-26

    The electrical power grid is evolving into the ‚Äúsmart grid‚ÄĚ. The goal of the smart grid is to improve efficiency and availability of power by adding more monitoring and control capabilities. These new technologies and mechanisms are certain to introduce vulnerabilities into the power grid. In this paper we provide an overview of the cyber security state of the electrical power grid. We highlight some of the vulnerabilities that already exist in the power grid including limited capacity systems, implicit trust and the lack of authentication. We also address challenges of complexity, scale, added capabilities and the move to multipurpose hardware and software as the power grid is upgraded. These changes create vulnerabilities that did not exist before and bring increased risks. We conclude the paper by showing that there are a number mitigation strategies that can help keep the risk at an acceptable level.

  20. port security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    port security NNSA Transfers Responsibility for Radiation Detection System to China Customs SHANGHAI, CHINA - Today, the Nuclear Security Administration's (NNSA) Principal Assistant Deputy Administrator for Defense Nuclear Nonproliferation (DNN), David Huizenga, participated in a ceremony commemorating the transition of a radiation detection system at the Port of Yangshan to the General

  1. Kansas City National Security Campus | National Nuclear Security...

    National Nuclear Security Administration (NNSA)

    Operations Acquisition and Project Management M & O Support Department Kansas City National Security Campus Kansas City National Security Campus National Security Campus ...

  2. Using Operational Security (OPSEC) to Support a Cyber Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    a Cyber Security Culture in Control Systems Environments Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments This document ...

  3. SECURITY AND CYBER REPORTS | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    SECURITY AND CYBER REPORTS SECURITY AND CYBER REPORTS Office of Security Assessments Office of Security Assessments - Report Titles

  4. Security - DOE Directives, Delegations, and Requirements

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security by Website Administrator Back

  5. U.S.-China Cooperation on Nuclear Security | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    -China Cooperation on Nuclear Security U.S.-China Cooperation on Nuclear Security January 20, 2011 - 3:34pm Addthis Damien LaVera Damien LaVera Deputy Director, Office of Public Affairs What does this mean for me? The Center of Excellence on Nuclear Security was established to help support the global effort to secure vulnerable nuclear material around the world. NNSA and the Department of Defense are working with our partners in China to develop a center that will provide a central site for

  6. Office of Information Security

    Broader source: Energy.gov [DOE]

    The Office of Information Security is responsible for implementation of the Classified Matter Protection and Control Program (CMPC), the Operations Security Program (OPSEC) and the Facility Clearance Program and the Survey Program for Headquarters

  7. nevada national security site

    National Nuclear Security Administration (NNSA)

    7%2A en Nevada National Security Site operator recognized for green fleet http:www.nnsa.energy.govblognevada-national-security-site-operator-recognized-green-fleet

    The...

  8. Office of Security Policy

    Broader source: Energy.gov [DOE]

    The Office of Security Policy is the central source within the Department of Energy for the development and analysis of safeguards and security policies and standards affecting facilities, nuclear materials, personnel, and classified information.

  9. Defining and Computing a Valued Based Cyber Security Measure

    SciTech Connect (OSTI)

    Aissa, Anis Ben; Abercrombie, Robert K; Sheldon, Frederick T; Mili, Ali

    2011-01-01

    In earlier works (Ben-Aissa et al. 2010; Abercrombie et al. 2008; Sheldon et al. 2009), we presented a value based measure of cybersecurity that quantifies the security of a system in concrete terms, specifically, in terms of how much each system stakeholder stands to lose (in dollars per hour of operation) as a result of security threats and system vulnerabilities; our metric varies according to the stakes that each stakeholder has in meeting each security requirement. In this paper, we discuss the specification and design of a system that collects, updates, and maintains all the information that pertains to estimating our cybersecurity measure, and offers stakeholders quantitative means to make security-related decisions.

  10. Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Home Y-12 National Security Complex Home Nuclear Deterrence Global Security Naval Reactors Partnerships Security News Search form Search... Search Latest News | CNS, UT chemical...

  11. Secure Control Systems for the Energy Sector

    SciTech Connect (OSTI)

    Smith, Rhett; Campbell, Jack; Hadley, Mark

    2012-03-31

    Schweitzer Engineering Laboratories (SEL) will conduct the Hallmark Project to address the need to reduce the risk of energy disruptions because of cyber incidents on control systems. The goals is to develop solutions that can be both applied to existing control systems and designed into new control systems to add the security measures needed to mitigate energy network vulnerabilities. The scope of the Hallmark Project contains four primary elements: 1. Technology transfer of the Secure Supervisory Control and Data Acquisition (SCADA) Communications Protocol (SSCP) from Pacific Northwest National Laboratories (PNNL) to Schweitzer Engineering Laboratories (SEL). The project shall use this technology to develop a Federal Information Processing Standard (FIPS) 140-2 compliant original equipment manufacturer (OEM) module to be called a Cryptographic Daughter Card (CDC) with the ability to directly connect to any PC enabling that computer to securely communicate across serial to field devices. Validate the OEM capabilities with another vendor. 2. Development of a Link Authenticator Module (LAM) using the FIPS 140-2 validated Secure SCADA Communications Protocol (SSCP) CDC module with a central management software kit. 3. Validation of the CDC and Link Authenticator modules via laboratory and field tests. 4. Creation of documents that record the impact of the Link Authenticator to the operators of control systems and on the control system itself. The information in the documents can assist others with technology deployment and maintenance.

  12. National Security Science Archive

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    NSS Archive National Security Science Latest Issue:April 2016 past issues All Issues ¬Ľ submit National Security Science Archive National Security Science magazine showcases the importance, breadth, and depth of the Laboratory's scientific and technical work that is used to solve key challenges to U.S. national security. NSS April 2016 April 2016 viewer | web | print NSS July 2014 July 2015 viewer | web | print NSS July 2014 December 2014 viewer | web | print NSS July 2014 July 2014 viewer | web

  13. Lemnos Interoperable Security Program

    Energy Savers [EERE]

    Lemnos Interoperable Security Program Creating common language and metrics for describing functions of network security tools and testing for interoperability As energy control systems employ more Internet-based features and routable communication methods, the need grows for enhanced security functions, such as frewalls, virtual private networks (VPNs), and intrusion detection systems. When purchasing network security products, today's control systems users cannot adequately compare products

  14. Security Risk Assessment

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy ... Hydrogen Infrastructure Hydrogen Production Market Transformation Fuel Cells ...

  15. PNNL: Security & Privacy

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security & Privacy Thank you for visiting the Pacific Northwest National Laboratory (PNNL) website (pnnl.gov) and reviewing our security and privacy policies. The following policies apply to all pages and sites in the pnnl.gov domain, unless otherwise noted. Security Notice This website is part of a Federal computer system used to accomplish Federal functions. The Department of Energy monitors this website for security purposes to ensure it remains available to all users and to protect

  16. Lab announces security changes

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Lab announces security changes Lab announces security changes The Laboratory is implementing several changes to its security procedures as the result of a recent security assessment conducted jointly by the Department of Defense and Department of Energy. February 23, 2012 Aerial view of Los Alamos National Laboratory Aerial view of Los Alamos National Laboratory. Contact Kevin Roark Communications Office (505) 665-9202 Email LOS ALAMOS, New Mexico, February 23, 2012-Los Alamos National

  17. Security, Safety and Health

    Energy Savers [EERE]

    Security Through Innovation Security Through Innovation December 2, 2014 - 2:28pm Addthis Security, in all forms, can thrive through innovation. With a mission scope that encompasses technology, energy, science, and nuclear security, the Department of Energy (DOE) has been on the forefront of producing ground-breaking solutions to safeguard our nation's precious resources. DOE is working to develop and pioneer the next generation of technology solutions to protect our critical infrastructure.

  18. Energy Security Center

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Energy Security Center Energy Security Center Developing new ideas for reliable, secure, and sustainable carbon neutral energy solutions for the nation-the portal to LANL's diverse energy security research enterprise. Contact Leader Steven Buelow (505) 663 5629 Email Program Administrator Jutta Kayser (505) 663-5649 Email Research focus areas Materials and concepts for clean energy Science for renewable energy sources Superconducting cables Energy storage Fuel cells Mitigating impacts of global

  19. Personnel Security Program Manual

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2001-07-12

    This Manual provides detailed requirements and procedures to supplement DOE O 472.1B, Personnel Security Activities, which establishes the overall objectives, requirements, and responsibilities for implementation and operation of the Personnel Security Program and the Personnel Security Assurance Program in the Department of Energy (DOE), including the National Nuclear Security Administration (NNSA). Extended until 7-7-06 by DOE N 251.64, dated 7-7-05 Cancels: DOE M 472.1-1A.

  20. Vulnerability Analysis of Energy Delivery Control Systems

    Energy Savers [EERE]

    0-18381 Vulnerability Analysis of Energy Delivery Control Systems September 2011 Idaho National Laboratory Idaho Falls, Idaho 83415 http://www.inl.gov Prepared for the U.S. Department of Energy Office of Electricity Delivery and Energy Reliability Under DOE Idaho Operations Office Contract DE-AC07-05ID14517 The INL is a U.S. Department of Energy National Laboratory operated by Battelle Energy Alliance DISCLAIMER This information was prepared as an account of work sponsored by an agency of the

  1. T-550: Apache Denial of Service Vulnerability

    Office of Energy Efficiency and Renewable Energy (EERE)

    Apache 'APR-util' is prone to a vulnerability that may allow attackers to cause a denial-of-service condition. Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, may allow remote users to cause a Denial of Service (DoS - memory consumption).

  2. Decisions regarding how to secure and invest in our

    Energy Savers [EERE]

    Decisions regarding how to secure and invest in our Nation's energy infrastructure are often complex. Limited resources and investment returns, tight budgets, and lack of information can hinder the process of how to best maintain or improve existing infrastructure or build new energy facilities and systems. Threats or hazards that can impact energy infrastructure and the consequences of those impacts must be known to reduce vulnerabilities. Risk assessment can help to inform decision making when

  3. Control Systems Security Publications Library | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Publications Library Control Systems Security Publications Library Publications Library Repository of documents, listed by topic. (Some of the documents in this section require Adobe Acrobat Reader. You can download a free copy of the Reader by visiting Adobe.) VULNERABILITY REPORTS PERIODICAL ARTICLES ENERGY SECTOR ROADMAP AND ROADMAP IMPLEMENTATION DOE NSTB PROGRAM PLANNING AND RESOURCE DOCUMENTS PROJECT FACT SHEETS TRAINING MATERIALS AND RECOMMENDED PRACTICES ASSESSMENT AND TECHNICAL

  4. Infrastructure Security EXCEPTIONAL SERVICE IN THE NATIONAL INTEREST

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Sandia is a nationally and internationally recognized leader in Nuclear Reactor containment research, supporting operations, lifetime extensions, security and vulnerability assessments, over a broad range of phenomena. Sandia's expertise includes evaluation of containment when subjected to high velocity impacts, enormous pressures and stresses, and attacks by saboteurs. Sandia's resources enable the completion of a complex scientific investigation in its entirety. Its engineers are capable of

  5. Security of databases

    SciTech Connect (OSTI)

    Yeh, Y.S.

    1985-01-01

    In this thesis, the security of databases using cryptographic methods is considered. An algebra for encrypted relational databases is considered and examined. Other database cryptosystems are presented, namely multilevel secure databases including three different approaches; multikey multilevel, cumulative key multilevel, and permutational multilevel secure databases. Finally, entity-relationship encryption is examined.

  6. Multiplicity Counting

    SciTech Connect (OSTI)

    Geist, William H.

    2015-12-01

    This set of slides begins by giving background and a review of neutron counting; three attributes of a verification item are discussed: 240Pueff mass; őĪ, the ratio of (őĪ,n) neutrons to spontaneous fission neutrons; and leakage multiplication. It then takes up neutron detector systems ‚Äď theory & concepts (coincidence counting, moderation, die-away time); detector systems ‚Äď some important details (deadtime, corrections); introduction to multiplicity counting; multiplicity electronics and example distributions; singles, doubles, and triples from measured multiplicity distributions; and the point model: multiplicity mathematics.

  7. Safeguards and Security and Cyber Security RM | Department of Energy

    Energy Savers [EERE]

    Safeguards and Security and Cyber Security RM Safeguards and Security and Cyber Security RM The SSCS RM is a tool that assists the DOE federal project review teams in evaluating the technical sufficiency of the project SSCS activities at CD-0 through CD-4. PDF icon Safeguards and Security and Cyber Security RM More Documents & Publications Safeguards and Security Program, acronyms and abbereviations - DOE M 470.4-7 Safeguards and Security Glossary - DOE M 470.4-7 References, Canceled -7

  8. Data management for geospatial vulnerability assessment of interdependencies in US power generation

    SciTech Connect (OSTI)

    Shih, C.Y.; Scown, C.D.; Soibelman, L.; Matthews, H.S.; Garrett, J.H.; Dodrill, K.; McSurdy, S.

    2009-09-15

    Critical infrastructures maintain our society's stability, security, and quality of life. These systems are also interdependent, which means that the disruption of one infrastructure system can significantly impact the operation of other systems. Because of the heavy reliance on electricity production, it is important to assess possible vulnerabilities. Determining the source of these vulnerabilities can provide insight for risk management and emergency response efforts. This research uses data warehousing and visualization techniques to explore the interdependencies between coal mines, rail transportation, and electric power plants. By merging geospatial and nonspatial data, we are able to model the potential impacts of a disruption to one or more mines, rail lines, or power plants, and visually display the results using a geographical information system. A scenario involving a severe earthquake in the New Madrid Seismic Zone is used to demonstrate the capabilities of the model when given input in the form of a potentially impacted area. This type of interactive analysis can help decision makers to understand the vulnerabilities of the coal distribution network and the potential impact it can have on electricity production.

  9. Evaluating operating system vulnerability to memory errors.

    SciTech Connect (OSTI)

    Ferreira, Kurt Brian; Bridges, Patrick G.; Pedretti, Kevin Thomas Tauke; Mueller, Frank; Fiala, David; Brightwell, Ronald Brian

    2012-05-01

    Reliability is of great concern to the scalability of extreme-scale systems. Of particular concern are soft errors in main memory, which are a leading cause of failures on current systems and are predicted to be the leading cause on future systems. While great effort has gone into designing algorithms and applications that can continue to make progress in the presence of these errors without restarting, the most critical software running on a node, the operating system (OS), is currently left relatively unprotected. OS resiliency is of particular importance because, though this software typically represents a small footprint of a compute node's physical memory, recent studies show more memory errors in this region of memory than the remainder of the system. In this paper, we investigate the soft error vulnerability of two operating systems used in current and future high-performance computing systems: Kitten, the lightweight kernel developed at Sandia National Laboratories, and CLE, a high-performance Linux-based operating system developed by Cray. For each of these platforms, we outline major structures and subsystems that are vulnerable to soft errors and describe methods that could be used to reconstruct damaged state. Our results show the Kitten lightweight operating system may be an easier target to harden against memory errors due to its smaller memory footprint, largely deterministic state, and simpler system structure.

  10. Secure Transportation Management

    SciTech Connect (OSTI)

    Gibbs, P. W.

    2014-10-15

    Secure Transport Management Course (STMC) course provides managers with information related to procedures and equipment used to successfully transport special nuclear material. This workshop outlines these procedures and reinforces the information presented with the aid of numerous practical examples. The course focuses on understanding the regulatory framework for secure transportation of special nuclear materials, identifying the insider and outsider threat(s) to secure transportation, organization of a secure transportation unit, management and supervision of secure transportation units, equipment and facilities required, training and qualification needed.

  11. safeguards and security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    safeguards and security ProForce marks 65 years protecting Sandia resources, facilities, ... Over the past 65 years, the force has changed in size and structure but its mission has... ...

  12. NATIONAL SECURITY TECHNOLOGIES - NEVADA NATIONAL SECURITY SITE

    National Nuclear Security Administration (NNSA)

    - NEVADA NATIONAL SECURITY SITE FISCAL YEARS 2009 THRU 2015 SMALL BUSINESS PROGRAM RESULTS & FORECAST CATEGORY Total Procurement Total SB Small Disad. Bus Woman-Owned SB Hub-Zone ...

  13. Secure Storage | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    material that it protects. Y-12 is the "Fort Knox" of uranium. We oversee the secure management and storage of strategic and special nuclear materials that have been removed...

  14. Social vulnerability indicators as a sustainable planning tool

    SciTech Connect (OSTI)

    Lee, Yung-Jaan

    2014-01-15

    In the face of global warming and environmental change, the conventional strategy of resource centralization will not be able to cope with a future of increasingly extreme climate events and related disasters. It may even contribute to inter-regional disparities as a result of these events. To promote sustainable development, this study offers a case study of developmental planning in Chiayi, Taiwan and a review of the relevant literature to propose a framework of social vulnerability indicators at the township level. The proposed framework can not only be used to measure the social vulnerability of individual townships in Chiayi, but also be used to capture the spatial developmental of Chiayi. Seventeen social vulnerability indicators provide information in five dimensions. Owing to limited access to relevant data, the values of only 13 indicators were calculated. By simply summarizing indicators without using weightings and by using zero-mean normalization to standardize the indicators, this study calculates social vulnerability scores for each township. To make social vulnerability indicators more useful, this study performs an overlay analysis of social vulnerability and patterns of risk associated with national disasters. The social vulnerability analysis draws on secondary data for 2012 from Taiwan's National Geographic Information System. The second layer of analysis consists of the flood potential ratings of the Taiwan Water Resources Agency as an index of biophysical vulnerability. The third layer consists of township-level administrative boundaries. Analytical results reveal that four out of the 18 townships in Chiayi not only are vulnerable to large-scale flooding during serious flood events, but also have the highest degree of social vulnerability. Administrative boundaries, on which social vulnerability is based, do not correspond precisely to ďcross-administrative boundaries,Ē which are characteristics of the natural environment. This study adopts an exploratory approach that provides Chiayi and other government agencies with a foundation for sustainable strategic planning for environmental change. The final section offers four suggestions concerning the implications of social vulnerability for local development planning. -- Highlights: ē This study proposes a framework of social vulnerability indicators at the township level in Chiayi County, Taiwan. ē Seventeen social vulnerability indicators are categorized into four dimensions. ē This study performs a three-layer overlay analysis of social vulnerability and natural disaster risk patterns. ē 4 out of the 18 townships not only have potential for large-scale flooding, but also high degree of social vulnerability. ē This study provides a foundation for sustainable strategic planning to deal with environmental change. ē Four suggestions are proposed regarding the implications of social vulnerability for local development planning.

  15. Information Security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    Information Security Information security deals with requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or NNSA and Department of Energy (DOE) directives. Classified Matter Protection and Control ensures the protection and control of classified matter. It includes briefing and training requirements for personnel who work with classified on identifying, marking, reproducing, protecting, handling, transmitting,

  16. Review of Enabling Technologies to Facilitate Secure Compute Customization

    SciTech Connect (OSTI)

    Aderholdt, Ferrol; Caldwell, Blake A; Hicks, Susan Elaine; Koch, Scott M; Naughton, III, Thomas J; Pelfrey, Daniel S; Pogge, James R; Scott, Stephen L; Shipman, Galen M; Sorrillo, Lawrence

    2014-12-01

    High performance computing environments are often used for a wide variety of workloads ranging from simulation, data transformation and analysis, and complex workflows to name just a few. These systems may process data for a variety of users, often requiring strong separation between job allocations. There are many challenges to establishing these secure enclaves within the shared infrastructure of high-performance computing (HPC) environments. The isolation mechanisms in the system software are the basic building blocks for enabling secure compute enclaves. There are a variety of approaches and the focus of this report is to review the different virtualization technologies that facilitate the creation of secure compute enclaves. The report reviews current operating system (OS) protection mechanisms and modern virtualization technologies to better understand the performance/isolation properties. We also examine the feasibility of running ``virtualized'' computing resources as non-privileged users, and providing controlled administrative permissions for standard users running within a virtualized context. Our examination includes technologies such as Linux containers (LXC [32], Docker [15]) and full virtualization (KVM [26], Xen [5]). We categorize these different approaches to virtualization into two broad groups: OS-level virtualization and system-level virtualization. The OS-level virtualization uses containers to allow a single OS kernel to be partitioned to create Virtual Environments (VE), e.g., LXC. The resources within the host's kernel are only virtualized in the sense of separate namespaces. In contrast, system-level virtualization uses hypervisors to manage multiple OS kernels and virtualize the physical resources (hardware) to create Virtual Machines (VM), e.g., Xen, KVM. This terminology of VE and VM, detailed in Section 2, is used throughout the report to distinguish between the two different approaches to providing virtualized execution environments. As part of our technology review we analyzed several current virtualization solutions to assess their vulnerabilities. This included a review of common vulnerabilities and exposures (CVEs) for Xen, KVM, LXC and Docker to gauge their susceptibility to different attacks. The complete details are provided in Section 5 on page 33. Based on this review we concluded that system-level virtualization solutions have many more vulnerabilities than OS level virtualization solutions. As such, security mechanisms like sVirt (Section 3.3) should be considered when using system-level virtualization solutions in order to protect the host against exploits. The majority of vulnerabilities related to KVM, LXC, and Docker are in specific regions of the system. Therefore, future "zero day attacks" are likely to be in the same regions, which suggests that protecting these areas can simplify the protection of the host and maintain the isolation between users. The evaluations of virtualization technologies done thus far are discussed in Section 4. This includes experiments with 'user' namespaces in VEs, which provides the ability to isolate user privileges and allow a user to run with different UIDs within the container while mapping them to non-privileged UIDs in the host. We have identified Linux namespaces as a promising mechanism to isolate shared resources, while maintaining good performance. In Section 4.1 we describe our tests with LXC as a non-root user and leveraging namespaces to control UID/GID mappings and support controlled sharing of parallel file-systems. We highlight several of these namespace capabilities in Section 6.2.3. The other evaluations that were performed during this initial phase of work provide baseline performance data for comparing VEs and VMs to purely native execution. In Section 4.2 we performed tests using the High-Performance Computing Conjugate Gradient (HPCCG) benchmark to establish baseline performance for a scientific application when run on the Native (host) machine in contrast with execution under Docker and KVM. Our tests verified prior studies showing roughly 2-4% overheads in application execution time & MFlops when running in hypervisor-base environments (VMs) as compared to near native performance with VEs. For more details, see Figures 4.5 (page 28), 4.6 (page 28), and 4.7 (page 29). Additionally, in Section 4.3 we include network measurements for TCP bandwidth performance over the 10GigE interface in our testbed. The Native and Docker based tests achieved >= ~9Gbits/sec, while the KVM configuration only achieved 2.5Gbits/sec (Table 4.6 on page 32). This may be a configuration issue with our KVM installation, and is a point for further testing as we refine the network settings in the testbed. The initial network tests were done using a bridged networking configuration. The report outline is as follows: - Section 1 introduces the report and clarifies the scope of the proj...

  17. Sandia Energy - Installation Energy Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Installation Energy Security Home Stationary Power Safety, Security & Resilience of Energy Infrastructure Grid Modernization Resilient Electric Infrastructures Military...

  18. Tribal Energy System Vulnerabilities to Climate Change and Extreme Weather

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy System Vulnerabilities to Climate Change and Extreme Weather Tribal Energy System Vulnerabilities to Climate Change and Extreme Weather This U.S. Department of Energy Office of Indian Energy report assesses climate change and extreme weather vulnerabilities specific to tribal energy infrastructure and systems in the contiguous United States and Alaska. It includes information about the impacts from climate change and extreme weather events on both onsite and offsite

  19. TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    | Department of Energy TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR ASSOCIATED MITIGATIONS This document provides practices that can help mitigate the potential risks that can occur to some electricity sector organizations. Each organization decides for itself the risks it can accept and the practices it deems appropriate to manage those risks. PDF icon TOP 10 VULNERABILITIES OF CONTROL SYSTEMS AND THEIR

  20. T-578: Vulnerability in MHTML Could Allow Information Disclosure |

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Department of Energy 8: Vulnerability in MHTML Could Allow Information Disclosure T-578: Vulnerability in MHTML Could Allow Information Disclosure March 15, 2011 - 3:05pm Addthis PROBLEM: Microsoft Windows is prone to a vulnerability that may allow attackers to inject arbitrary script code into the current browser session. PLATFORM: Windows 2003 SP2, Vista SP2, 2008 SP2, XP SP3, 7; and prior service packs ABSTRACT: A vulnerability was reported in Microsoft MHTML. A remote user can conduct

  1. U-172: OpenOffice.org Two Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities have been reported in OpenOffice.org, which can be exploited by malicious people to compromise a user's system.

  2. AFTER A Framework for electrical power sysTems vulnerability...

    Open Energy Info (EERE)

    Germany) Jump to: navigation, search Project Name AFTER A Framework for electrical power sysTems vulnerability identification, dEfense and Restoration Country Germany Coordinates...

  3. AFTER A Framework for electrical power sysTems vulnerability...

    Open Energy Info (EERE)

    France) Jump to: navigation, search Project Name AFTER A Framework for electrical power sysTems vulnerability identification, dEfense and Restoration Country France Coordinates...

  4. V-062: Asterisk Two Denial of Service Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).

  5. AFTER A Framework for electrical power sysTems vulnerability...

    Open Energy Info (EERE)

    United Kingdom) Jump to: navigation, search Project Name AFTER A Framework for electrical power sysTems vulnerability identification, dEfense and Restoration Country United Kingdom...

  6. Tribal Energy System Vulnerabilities to Climate Change and Extreme...

    Broader source: Energy.gov (indexed) [DOE]

    Tribal Energy System Vulnerabilities to Climate Change and Extreme Weather ii NOTICE This ... States government or any agency thereof. energy.govindianenergy | indianenergy@hq.doe.go...

  7. AFTER A Framework for electrical power sysTems vulnerability...

    Open Energy Info (EERE)

    Ireland) Jump to: navigation, search Project Name AFTER A Framework for electrical power sysTems vulnerability identification, dEfense and Restoration Country Ireland Coordinates...

  8. AFTER A Framework for electrical power sysTems vulnerability...

    Open Energy Info (EERE)

    :"","inlineLabel":"","visitedicon":"" Display map Period 2011-2014 References EU Smart Grid Projects Map1 Overview AFTER addresses vulnerability evaluation and contingency...

  9. V-082: Novell GroupWise Client Two Vulnerabilities

    Broader source: Energy.gov [DOE]

    Two vulnerabilities have been reported in Novell GroupWise Client, which can be exploited by malicious people to compromise a user's system.

  10. U-086:Linux Kernel "/proc//mem" Privilege Escalation Vulnerability

    Broader source: Energy.gov [DOE]

    A vulnerability has been discovered in the Linux Kernel, which can be exploited by malicious, local users to gain escalated privileges.

  11. Vulnerability Analysis of Energy Delivery Control Systems - 2011...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Vulnerability Analysis of Energy Delivery Control Systems - 2011 Cybersecurity for energy ... (DOEOE) National Supervisory Control and Data Acquisition (SCADA) Test Bed ...

  12. What is Security? A perspective on achieving security

    SciTech Connect (OSTI)

    Atencio, Julian J.

    2014-05-05

    This presentation provides a perspective on achieving security in an organization. It touches upon security as a mindset, ability to adhere to rules, cultivating awareness of the reason for a security mindset, the quality of a security program, willingness to admit fault or acknowledge failure, peer review in security, science as a model that can be applied to the security profession, the security vision, security partnering, staleness in the security program, security responsibilities, and achievement of success over time despite the impossibility of perfection.

  13. U-117: Potential security vulnerability has been identified with certain HP printers and HP digital senders

    Broader source: Energy.gov [DOE]

    Remote attackers could execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update.

  14. U-200: Red Hat Directory Server Information Disclosure Security Issue and Vulnerability

    Broader source: Energy.gov [DOE]

    If an LDAP user had changed their password, and the directory server had not been restarted since that change, an attacker able to bind to the directory server could obtain the plain text version of that user's password.

  15. U-188: MySQL User Login Security Bypass and Unspecified Vulnerability

    Broader source: Energy.gov [DOE]

    An error when verifying authentication attempts can be exploited to bypass the authentication mechanism.

  16. U-062: Pidgin SILC (Secure Internet Live Conferencing) Protocol Denial of Service Vulnerability

    Broader source: Energy.gov [DOE]

    An attacker can exploit these issues by constructing and submitting a specially crafted SILC message. Successful exploits will cause the affected application to crash.

  17. U-009:Microsoft Security Bulletin Summary for October 2011

    Broader source: Energy.gov [DOE]

    Microsoft released 8 bulletins to address vulnerabilities. This Microsoft bulletin contains 2 critical vulnerabilities.

  18. Protection of Use Control Vulnerabilities and Designs

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    1999-07-01

    This Manual establishes a general process and provides direction for controlling access and dissemination of Sigma 14 and 15 Weapon Data at the Department of Energy (DOE). It supplements DOE O 452.4, SECURITY AND CONTROL OF NUCLEAR EXPLOSIVES AND NUCLEAR WEAPONS, which establishes DOE requirements and responsibilities to prevent the deliberate unauthorized use of U.S. nuclear explosives and U.S. nuclear weapons. Canceled by DOE M 452.4-1A. Does not cancel other directives.

  19. Wide Area Security Region Final Report

    SciTech Connect (OSTI)

    Makarov, Yuri V.; Lu, Shuai; Guo, Xinxin; Gronquist, James; Du, Pengwei; Nguyen, Tony B.; Burns, J. W.

    2010-03-31

    This report develops innovative and efficient methodologies and practical procedures to determine the wide-area security region of a power system, which take into consideration all types of system constraints including thermal, voltage, voltage stability, transient and potentially oscillatory stability limits in the system. The approach expands the idea of transmission system nomograms to a multidimensional case, involving multiple system limits and parameters such as transmission path constraints, zonal generation or load, etc., considered concurrently. The security region boundary is represented using its piecewise approximation with the help of linear inequalities (so called hyperplanes) in a multi-dimensional space, consisting of system parameters that are critical for security analyses. The goal of this approximation is to find a minimum set of hyperplanes that describe the boundary with a given accuracy. Methodologies are also developed to use the security hyperplanes, pre-calculated offline, to determine system security margins in real-time system operations, to identify weak elements in the system, and to calculate key contributing factors and sensitivities to determine the best system controls in real time and to assist in developing remedial actions and transmission system enhancements offline . A prototype program that automates the simulation procedures used to build the set of security hyperplanes has also been developed. The program makes it convenient to update the set of security hyperplanes necessitated by changes in system configurations. A prototype operational tool that uses the security hyperplanes to assess security margins and to calculate optimal control directions in real time has been built to demonstrate the project success. Numerical simulations have been conducted using the full-size Western Electricity Coordinating Council (WECC) system model, and they clearly demonstrated the feasibility and the effectiveness of the developed technology. Recommendations for the future work have also been formulated.

  20. NNSA orders security enhancements

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Administration labs and sites get girls excited about engineering Wednesday, March 16, 2016 - 1:41pm Future engineers K. Potter, left, and T. Herrin at Y-12 National Security Complex's Introduce a Girl to Engineering event. NNSA workers across the nuclear security enterprise took advantage of "Introduce a girl to engineering day" to instill hundreds of young women with excitement for science, technology, engineering, and math (STEM) careers. This year's theme,

  1. National Security Science

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Science National Security Science Latest Issue:April 2016 past issues All Issues ¬Ľ submit National Security Science Showcasing Los Alamos National Laboratory's work on nuclear weapons and in science for national and global security April 2016 july 2015 The Hurt-Locker School Explosive Results Questing for the Holy Grail of High Explosives Learning from (Near) Disaster A Safer Liftoff Shake, Rattle, and Roll Manhattan Project National Historical Park Strategic Deterrent Forces Charting a

  2. Security | Argonne National Laboratory

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Enhancing national and homeland security requires technological advancements in everything from biosensors to risk assessments. Game-changing scientific discovery is required for the development of sensors, detectors and other technological advancements used to protect and defend our country. At Argonne, our highly collaborative community of scientists and engineers discover and develop critical security and defense technologies to prevent and mitigate events with the potential for mass

  3. National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    NNSA hosts CTBT inspectors at Nevada National Security Site Read more Y-12 honors its inventors for technology transfer Read more Sandia National Laboratories Contract Process Announced Read more NNSA honors two security professionals who protect U.S. nuclear enterprise Read more NNSA lab makes fire tornados to ensure weapon safety Read more Sandia's California site invites community to 60th anniversary Read more CTBT inspectors Tech Transfer Sandia Contract Security awards Fire tornados Sandia

  4. Alamos National Security, LLC

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Eleven nonprofit organizations receive community giving grants from Los Alamos National Security, LLC December 15, 2009 Los Alamos, New Mexico, December 15, 2009- Eleven local nonprofit organizations with projects supported by Los Alamos National Laboratory employee volunteers received $75,000 in Community Giving grants from Los Alamos National Security, LLC, the company that manages the Lab for the National Nuclear Security Administration. The organizations are located in Los Alamos, Espa√Īola,

  5. Security Risk Assessment

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Risk Assessment - Sandia Energy Energy Search Icon Sandia Home Locations Contact Us Employee Locator Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas Safety, Security & Resilience of the Energy Infrastructure Energy Storage Nuclear Power & Engineering Grid Modernization Battery Testing Nuclear Fuel Cycle Defense Waste Management Programs Advanced

  6. The theory of diversity and redundancy in information system security : LDRD final report.

    SciTech Connect (OSTI)

    Mayo, Jackson R.; Torgerson, Mark Dolan; Walker, Andrea Mae; Armstrong, Robert C.; Allan, Benjamin A.; Pierson, Lyndon George

    2010-10-01

    The goal of this research was to explore first principles associated with mixing of diverse implementations in a redundant fashion to increase the security and/or reliability of information systems. Inspired by basic results in computer science on the undecidable behavior of programs and by previous work on fault tolerance in hardware and software, we have investigated the problem and solution space for addressing potentially unknown and unknowable vulnerabilities via ensembles of implementations. We have obtained theoretical results on the degree of security and reliability benefits from particular diverse system designs, and mapped promising approaches for generating and measuring diversity. We have also empirically studied some vulnerabilities in common implementations of the Linux operating system and demonstrated the potential for diversity to mitigate these vulnerabilities. Our results provide foundational insights for further research on diversity and redundancy approaches for information systems.

  7. National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    The Department of Energy (DOE), the National Nuclear Security Administration (NNSA) and the University of California (UC) have agreed on new management and operations contracts for ...

  8. Security Forms and Information

    Broader source: Energy.gov [DOE]

    Homeland Security Presidential Directive HSPD-12 established new policy for a common identification standard for Federal Employees and contractors. As of October 27, 2005, all new Federal employees...

  9. Sandia Energy - Water Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Energy & Climate Secure & Sustainable Energy Future Stationary Power Energy Conversion Efficiency Solar Energy Wind Energy Water Power Supercritical CO2 Geothermal Natural Gas...

  10. SecuritySmart

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    House); * TA-00, Bldg. 760 (Legal Counsel); and * TA-3, Bldg. 1411 (Occupational Medicine). All other buildings in non-secure areas must be individually accounted for in...

  11. National Nuclear Security Administration

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    aspects relating to the Materials Security and Consolidation Project includine Energy Systems Acquisition Advisory Board equivalents, Critical Decisions, and Quarterly Project...

  12. Oil Security Metrics Model

    SciTech Connect (OSTI)

    Greene, David L.; Leiby, Paul N.

    2005-03-06

    A presentation to the IWG GPRA USDOE, March 6, 2005, Washington, DC. OSMM estimates oil security benefits of changes in the U.S. oil market.

  13. National Nuclear Security Administration

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    or 1-888-246-2460 using the following timeframes

    using the following timeframes

    //A * ~ w r_ra (b11 II V &. l,4t~Cf..-"i National Nuclear Security Administration DOE/NV--325-Rev. lOa February 2015 Nevada National Security Site Waste Acceptance Criteria Prepared by U.S. Department of Energy National Nuclear Security Administration Nevada Field Office . Environmental Management Operations February 2015 Nevada National Security Site Waste Acceptance Criteria Disclaimer Notice

  14. Office of Radiological Security

    National Nuclear Security Administration (NNSA)

    of physical security of radiological materials;

  15. Provision of mobile and man-portable radiation detection equipment;
  16. Regional cooperation on safeguards...

  17. Cyber Security Architecture Guidelines

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2001-03-08

    This Guide provides supplemental information on the implementation of cyber security architectures throughout the Department of Energy. Canceled by DOE N 205.18

  18. Supervisory Industrial Security Specialist

    Broader source: Energy.gov [DOE]

    A successful candidate in this position will serve as the Deputy Assistant Manager for Safeguards, Security, and Emergency Management sharing the overall responsibility for execution of the...

  19. Sandia Energy - Water Security

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Security Home Analysis Permalink Gallery Climate Change Is the Subject of a New Book Analysis, Climate, Global Climate & Energy, Monitoring, News, News & Events, Sensing, Sensing &...

  20. defense nuclear security

    National Nuclear Security Administration (NNSA)

    3%2A en Defense Nuclear Security http:www.nnsa.energy.govaboutusourprogramsnuclearsecurity

  21. Nuclear Security Summit

    National Nuclear Security Administration (NNSA)

    Joint Research Centre and the United States Department of Energy's National Nuclear Security Administration regarding the reduction of excess nuclear material http:...

  22. Nevada National Security Site

    National Nuclear Security Administration (NNSA)

    ... and Beyond - National Security - Non-Proliferation - Environmental Management Defense ... explosive devices and to detect the proliferation of weapons of mass destruction. * ...

  1. Security | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    ... or mentalpersonality disorders, alcohol abuse, use of illegal drugs or the abuse ... in the Human Reliability and Alcohol Abuse Within the Office Secure ...

  2. National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    preparedness Read More NSC leader recognized as community role model Read More Apex Gold discussion fosters international cooperation in run-up to 2016 Nuclear Security Summit...

  3. Security Council Approval of Kofi

    Energy Savers [EERE]

    Security Control Assessor Security Control Assessor Cyber-security-300x199.jpg The Security Control Assessor (SOA) is responsible for assessing the management, operational, assurance, and technical security controls implemented on an information system via security testing and evaluation (ST&E) methods. The SOA must be independent of system development, operation, and deficiency mitigation. PDF icon Security Control Assessor Core Competency Training Worksheet More Documents &

  4. T-622: Adobe Acrobat and Reader Unspecified Memory Corruption Vulnerability

    Broader source: Energy.gov [DOE]

    The vulnerability is due to an unspecified error in the affected software when it processes .pdf files. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious .pdf file. When viewed, the file could trigger a memory corruption error that could allow the attacker to execute arbitrary code on the system with the privileges of the user.

  5. T-616: PHP Stream Component Remote Denial of Service Vulnerability

    Broader source: Energy.gov [DOE]

    PHP is prone to a remote denial-of-service vulnerability because the proxy server fails to handle certain FTP requests. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Versions prior to PHP 5.3.6 are vulnerable.

  6. Office of Global Material Security | National Nuclear Security

    National Nuclear Security Administration (NNSA)

    Administration Global Material Security NNSA Co-Hosts Nuclear Security Summit Workshop on Maritime Security with UK WASHINGTON - This week, the Department of Energy's National Nuclear Security Administration (DOE/NNSA) and the U.K. Department of Energy and Climate Change concluded a workshop at Wilton Park, United Kingdom, on the growing challenge of securing the global maritime supply chain. In

  7. Protection of Use Control Vulnerabilities and Design

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2004-03-11

    This manual establishes a general process and provides direction for controlling access to and disseminating Sigma 14 and 15 nuclear weapon data (NWD) at the Department of Energy (DOE). It supplements DOE O 452.4A, Security and Control of Nuclear Explosives and Nuclear Weapons, dated 12-17-01, which establishes DOE requirements and responsibilities to prevent the deliberate unauthorized use of U.S. nuclear explosives and nuclear weapons. Cancels DOE M 452.4-1. Canceled by DOE O 452.7, 5-14-2010

  8. Incidents of Security Concern

    SciTech Connect (OSTI)

    Atencio, Julian J.

    2014-05-01

    This presentation addresses incidents of security concern and an incident program for addressing them. It addresses the phases of an inquiry, and it divides incidents into categories based on severity and interest types based on whether security, management, or procedural interests are involved. A few scenarios are then analyzed according to these breakdowns.

  9. Water Security Toolkit

    Energy Science and Technology Software Center (OSTI)

    2012-09-11

    The Water Security Toolkit (WST) provides software for modeling and analyzing water distribution systems to minimize the potential impact of contamination incidents. WST wraps capabilities for contaminant transport, impact assessment, and sensor network design with response action plans, including source identification, rerouting, and decontamination, to provide a range of water security planning and real-time applications.

  10. Operations Security (OPSEC) Reminder

    Broader source: Energy.gov [DOE]

    DOE O 471.6, Section 4.f, Information Security Manual and the DOE Headquarters Facilities Master Security Plan, Section 8, OPSEC, require that each element review information before it is posted to their publicly accessible website to ensure the data does not contain Controlled Unclassified Information and/or sensitive (critical information).

  11. Secure video communications system

    DOE Patents [OSTI]

    Smith, Robert L.

    1991-01-01

    A secure video communications system having at least one command network formed by a combination of subsystems. The combination of subsystems to include a video subsystem, an audio subsystem, a communications subsystem, and a control subsystem. The video communications system to be window driven and mouse operated, and having the ability to allow for secure point-to-point real-time teleconferencing.

  12. Safeguards and Security Program

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2010-12-29

    The Safeguards and Security Program ensures that the Department of Energy efficiently and effectively meets all its obligations to protect Special Nuclear Material, other nuclear materials, classified matter, sensitive information, government property, and the safety and security of employees, contractors, and the general public. Supersedes DOE P 470.1.

  13. Information Security Program

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    1992-10-19

    To establish the Department of Energy (DOE) Information Security Program and set forth policies, procedures and responsibilities for the protection and control of classified and sensitive information. The Information Security Program is a system of elements which serve to deter collection activities, This directive does not cancel another directive. Canceled by DOE O 471.2 of 9-28-1995.

  14. Safeguards and Security Program

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2016-02-10

    The Safeguards and Security Program ensures that the Department of Energy efficiently and effectively meets all its obligations to protect Special Nuclear Material, other nuclear materials, classified matter, sensitive information, government property and facilities, and the safety and security of employees, contractors, and the general public. Supersedes DOE P 470.1A.

  15. Information Security Program

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    1997-03-27

    Establishes an Information Security Program for the protection and control of classified and sensitive information. Extended until 5-11-06 by DOE N 251.63, dated 5-11-05. DOE O 471.2A, Information Security Program, dated 3/27/1997, extended by DOE N 251.57, dated 4/28/2004. Cancels: DOE O 471.2

  16. international security policy | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    security policy Nuclear Verification Challenge: Maintain the U.S. ability to monitor and verify nuclear reduction agreements and detect violations of treaties and other nuclear nonproliferation commitments. Solution: Develop and deploy measures to ensure verifiable compliance with treaties and other international agreements,... International Nuclear Safeguards Challenge: Detect/deter undeclared nuclear materials and activities. Solution: Build capacity of the International Atomic Energy Agency

  17. international security | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    security Nuclear Verification Challenge: Maintain the U.S. ability to monitor and verify nuclear reduction agreements and detect violations of treaties and other nuclear nonproliferation commitments. Solution: Develop and deploy measures to ensure verifiable compliance with treaties and other international agreements,... International Nuclear Safeguards Challenge: Detect/deter undeclared nuclear materials and activities. Solution: Build capacity of the International Atomic Energy Agency and

  18. International Nuclear Security

    SciTech Connect (OSTI)

    Doyle, James E.

    2012-08-14

    This presentation discusses: (1) Definitions of international nuclear security; (2) What degree of security do we have now; (3) Limitations of a nuclear security strategy focused on national lock-downs of fissile materials and weapons; (4) What do current trends say about the future; and (5) How can nuclear security be strengthened? Nuclear security can be strengthened by: (1) More accurate baseline inventories; (2) Better physical protection, control and accounting; (3) Effective personnel reliability programs; (4) Minimize weapons-usable materials and consolidate to fewer locations; (5) Consider local threat environment when siting facilities; (6) Implement pledges made in the NSS process; and (7) More robust interdiction, emergency response and special operations capabilities. International cooperation is desirable, but not always possible.

  19. Headquarters Facilities Master Security Plan- Chapter 1, Physical Security

    Broader source: Energy.gov [DOE]

    2016 Headquarters Facilities Master Security Plan - Chapter 1, Physical Security Describes DOE Headquarters Physical Security procedures related to badges, inspections, access controls, visitor controls, and removal of government property.

  20. Information Security: Coordination of Federal Cyber Security Research and

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Development | Department of Energy Security: Coordination of Federal Cyber Security Research and Development Information Security: Coordination of Federal Cyber Security Research and Development GAO recommends that the Office of Science and Technology Policy establish timelines for developing a federal agenda for cyber security research. GAO also recommends that the Office of Management and Budget (OMB) issue guidance to agencies for providing cyber security research data to repositories. In

  1. Categorical Exclusion Determinations: Health, Safety, and Security...

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Health, Safety, and Security Categorical Exclusion Determinations: Health, Safety, and Security Categorical Exclusion Determinations issued by Health, Safety, and Security. ...

  2. National Security Technology Center | Y-12 National Security...

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    to NSTC. Global Security Cooley joins Y-12's Global Security and Strategic Partnerships Manufacturing and Technical Services Nuclear Material Recovery Nuclear Detection and...

  3. Office of Radiological Security | National Nuclear Security Administra...

    National Nuclear Security Administration (NNSA)

    Gallery Photo Gallery Jobs Apply for Our Jobs Our Jobs Working at NNSA Blog Home Office of Radiological Security Office of Radiological Security NNSA Provides Tajikistan...

  4. Tag: global security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Global Security Global Security Analysis and Training Program Sr. Manager Toby Williams describes the GSAT program and its important role to combat radiological terrorism....

  5. Tag: Global Security | Y-12 National Security Complex

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    Global Security Global Security Analysis and Training Program Sr. Manager Toby Williams describes the GSAT program and its important role to combat radiological terrorism....

  6. PSH-15-0003 - In the Matter of Personnel Security Hearing | Department of

    Energy Savers [EERE]

    Energy 3 - In the Matter of Personnel Security Hearing PSH-15-0003 - In the Matter of Personnel Security Hearing On July 15, 2015, an OHA Administrative Judge issued a decision finding that the DOE should not restore an individual's security clearance after he determined that the individual had not resolved all of the security concerns at issue in the case. The case involved multiple allegations, including that the individual: (1) had admitted to another government agency that he had

  7. hrp | National Nuclear Security Administration

    National Nuclear Security Administration (NNSA)

    hrp Personnel Security Program NNSA is responsible for managing national nuclear security and supports several key program areas including Defense, Nuclear Nonproliferation, Naval Reactors, Emergency Operations, Infrastructure and Environment, Nuclear Security, Management and Administration and the Office of the Administrator.

  8. Departmental Cyber Security Management Policy

    Broader source: Directives, Delegations, and Requirements [Office of Management (MA)]

    2001-05-08

    The Departmental Cyber Security Management (DCSM) Policy was developed to further clarify and support the elements of the Integrated Safeguards and Security Management (ISSM) Policy regarding cyber security. Certified 9-23-10. No cancellation.

  9. Office of Departmental Personnel Security

    Office of Energy Efficiency and Renewable Energy (EERE)

    The Office of Departmental Personnel Security serves as the central leader and advocate vested with the authority to ensure consistent and effective implementation of personnel security programs Department-wide (including for the National Nuclear Security Administration (NNSA).

  10. T-557: Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability

    Broader source: Energy.gov [DOE]

    This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

  11. Security Review Processing Form | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security Review Processing Form Security Review Processing Form Security Review Process - Please review carefully. Security Acknowledge Form - Complete and return immediately. ...

  12. Security and Cyber Guidance | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security and Cyber Guidance Security and Cyber Guidance Appraisal Process Guides Security Evaluations Appraisal Process Guide - April 2008 Cyber Security Evaluations Appraisal ...

  13. Security Control Assessor | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Security Control Assessor Security Control Assessor Cyber-security-300x199.jpg The Security Control Assessor (SOA) is responsible for assessing the management, operational, ...

  14. Automated Vulnerability Detection for Compiled Smart Grid Software

    SciTech Connect (OSTI)

    Prowell, Stacy J; Pleszkoch, Mark G; Sayre, Kirk D; Linger, Richard C

    2012-01-01

    While testing performed with proper experimental controls can provide scientifically quantifiable evidence that software does not contain unintentional vulnerabilities (bugs), it is insufficient to show that intentional vulnerabilities exist, and impractical to certify devices for the expected long lifetimes of use. For both of these needs, rigorous analysis of the software itself is essential. Automated software behavior computation applies rigorous static software analysis methods based on function extraction (FX) to compiled software to detect vulnerabilities, intentional or unintentional, and to verify critical functionality. This analysis is based on the compiled firmware, takes into account machine precision, and does not rely on heuristics or approximations early in the analysis.

  15. PRIVACY/SECURITY NOTICE

    Broader source: All U.S. Department of Energy (DOE) Office Webpages (Extended Search)

    PRIVACY/SECURITY NOTICE By continuing to use this system you indicate your awareness of and consent to the following terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. SECURITY NOTICE This Web site is part of a Federal computer system used to accomplish Federal functions. The Department of Energy monitors this Web site for security purposes to ensure it remains available to all users and to protect information in the system. The system

  16. Nevada National Security Site

    National Nuclear Security Administration (NNSA)

    Nevada National Security Site Proud Past, Exciting Future Nevada National Security Site Pre-Proposal Meeting November 19, 2015 Agenda * 8:30 am Welcome * 9:00 am Overview of NNSS and NFO * 10:00 am Break * 10:30 am NNSS Video * 11:00 am Questions * 11:30 am Lunch * 1:00 pm Solicitation Overview * 2:15 pm Break * 2:45 pm Questions * 4:00 pm Conclusion The Nevada National Security Site * Large geographically diverse outdoor laboratory - 1,360 square miles of federally owned and controlled land -

  17. Headquarters Facilities Master Security Plan

    Energy Savers [EERE]

    0-1 Chapter 10 Security Awareness Program This chapter describes the DOE HQ Security Awareness Program. It implements the requirements of: Ôā∑ Title 32, CFR, Part 2001, Classified National Security Information Ôā∑ Executive Order 13526, Classified National Security Information Ôā∑ DOE Order 470.4B, Safeguards and Security (S&S) Program, Appendix B. Section 3 Ôā∑ DOE Order 475.2A, Identifying Classified Information Ôā∑ DOE Order 475.1, Counterintelligence Program The Security Awareness

  18. Microsoft Word - BPD Security - PM

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Building Performance Database Security (Updated 2015-02) The Department of Energy (DOE) ... controls to ensure the security of data stored in the Building Performance Database (BPD). ...

  19. BPD Security | Department of Energy

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    Information related to the Building Performance Database (BPD) security and software controls. PDF icon Building Performance Database (BPD) Security More Documents & Publications ...

  20. Chapter_3_Personnel_Security

    Office of Energy Efficiency and Renewable Energy (EERE) Indexed Site

    ... Security Acknowledgement * DOE F 472.1, Fair Credit Reporting Act Release Authorization ... Security Acknowledgement * DOE F 472.1, Fair Credit Reporting Act Release Authorization ...