The government board that investigates industrial chemical accidents does not keep track of computer systems it has outsourced to contractors, which could jeopardize information confidentiality, a federal inspection has found.
The perpetrators behind many notorious data breaches exploited similar vulnerabilities. The U.S. Chemical Safety and Hazard Investigation Board, or CSB, handles sensitive details on manufacturing facilities and the location of hazardous materials.
A new audit by the Environmental Protection Agency inspector general criticizes the board for lacking a complete catalog of contractor-run systems, as well as databases maintained by other federal agencies. Data applications running in the cloud also have not been inventoried.
Among the board’s probes into disasters is a Monday report on an explosion at West Fertilizer Co. in Texas that killed 15 people and devastated a town near Dallas. The board found that communities across the state remain in danger of "a catastrophic incident" like the 2013 incident because of insufficient rules for the storage of fertilizer.
EPA Inspector General Arthur Elkins, in a report released Wednesday, cast doubt on the protection of the board’s files and sensitive data.
"The agency needs process improvements" to its contractor security plan, among other things, and "as such, questions exist as to whether CSB is doing all it can to protect the confidentiality, integrity and availability of information technology resources and stored data," he said.
Target exposed customer payment card data and the Office of Personnel Management compromised personal employee data when their respective contractors were hacked. Suspected Chinese cyberspies used a compromised password from a background check provider to creep into OPM's network. Crooks reportedly penetrated a heating and air conditioning vendor's computer to gain credentials to reach Target’s payment system.
Board members agreed with the inspection's general findings, but made some finer points to explain the missing list of data repositories overseen by outsiders.
Other government agencies operate the board's financial and human resources systems, so those data services were not logged, board chairman and member Vanessa Allen Sutherland said in a Jan. 11 letter responding to a draft audit.
"We will work to add these" to an updated security plan "and acquire the necessary supporting documentation regarding the servicing agency’s implementation of security controls," she added.
Elkins, the inspector general, also found fault with two security controls for internal networks, including the process for logging in and the rules on employee training.
Unauthorized users can access the board's systems if they know the right password, because computers are not set up for two-step authentication that would require additional ID, like a smart card. In addition, the board does not have policies or procedures that spell out specialized training requirements for IT security professionals.
Allen said the board is in the planning stages of activating the stronger sign-on technology and will evaluate language for new guidance that stipulates unique instructions for cyber staff.