Officials tell internal watchdogs securing devices like printers and flash drives is just hard, expensive and inhibits collaboration.
The Department of Energy’s inspector general found that none of the agency’s science offices it reviewed had fully implemented guidance for securing peripheral devices with one official saying it was technically infeasible or “extremely difficult” to comply.
Peripheral devices such as printers, scanners, copiers, fax machines, voice-over-internet-protocol phones, thumb drives and external hard drives often hold sensitive information and can be used to deliver malware to the network. They are subject to security requirements such as those outlined in “DOE Information Technology and Cybersecurity Policy Memorandum: Removable Media Security,” which was issued by the office of the chief information officer in 2018.
The IG’s office examined four DOE offices of science for compliance with the memorandum and issued a summary of its findings this week.
“Our review disclosed access control weaknesses at two Science locations in which peripheral devices had not been securely configured to protect against unauthorized access,” the report reads. “In addition, none of the four sites reviewed fully implemented security standards found within the removable media policy issued by the Office of the Chief Information Officer, including requiring that all mass storage devices provide encryption, ensuring onboard antivirus capability, and using only Government furnished devices.”
Officials interviewed by the IG’s office gave a number of reasons for not complying and even pushed back on the guidance.
“Science officials expressed concerns with the overall process in which the Office of the Chief Information Officer issued security standards, policies, and/or directives,” the IG’s office wrote.
Science officials specifically said complying with the guidance was costly, negatively affects collaboration, or would introduce other risks and would therefore be “unjustified.”
According to the IG’s office, “an official at one site indicated that various security standards had not been met because they were either technically not feasible or extremely difficult to implement.”
The stakes are high as adversaries target critical infrastructure such as electric utilities. While the science officials said they took other measures to mitigate risks, the IG’s office fears the compliance failures indicate it will be even harder to keep up with new threats.
“Without improvements to ensure that updated security requirements are implemented to the extent feasible, the sites reviewed might not keep pace with the challenges facing an ever changing cybersecurity landscape,” wrote the IG’s office. “Although site officials indicated that they had implemented compensating controls to mitigate identified weaknesses, the confidentiality, integrity, and availability of systems and data could be directly impacted by the vulnerabilities discovered by our test work.”