[ISN] DOE IG reviews security at Oak Ridge

From: InfoSec News (alerts@private)
Date: Wed Jan 09 2008 - 00:16:55 PST


http://www.gcn.com/online/vol1_no1/45646-1.html

By Trudy Walsh
GCN.com
01/08/08

Additional security protocol training for employees, better information 
sharing with local counterintelligence officials and periodic review of 
laptop PC security procedures are among the recommendations made by the 
Energy Department's inspector general after an investigation into a 
security breach at the department's Y-12 National Security Complex in Oak 
Ridge, Tenn.

According to the IG's report [1], in 2006 an unauthorized laptop with 
wireless capability was taken into a "limited area" at the Y-12 nuclear 
weapons plant. Limited areas are defined as "secure work areas that 
employ physical controls to prevent unauthorized access to classified 
matter or special nuclear material," the report states.

DOE prohibits any equipment capable of transmitting data wirelessly. 
Posted at the entrance to the Y-12 limited area is a large sign that 
lists the items prohibited from the area without prior approval. Second 
on that list, after firearms, is "Electronic equipment with data 
exchange port capable of being connected to automated information systems 
equipment (i.e., personal computers, PDAs)."

Four main security violations occurred, the IG said:

    * On Oct. 24, 2006, Y-12 employees discovered a contractor from Oak 
      Ridge National Laboratory had brought an unclassified laptop with 
      wireless capability into a Y-12 limited area without following 
      proper protocols.

    * Y-12 cybersecurity staff did not properly secure the laptop, and 
      the user left the area with the computer, contrary to Energy 
      policy. The laptop was not retrieved by the department until 
      almost an hour later. Because the laptop could have been tampered 
      with during that time, it could not be collected as best evidence.

    * Energy requires that within 32 hours of an incident of security 
      concern, a written report be submitted to the Headquarters 
      Operations Center. The written report was not made until six days 
      after the incident was discovered.

    * Subsequent inquiries revealed that as many as 37 additional 
      laptops may have been brought into the limited area by ORNL 
      employees without following proper security protocols.

The report notes that as soon as the manager of the Y-12 site office 
heard about the incident, he required that the individuals involved in 
the Oct. 24 incident be removed from the site and that their 
unclassified computer accounts be suspended. ORNL officials also 
notified the inspection team that they had initiated corrective plans 
and revisions to local security procedures.

Further review by the IG team revealed that nine of the 38 laptops that 
had been taken into the limited area without authorization had later 
been taken on foreign travel; six of those nine had wireless capability; 
and two of those six had been to countries that are on Energy's [2] 
sensitive countries list. A forensic evaluation of the 38 laptops also 
showed that all contained malware, which could potentially be used by 
hackers to obtain unauthorized information.

According to the IG, ORNL management agreed with the recommendations of 
the report, and has implemented corrective actions to prevent future 
breaches. The report added that the IG would evaluate the adequacy of 
these corrective measures in the future.

[1] http://www.ig.energy.gov/documents/IG-0785.pdf
[2] http://www.wipp.energy.gov/proc/pdf/SensitiveFNC.pdf

