The Department of Energy (DoE) Inspector General (IG) warned in a July 6 summary of findings that department’s Office of Science lacked proper peripheral device security, leaving the agency exposed to the possibility of network compromise.
Peripheral devices – such as printers, scanners, external hard drives, and fax machines – are connected to the agency’s organizational networks to process data and information. Because the devices are integrated with other aspects of the IT systems, a lack of proper security could subject the agency to malware, expose sensitive information, or allow unauthorized access.
In an IG review of four Office of Science locations, several access control and configuration weaknesses were identified. Two locations reviewed lacked proper peripheral device security to protect against unauthorized access and none of the sites had fully implemented security standards within removable media policies.
“The issues identified occurred, in part, because sites had not fully documented or implemented procedures to ensure that peripheral devices were appropriately secured prior to connection to the internal network environment,” the summary reads. “In addition, officials had not tested peripheral devices for vulnerabilities at an organization-defined frequency.”
Science officials that spoke with auditors expressed concerns over the Office of the CIO’s security standards and that the department’s removable media security policy was not feasible to implement.
Without improvements, the IG wrote that DoE may not be able to keep pace with the challenges posed by the “everchanging cybersecurity landscape.” Because of the sensitive nature of the report, IG is only publicly releasing the summary of its findings, not the full report that has been provided to DoE officials.