Multiple Department of Energy research labs lack adequate security controls to safeguard devices like printers and USB drives, leaving the facilities susceptible to data theft, according to an inspector general investigation.
“The confidentiality, integrity and availability of systems and data could be directly impacted by the vulnerabilities discovered by our test work,” the DOE inspector general said in a memo released last week.
The watchdog did not name the four DOE field sites it reviewed, but said they were part of DOE’s Office of Science. That office spans at least 10 research labs that are doing sensitive research on everything from supercomputing to the supply chain of health equipment to combat the coronavirus.
An official at one DOE site complained that the department’s security standards were “technically not feasible or extremely difficult to implement,” according to the inspector general. In another case, site officials said that following the standards would cost too much, hurt collaboration or “would likely be unjustified by the risk presented to the site,” the investigation found.
The so-called peripheral devices — which also include scanners and external hard drives — that the watchdog reviewed aren’t part of the core design of an IT network, but can affect a network’s security if exploited. All four DOE field sites that the watchdog reviewed failed to fully implement the department’s security policies for USB sticks and other removable media.
“Absent effective implementation of access controls, the weaknesses noted during our review could allow an attacker or malicious user to make unauthorized changes to information technology peripheral devices and disclose sensitive information,” the watchdog said.