The Energy Department IG has raised a warning about security of peripheral devices that can be attached to agency IT, saying that it found weaknesses related to access controls and configuration settings in a review of four of the department’s Office of Science locations.
Thumb drives, external hard drives and other peripheral devices can be used to introduce viruses or malware to the network, inadvertently expose sensitive information, be subject to loss or theft, or allow unauthorized access to networks or data, noted a report that was largely not publicly released on security grounds.
It added that after prior reports found issues with such devices, a common concern across the government, the department in 2018 issued new guidance requiring encryption on all mass storage devices, onboard antivirus capability, and the use of only government-furnished devices. However, it said the follow-up review found that none of the four locations had fully implemented those policies.
According to the report, officials at the sites said that the standards were “either technically not feasible or extremely difficult to implement” or that implementation “would be very costly, hinder collaboration, or would likely be unjustified by the risk presented to the site.”
“Without improvements to ensure that updated security requirements are implemented to the extent feasible, the sites reviewed might not keep pace with the challenges facing an ever-changing cybersecurity landscape. Further, absent effective implementation of access controls, the weaknesses noted during our review could allow an attacker or malicious user to make unauthorized changes to information technology peripheral devices and disclose sensitive information,” it said.