Commerce Unit's BYOD Problem
IG Sees Risks in Personally Owned PCs Accessing NOAA Systems
A bring-your-own-device problem jeopardized the information systems at the National Oceanic and Atmospheric Administration, an inspector general's audit reveals. And the device that gave NOAA's incident response team headaches wasn't a smartphone or tablet but an old-fashioned personal computer.
NOAA is a Commerce Department scientific agency focused on tracking and analyzing the conditions of the ocean and atmosphere; it oversees the National Weather Service.
The agency's experience with the "perils of allowing personally owned devices access to its systems" - as a Commerce Department inspector general report puts it - occurred last year when an attacker removed data from a computer system supporting NOAA's National Environmental Satellite, Data and Information Service, or NESDIS, the unit that acquires and manages environmental data from satellites.
The data was exfiltrated to a suspicious external IP address through a remote connection established from a contractor's personally owned PC, which members of NOAA's computer incident response team believe was infected with malware, according to the IG audit. But the PC's owner stymied the response team's investigators by refusing to give NOAA permission to conduct a forensic examination of the computer.
"This highlights the risk of using personal computers to remotely access government information systems, as well as hindrances to incident response efforts," Allen Crawley, assistant inspector general for systems acquisition and IT security, says in the report.
While the IG audit says NOAA can continue to allow the use of personally owned computers to access government systems, it stresses that NOAA should follow the Commerce Department's telework policy that addresses use of such devices.
Michael Devany, Commerce Department undersecretary for operations, doesn't deny the incident occurred, but suggests the IG is overblowing it. He calls the IG's characterization of the situation "misleading," adding that the breached system in question was not one of the systems the IG office audited.
"The system affected was not even a high-impact system and was subject to a different security controls baseline than the high-impact systems that were in the scope of this audit," he says.
Devany requested that the IG remove the incident from the audit report, which the IG declined to do.
Crawley acknowledges the security incident did not occur on one of the systems that were the focus of the IG's audit, but says it's very relevant to the IG's findings related to remote access. As stated in the report, Crawley says, "this incident highlights the risk of using personal computers to remotely access government information systems, as well as hindrances to incident response efforts."
In the audit, Crawley explains that NESDIS's telework policy does not provide critical guidance on the appropriate use of personally owned computers. Though NESDIS officials contend their staff members follow Commerce Department policies regarding remote access by teleworkers, the assistant IG describes the satellite service's policies as "ambiguous," adding that they contradict the department's telework policy. NESDIS's policy fails to specify the circumstances when personal computers can be authorized to remotely access its information systems, resulting in NESDIS's staff not having clear guidance on this matter, he says.
"By allowing access by personal computers, NESDIS is jeopardizing the security of its information systems," Crawley says.
The IG report recommends that NOAA take steps to ensure that NESDIS's telework policy complies with departmental procedures regarding the use of personal devices for remote access. It also proposes that NOAA implement the security mechanisms necessary to protect against remote access from personally owned computers. Commerce concurs with the recommendations.
Risk of Cyber-Attacks
The audit, required by the Federal Information Security Management Act, the law that governs federal government IT security, identifies other problems with the security of the NESDIS IT systems. Among the findings:
- Information systems connected to NESDIS's critical satellite ground support systems increase the risk of cyber-attacks. Mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber-attacker with access to these critical assets.
- NESDIS's inconsistent implementation of mobile device protections increases the likelihood of a malware infection. In its review of selected Microsoft Windows components on four NESDIS systems, the IG found that an unauthorized mobile device had been connected to the systems supporting the Polar-orbiting Operational Environmental Satellites (POES), the Geostationary Operational Environmental Satellites (GOES) and the Environmental Satellite Processing Center (ESPC). And the GOES and ESPC systems did not consistently ensure that Windows' AutoRun feature was disabled.
- Critical security controls remain unimplemented in NESDIS's information systems. The IG reviewed four NESDIS information systems and found that NESDIS did not appropriately remediate vulnerabilities, implement required remote access security mechanisms and implement the secure configuration settings control on IT products.
- Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous. The IG found that nearly half of the independent assessments of security controls have deficiencies and may not have provided NOAA's authorizing official with an accurate implementation status of the system's security controls.
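The mobile-device finding above turns on two things an administrator can check on a Windows host: whether AutoRun is fully disabled, and which removable storage devices have ever been plugged in. The script below is an added example, not code from the IG report or from NOAA; it assumes the standard registry locations Windows uses for these settings, and the device allowlist ($Allowed) is a hypothetical placeholder the system owner would maintain. Whether the IG used this particular method is not stated in the report.

```powershell
# Added example (not from the IG report): audit one Windows host for the two
# conditions in the NESDIS finding: AutoRun still enabled, and removable storage
# devices connected that are not on an authorized list.

# Hypothetical allowlist of authorized USB storage serial numbers / instance IDs.
$Allowed = @('EXAMPLE-AUTHORIZED-SERIAL-0001')

function Test-AutoRunDisabled {
    # Group Policy "Turn off AutoPlay" writes NoDriveTypeAutoRun under these keys.
    # 0xFF (255) disables AutoRun for every drive type; a smaller bitmask, or no
    # value at all, leaves AutoRun enabled for some drive types.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user only
    )
    $ok = $true
    foreach ($p in $policyPaths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v -or $v -ne 0xFF) {
            Write-Warning "$p : NoDriveTypeAutoRun = '$v' (expected 0xFF)"
            $ok = $false
        }
    }
    # Microsoft's autorun.inf hardening (KB967715) maps the file to a key that does
    # not exist, so Windows ignores autorun.inf on removable media entirely.
    $iniPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $ini = (Get-ItemProperty -Path $iniPath -ErrorAction SilentlyContinue).'(default)'
    if ($ini -ne '@SYS:DoesNotExist') {
        Write-Warning "Autorun.inf IniFileMapping is '$ini' (expected '@SYS:DoesNotExist')"
        $ok = $false
    }
    return $ok
}

function Disable-AutoRun {
    # Remediation: set the policy value and the IniFileMapping entry. Needs an
    # elevated session; on a domain member, prefer setting this through Group Policy
    # so it cannot be undone locally.
    foreach ($p in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    $iniPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $iniPath)) { New-Item -Path $iniPath -Force | Out-Null }
    Set-ItemProperty -Path $iniPath -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Get-UsbStorageHistory {
    # Windows records every USB mass-storage device ever attached under USBSTOR,
    # keyed first by vendor/product string and then by serial number (or a
    # Windows-generated instance ID when the device reports no serial).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root | ForEach-Object {
        $vendorProduct = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Device     = $vendorProduct
                Serial     = $_.PSChildName
                Name       = $props.FriendlyName
                Authorized = ($Allowed -contains $_.PSChildName)
            }
        }
    }
}

# Usage: report both findings for this host. Add -Remediate style handling as needed.
if (-not (Test-AutoRunDisabled)) {
    Write-Output 'FINDING: AutoRun is not fully disabled on this host.'
}
$unauthorized = Get-UsbStorageHistory | Where-Object { -not $_.Authorized }
if ($unauthorized) {
    Write-Output 'FINDING: removable storage devices not on the authorized list:'
    $unauthorized | Format-Table -AutoSize
}
```

Two caveats a practitioner would apply: the HKCU check only covers the account running the script, so a fleet audit should read each user's hive (or rely on the HKLM policy, which takes precedence); and USBSTOR is a history of devices ever connected, not an attestation that a device was authorized at the time, so the allowlist has to come from the system owner's records rather than from the host itself.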
The IG made 13 recommendations and the Commerce Department concurred with all of them.