After site shutdown, EPA seeps back onto the Net

After site shutdown, EPA seeps back onto the Net

With a new firewall, stronger management and restoration criteria, 80 percent of site is back online

By Christopher J. Dorobek

GCN Staff

Nearly five months after the Environmental Protection Agency had to sever its connection with the Internet due to security concerns, the agency is taking information assurance more seriously, the EPA's information technology security chief says.

But EPA must institutionalize security practices to avoid a serious breach, said George A. Bonina, director of EPA's Information Security Staff, who joined the agency in January.

EPA shut down its Internet connection in February after an audit by the General Accounting Office found serious security problems [GCN, March 6, Page 1].

Only 80 percent of EPA's systems are again providing Internet links, Bonina said. Systems that are still offline are more complex to effectively secure. They include those that support dial-up connections and passive outbound File Transfer Protocol services, he said.

IT surpassed EPA's ability to secure its data, George A. Bonina says.

Since the shutdown, EPA has worked to change its attitude toward security, he said. The agency used to consider all information available unless there was a specific reason it should not be public, he said. Now, information must be considered secure unless officials determine it should be made public, he said recently during a presentation to the Federal Webmasters Forum in Washington.

'We were not asleep at the switch,' Bonina said. The agency had conducted risk assessments and implemented advisories from the CERT Coordination Center at Carnegie Mellon University, he said. EPA had also installed strong security for its mainframe environment and had created private networks for confidential business information. The agency had a firewall between its public access servers and the rest of the EPA network, and it had planned to install a more robust firewall and an intrusion detection system, he said.

In fact, after GAO conducted the in-depth audit of the agency's security practices, it told the EPA that the agency had an effective security plan on paper, Bonina said. It wasn't until GAO conducted penetration tests that the holes became apparent.

The EPA's problems developed because technological changes surpassed the agency's ability to secure its data, he said.

The agency's business has changed since the 1970s and 1980s, when EPA focused on implementing and enforcing environmental laws. In the late 1980s and early 1990s, the agency began giving the public access to environmental information.

The Emergency Planning and Community Right-To-Know Act required EPA to publish information about toxic releases. The theory was that if the data were available publicly, companies would be more likely to cut toxic releases. The result has been a dramatic reduction in the amount of toxic material being released into the environment, Bonina said.

Changes in EPA's business practices mirrored the evolution of its IT shop. From the 1970s until 1990, the agency used comparatively secure mainframes, essentially forming a virtual private network, he said.

In the early 1990s, EPA started the transition to a client-server architecture. The agency has nearly 2,000 servers around the country, many of them at EPA's National Computing Center in Research Triangle Park, N.C.

EPA joined the Internet arena in the mid-1990s, making its information accessible to anyone in the world.

EPA officials expected the results of the GAO audit to be bleak, but the findings were severe, Bonina said. GAO auditors easily gained root access to EPA's network.

GAO said EPA had ineffective perimeter defenses, inadequate system access controls, weak network and operating system controls, poor password protections, and weak security planning and risk assessment.

Down she goes

EPA decided to disconnect the agency from the Internet, Bonina said.

EPA quickly set out to put its new firewall in place. At the same time, the agency established clear criteria for restoring service: protect its confidential business information, meet financial and legal obligations, restore employee productivity, and re-establish public access.

EPA's senior management identified the highest priority systems and services, and the IT staff focused on that list.

The agency also implemented more stringent management practices for passwords and server administration, and established a formal risk assessment process, he said.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.