DOE IG reviews security at Oak Ridge
- By Trudy Walsh
- Jan 08, 2008
Additional security protocol training for employees, better information sharing with local counterintelligence officials and periodic review of laptop PC security procedures are among the recommendations made by the Energy Department's inspector general after an investigation into a security breach at the department's Y-12 National Security Complex in Oak Ridge, Tenn.
According to the IG's report, in 2006 an unauthorized laptop with wireless capability was taken into a "limited area" at the Y-12 nuclear weapons plant. Limited areas are defined as "secure work areas that employ physical controls to prevent unauthorized access to classified matter or special nuclear material," the report states.
DOE prohibits any equipment capable of transmitting data wirelessly. Posted at the entrance to the Y-12 limited area is a large sign that lists the items prohibited from the area without prior approval. Second on that list, after firearms, is "Electronic equipment with data exchange port capable of being connected to automate information systems equipment (i.e., personal computers, PDAs)."
Four main security violations occurred, the IG said:
- On Oct. 24, 2006, Y-12 employees discovered a contractor from Oak Ridge National Laboratory had brought an unclassified laptop with wireless capability into a Y-12 limited area without following proper protocols.
- Y-12 cybersecurity staff did not properly secure the laptop, and the user left the area with the computer, contrary to Energy policy. The laptop was not retrieved by the department until almost an hour later. Because the laptop could have been tampered with during that time, it could not be collected as best evidence.
- Energy requires that within 32 hours of an incident of security concern, a written report be submitted to the Headquarters Operations Center. The written report was not made until six days after the incident was discovered.
- Subsequent inquiries revealed that as many as 37 additional laptops may have been brought into the limited area by ORNL employees without following proper security protocols.
The report notes that as soon as the manager of the Y-12 site office heard about the incident, he required that the individuals involved in the Oct. 24 incident be removed from the site and that their unclassified computer accounts be suspended. ORNL officials also notified the inspection team that they had initiated corrective plans and revisions to local security procedures.
Further review by the IG team revealed that nine of the 38 laptops that had been taken into the limited area without authorization had later been taken on foreign travel; six of those nine had wireless capability; and two of those six had been to countries that are on Energy's sensitive countries list. A forensic evaluation of the 38 laptops also showed that all contained malware, which could potentially be used by hackers to obtain unauthorized information.
According to the IG, ORNL management agreed with the recommendations of the report, and has implemented corrective actions to prevent future breaches. The report added that the IG would evaluate the adequacy of these corrective measures in the future.
Trudy Walsh is a senior writer for GCN.