Agencies are supposed to protect their data systems from cybersecurity threats, especially those known as high value asset systems. The Homeland Security Depa...
Agencies are supposed to protect their data systems from cybersecurity threats, especially those known as high value asset systems. The Homeland Security Department office of inspector general looked at a high value asset system operated by the Transportation Security Administration. Uh oh. Lots of missing pieces. For the details, Federal Drive with Tom Temin spoke with the principal deputy inspector general, Glenn Sklar and the acting assistant I-G for the office of audits, Craig Adelman
Interview Transcript:
Tom Temin Glenn, we’ll start with you. In general, high value assets. These are subject to regular review for [Federal Information Security Modernization Act of 2014 (FISMA)] compliance too, correct. That’s what got you to look at the system in the first place?
Glenn Sklar Indeed, that’s correct. After the SolarWinds nationwide cyber-attack in 2019, it really changed the way we look at DHS’ cybersecurity. Shifting our oversight away from compliance-based audits to more performance and technical type reviews, including the Transportation Security Administration review we’re here today to discuss. In this report as part of a series of reviews we’re doing looking across the entire Department of Homeland Security portfolio.
Tom Temin So every component of DHS has high value assets systems, and probably they have more than one. Fair to say?
Glenn Sklar That’s correct. And we’re really focused on the ones that present the potential greatest vulnerabilities, really trying to provide the best possible advice. We can’t DHS so they mitigate risk.
Tom Temin And you picked one of several that are operated by TSA. Any particular reason for looking at that system? I imagine you can’t tell us what’s in there, but maybe you can, Craig.
Craig Adelman We cannot go into detail on what was in the system, but we can note that this is not just a high value assets system. This is a tier one high value asset which is designated by the Cybersecurity and Infrastructure Security Agency. So that means that it has a critical impact not just to TSA but to the entire nation. So this is an extremely important system with information that needs to be secured.
Tom Temin Got it. I have a feeling, given the world news, this is probably more timely than we realized at the time. But again, we’ll pull from you. But if we can guess what’s probably in that system. Well, Ok, so you looked at it in terms of what cybersecurity controls were in place under the NIST guidance and under CISA guidance, essentially?
Craig Adelman That’s correct. We looked at ten different control families under the NIST guidance, and we found that there were deficiencies in eight of those controls, some of them significant.
Tom Temin Yeah. Tell us more of the controls, our configuration management risk assessment and things like that.
Craig Adelman Right. Supply chain risk management, access controls, planning awareness and training, assessment authorization and monitoring, and contingency planning all had deficiencies.
Tom Temin So each one of those characteristics has to have specific controls in place. For example, I would think assessment, authorization and monitoring means who can get in there and do administrative work on it.
Craig Adelman It’s also constantly monitoring the system to ensure that it’s secure. In some cases, if there are vulnerabilities identified in that particular control family, you’re supposed to have a plan of action and milestones to address that vulnerability. However, we found that all of TSA is open plans for addressing those vulnerabilities were overdue. One of them hadn’t been addressed and had been open for five years.
Tom Temin Yeah. In fact, you have a list of them from special publication 853, kind of the Bible for Cyber from NIST. And I see a lot of read on there, which means that they have not done those things. What do you think the effect is of all of this? Does that mean the system is easily hacked, ultimately.
Craig Adelman That means that there is a greater chance that an attack could occur. And if attack does occur, it’s harder for TSA to respond to and recover from that cyber-attack. So that means that not only could system information be lost, but it’ll be harder to bring the system back up so that it’s functioning and supporting the role that it supports.
Tom Temin Got it. We’re speaking with Craig Adelman. He is the acting assistant IG for the Office of Audit. And with Glenn Sklar, the principal deputy inspector general, both from Homeland Security’s OIG. Well, what happened when you told TSA about what you found here? It couldn’t have been a surprise.
Glenn Sklar Yeah. Tom, we’re actually pleased with the response we got and that they’re incredibly responsive and move right in to correct the deficiencies. But we much rather have a situation where they find the problems rather than us. We really want DHS to be much more proactive in getting in front of their inspector general rather than the reverse. So we are going to continue to do these types of reviews till we stop finding major deficiencies. And we’ve really changed the way we do these reviews moving in a way for more of a compliance-based review. It’s much more technical testing, more of trust, but verify. So that we’re actually trying to be pretty aggressive in terms of what we can find and what we can offer the department in terms of solutions.
Tom Temin Well, to do a technical assessment means you have to have some technical means of pressure testing the system. I mean, do you try to gain access as an administrator, for example, that kind of thing, Craig?
Craig Adelman For this project, we did not do penetration testing. We did conduct an assessment of the system, both the security controls that were in place, which we did find challenges with, along with vulnerabilities that we identified in the system. During our testing of the vulnerabilities, we identified almost 300 unique, critical, high vulnerabilities from the over 1,000 workstations and servers we tested. I want to note that CISA puts together a catalog of known, exploited vulnerabilities. These are the vulnerabilities that should be addressed right away. And we found of the almost 300 vulnerabilities, 12 were in this catalog of vulnerability that have already been exploited. So these are serious concerns. We also found that during our testing, we couldn’t reach 700 workstations. This is in addition to the 1,000 that we did test. And what we found was that TSA had not been providing patch updates to these 700 workstations, between May 2022 and November 2022, when we conducted our fieldwork. So during that time, CISA have put together 203 known exploited vulnerabilities, and TSA had not been able to patch these workstations to address any of those vulnerabilities.
Tom Temin Wow. So that gets under the subject of risk assessment because it sounds like they didn’t know what they hadn’t done, basically.
Craig Adelman That’s right.
Tom Temin And if you don’t do a good risk assessment, then everything else kind of falls out, like access controls and configuration management would derive after you have a good risk assessment, I would guess.
Craig Adelman That’s what we found, was that even in addition to these vulnerabilities that weren’t being addressed, there were other issues down the line with the controls. For example, with the access controls, they couldn’t provide an accurate list of system users. We also found that some people who had access to the system had already left the agency. These are contractors and federal employees. However, these inactive accounts had not been removed from the system. So obviously that’s concerning. What’s more concerning is that some of these were privileged accounts. Those privilege account user has the ability to make updates or security updates on the system, software updates, maybe changing passwords. So those accounts are of particular concern and should be protected. However, they remained with access to the system even though they were inactive for long stretches of time.
Tom Temin Wow. And what does supply chain risk management mean in the context of a operate of an ongoing system like this?
Craig Adelman That’s a good question. As Glenn mentioned, we change our approach a little bit with the SolarWinds attack. And the SolarWinds attack occurred because there was an issue with the software’s supply chain. So it’s important to have a plan to ensure that your supply chain for building your technology is protected. And in this case, TSA did not have a plan to do so.
Tom Temin Like you don’t want an ICAM or an identity and credential access management system from China, for example, as your ICAM, that type of thing.
Craig Adelman Exactly.
Tom Temin All right. So you said TSA, though, is getting after it. But I guess the question is they have a management problem. Probably if they were way behind on these details of this system, is that a systemic problem for TSA or are you able to determine that, Glenn?
Glenn Sklar Yes. So generally we interface with the chief information officer for all of the department, and they’ve certainly been responsive and appreciative of what we found, and we are trying to propel them to move faster. It could potentially be funding issue, it could be the multitude of legacy systems at the department. Having been here 20 years ago when the department was first formed, I can tell you there are hundreds of legacy systems and many of them have been consolidated, but certainly not all.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED