The Environmental Protection Agency’s (EPA) Integrated Risk Information System (IRIS) is one of the main tools the agency relies on for environmental regulations, containing information on human health effects that may result from exposure to various chemicals in the environment. However, a new report from the EPA’s inspector general said the agency needs to do a better job of controlling who has access to it, or the data could be tampered with. For more on the report, Federal Drive with Tom Temin Executive Producer Eric White talked with Jeremy Sigel, the IG office’s Supervisory Audit Manager in the Information Resources Management Directorate.
Eric White: So is it safe to say, or am I oversimplifying it, if I referred to the IRIS database kind of as the EPA’s glossary, so to speak?
Jeremy Sigel: That’s an interesting term. I mean, it’s more of something like their chemical evaluation program. It contains toxicity information and assessment reports for toxic chemicals. So, you know, it’s something where the protection of that data and how it’s displayed and disseminated is a great ongoing concern that, you know, needs to be secured. While the IRIS database is mostly internal, I mean, we’ve seen so many examples of, you know, internal threats that can be used to exploit vulnerabilities. So, you know, our purpose in this audit was to make sure that that data is properly secured.
Eric White: Got it. And so, yeah, we’ll get to those threats. But yeah, just trying to establish what this IRIS database does: it contains the effects that certain chemicals have on human health in the environment. Does that mean it includes, you know, studies and things of that nature as well?
Jeremy Sigel: Well, yeah. What it contains are assessment reports that EPA’s Office of Research and Development receives, and then their IRIS program, which includes this IRIS database, displays not only the assessment results but also, you know, the scheduling of some of them; there’s a seven-step process. So sometimes, you know, the rating or the chemical information may not be ready yet, but they at least show, you know, where it is in the process. And if it is complete, then you can go in and see the assessment reports on there.
Eric White: Got it. Okay. And so then they use those assessment reports to determine whether or not policymakers need to take a look at, you know, regulating them, who has access to the chemicals and where they can be used.
Jeremy Sigel: I think it’s more of displaying the information so that it can be relied upon for, you know, environmental and any kind of, you know, scientific policy.
Eric White: Okay. So now let’s get more into your wheelhouse here. What kind of IT security is required for such a database by law and, you know, needed just to make it effective?
Jeremy Sigel: You know, every government information system is subject to federal and then their own agency’s regulations. So, for instance, a lot of the requirements come from the National Institute of Standards and Technology. And so we’ll look at those requirements. You know, specifically for this audit, it was just access control. So, you know, who can access the database? Who has access, and what is the process for approving access? And so they can take these federal requirements, like, for instance, say, you know, every password has to expire in 60 days. The agency can either adopt those in their own IT procedures or say, you know, we can’t really support that, so we’re going to make it 90 days. And this is basically standardized in our IT procedures. So what we looked at was who had access, you know, what are the password settings, who has elevated access? Is that access monitored, reviewed on a periodic basis? And that was mainly our thrust for the audit.
Eric White: Okay. And was there anything in particular that sparked the audit, or was it a part of your regularly scheduled programming?
Jeremy Sigel: No, actually, two years ago I was reading an article about how the Trump administration was trying to get an OMB mandate that made it so these assessments had to go through White House approval. And I guess this had been done in the past. So the article said it had been done in the past, and it was found that that greatly reduced the reliability or integrity of the reports. But the one thing that stood out to me was that this article actually mentioned the information system. It stood out to me because they never really mention any, you know, government systems by name in these articles. It’s usually, you know, a higher level or, you know, something more important that stood out to me. And I realized, you know, I then did further research, knowing that GAO had done a lot of reports related to IRIS. And I looked through those reports and realized that none of them touched upon IT security. So I proposed it to our agency, you know, basically saying, you know, this is just putting our foot in the door to look at it, because I don’t think it has been looked at before by anybody. So from that angle we said, well, let’s look at, you know, the most, I guess, basic, you know, your foundation for any kind of IT security, which would be access controls.
Eric White: We’re speaking with Jeremy Sigel from the EPA’s Office of Inspector General. All right. So let’s get into the results of the audit, then, what exactly you found. What were some of the top-level concerns that you have? I know you got into a few of them earlier, but, you know, as far as access management goes, what were some of the most egregious red flags that you saw?
Jeremy Sigel: I just want to preface this by saying that, you know, there’s a very limited number of people with access to it. It’s mostly just developers and their contractors. However, you know, because it hadn’t been looked at and there really wasn’t any new access to it in years, you know, we got a listing of the users and looked through it and then said, you know, do all these people really need access, because a lot of their accounts are still active? And then the agency reviewed them and knocked out, you know, the majority of them, basically saying, yeah, you’re right, they don’t need access. But then we went even further and we looked at, you know, the database server that IRIS is hosted on and found some password issues; some of the password settings were a bit lax. Some of them, you know, they didn’t have control over. They don’t want to be too restrictive and lock certain accounts that, you know, the database needs in order to function. But, you know, just as an overall practice, we saw that there was a lack of monitoring and periodic review. So when we came in and basically said, why do all these people need active accounts if it’s really just displaying these reports that have already been vetted, then they went through and said, okay, you know, they don’t need to be active, they don’t need to have these accounts. But, you know, there really wasn’t any purpose to the accounts anyway. So, just to be safe, lock them up, which was, you know, our concern: knowing that there’s really no external access to it, our concern was, well, there still could be internal threats, and those internal threats could be exploited. So that’s basically what we looked at, you know, the entry-level access controls of who has access and, you know, why do they have that access, is it really needed, and how often is it reviewed? And all of our findings pretty much flowed from there.
Eric White: Got it. Okay. And so what are the risks of having, you know, the lack of access controls? You know, I guess this goes back to the purpose of the list again. Is it the kind of thing that somebody could get in there and manipulate, you know, if a bad actor ended up getting access, whether internally or externally?
Jeremy Sigel: I don’t know if I would go that far. It’s more just because this information is so valuable and so relied upon, you know, any alteration or availability of that data we feel is important. So, you know, even if it’s not something an external actor can get to, there’s still the internal threat. But also, I mean, we’ve seen examples just recently in the news, like with Okta, you know, that was a service account that was exploited from an internal user just trying to access their account and then an outside threat getting access to it. Because those service accounts, these shared accounts, these system accounts, they still need to have some restrictions on them so that they can’t be exploited. The example I like to use is you could have a nice safe, but it doesn’t matter if you leave the door unlocked.
Eric White: Gotcha. Okay. That puts it simply for those of us who aren’t in the IT field. And so it seems as if they were receptive about the external access and the recommendations that you made. Was there any other response from the agency that you can tell us about?
Jeremy Sigel: I don’t know about the external access part. It was mostly internal, you know, restrictions that they needed to tighten up. But in terms of their response, they concurred with the findings and the recommendations, one of which they’ve already implemented for password settings. And they basically said that they’re going to ramp up their account management. We were happy about that and receptive to it. I mean, this report took a long time to come out because, as you can see, it’s very tech-heavy for the general public, so maybe not as, you know, enticing as most. But in that time we’ve been in constant contact with the agency. So they knew the report was coming, they knew the findings. So they had time to develop internal procedures and, you know, in terms of some of the password settings, just, you know, fix that before the report even came out.
Eric White: All right. Anything else from the report that we haven’t touched on that you think is important for the conversation?
Jeremy Sigel: Again, it’s an internal database, but the things that it distributes help to display on the website extremely important data. What we’ve seen is that the main thing, you know, this report was made for is, you know, protecting the integrity of valuable chemical data. And we’ve seen multiple examples that just the proliferation of inaccurate data itself can have catastrophic results. So for something as important and relied upon as chemical assessment data and toxicology that should be relied upon, it should be something that, you know, doesn’t have interference or, you know, outside exploitation. Just making sure that that data is presented accurately. That was our main goal.