Energy Department watchdog finds research labs fail to secure ‘peripheral’ devices like USBs

Multiple Department of Energy research labs lack adequate security controls to safeguard devices like printers and USB drives, leaving the facilities susceptible to data theft, according to an inspector general investigation.

“[T]he confidentiality, integrity and availability of systems and data could be directly impacted by the vulnerabilities discovered by our test work,” the DOE inspector general said in a memo released last week.

The watchdog did not name the four DOE field sites it reviewed, but said they were part of DOE’s Office of Science. That office spans at least 10 research labs that are doing sensitive research on everything from supercomputing to the supply chain of health equipment to combat the coronavirus.

An official at one DOE site complained that the department’s security standards were “technically not feasible or extremely difficult to implement,” according to the inspector general. In another case, site officials said that following the standards would cost too much, hurt collaboration or “would likely be unjustified by the risk presented to the site,” the investigation found.

The so-called peripheral devices — which also include scanners and external hard drives — that the watchdog reviewed aren’t part of the core design of an IT network, but can affect a network’s security if exploited. All four DOE field sites that the watchdog reviewed failed to fully implement the department’s security policies for USB sticks and other removable media.

“[A]bsent effective implementation of access controls, the weaknesses noted during our review could allow an attacker or malicious user to make unauthorized changes to information technology peripheral devices and disclose sensitive information,” the watchdog said.

The inspector general released a two-page summary of its findings, rather than the full report, citing security concerns. The summary did not suggest that any real-world attacks had arisen from the vulnerabilities.

A DOE spokesperson did not respond to a request for comment on the audit. Officials at the four sites told the inspector general that they had “compensating controls” in place to account for the vulnerabilities, however the oversight agency indicated those measures were insufficient.

USB sticks have long been a potential vector for smuggling malware into a facility. Increasingly, the malicious code that arrives via USB sticks is specifically designed to propagate on those devices, according to industrial vendor Honeywell. In a study this month covering 60 countries, Honeywell found that 19% of USB-based malware that it blocked at industrial facilities was designed for such a purpose, up from 9% in a previous study.