System Administrator Access

One major vulnerability in the dams' ICS comes from the way administrator access is controlled and monitored. The evaluation found that most of the USBR Operations Center's 25 employees had access to at least one ICS account that was not tied to their position, and only five of the 13 employees with system administrator access had official ICS administration duties. Under the principle of "least privilege" described in guidance from the National Institute of Standards and Technology (NIST), only employees whose job duties actually require administrative access should hold it. In addition, the USBR had authorized nearly 20 ICS group (shared) accounts, each with system administrator access, and none of them was continuously monitored as NIST guidance calls for. Because a shared credential cannot be tied to one individual, a malicious actor using a group account could alter critical system programs and logs, open further access to the ICS, and install malware with little risk of attribution.
Password Security

Another major weakness uncovered by the Office of the Inspector General was that employees were not changing passwords every 60 days as department policy requires. This mirrors the habits of the wider public, many of whom are undereducated about password security and do not prioritize basic cyber security practices. Of the 30 ICS administrator accounts evaluated, 10 had not had their passwords changed in over a year. In addition, nine of the 30 ICS administrator accounts and seven of the 18 group accounts had not been used for at least a year; dormant accounts that are never removed are an easy entry point for an attacker, because no legitimate user is watching them. Part of the reason for the inconsistent password changes was the heavy use of group accounts: coordinating a change among everyone who shares a credential is difficult and is therefore often neglected. Compounding the problem, when employees left the organization the passwords to the accounts they had used, including group accounts, were not changed, so departed staff retained working credentials.
Background Checks

Another primary source of risk to the ICS was insufficient background investigation and personnel security practice. Of the 13 USBR employees with system administrator access, only 11 had completed a Tier 2 background investigation, although the USBR's personnel security manual requires at least that level for all employees with such access. In addition, once hired, users granted "privileged" administrator access to the ICS were not subject to continuous evaluation, despite the 2012 Federal Investigative Standards requiring it.
Next Steps

Although several vulnerabilities in the USBR's ICS security were found during the investigation, a few important steps can mitigate the risk to the organization going forward. As outlined by the Office of the Inspector General:
- Limit administrator access to the ICS to those USBR employees whose specific positions require it.
- Remove all group accounts with administrator access to the ICS and ensure that no new unnecessary group accounts are created.
- Remove all accounts with access to the ICS when the employee leaves or when their position no longer requires such access.
- Ensure that employees regularly change the passwords on their ICS accounts.
- Strengthen background check procedures and re-evaluate privileged users on a regular basis.
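As an added illustration (not part of the OIG report or any USBR tooling), the following Python script turns the findings above into an automated account audit: it flags group accounts with administrator rights, passwords older than the 60-day policy, accounts unused for a year or more, accounts whose owner has left, administrator access not required by the owner's position, and administrators lacking a Tier 2 background investigation. The employee and account records, their schema, the names and the dates are all invented for the example; a real audit would pull the same fields from the ICS user database and the HR directory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the findings: passwords must change every 60 days
# (department policy) and an account unused for a year is dormant.
PASSWORD_MAX_AGE_DAYS = 60
DORMANT_DAYS = 365
REQUIRED_BACKGROUND_TIER = 2


@dataclass(frozen=True)
class Person:
    """HR directory record (hypothetical schema)."""
    name: str
    admin_duties: bool      # position officially includes ICS administration
    employed: bool          # False once the person has left the organization
    background_tier: int    # highest completed background investigation tier


@dataclass(frozen=True)
class Account:
    """ICS account record (hypothetical schema)."""
    name: str
    owner: Optional[str]        # None for a shared/group account
    is_admin: bool
    is_group: bool
    password_set: date
    last_login: Optional[date]  # None if the account has never been used


def audit(accounts: List[Account], people: List[Person], as_of: date) -> List[Tuple[str, str]]:
    """Return (account name, issue) pairs for every control failure found."""
    directory: Dict[str, Person] = {p.name: p for p in people}
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # Shared credentials with admin rights defeat attribution and make
        # coordinated password rotation impractical.
        if a.is_group and a.is_admin:
            findings.append((a.name, "group account with administrator access"))
        if (as_of - a.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((a.name, "password older than 60 days"))
        if a.last_login is None or (as_of - a.last_login).days >= DORMANT_DAYS:
            findings.append((a.name, "dormant for a year or more"))
        if a.owner is None:
            continue  # remaining checks need an individual owner
        owner = directory.get(a.owner)
        if owner is None or not owner.employed:
            findings.append((a.name, "owner has left but account remains"))
            continue
        if a.is_admin and not owner.admin_duties:
            findings.append((a.name, "administrator access not required by position"))
        if a.is_admin and owner.background_tier < REQUIRED_BACKGROUND_TIER:
            findings.append((a.name, "administrator without Tier 2 background investigation"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per issue type for a management-level summary."""
    counts: Dict[str, int] = {}
    for _, issue in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


# Constructed sample inventory; every name and date below is invented.
AS_OF = date(2019, 1, 15)

PEOPLE = [
    Person("J. Doe", admin_duties=True, employed=True, background_tier=2),
    Person("A. Smith", admin_duties=False, employed=True, background_tier=1),
    Person("B. Jones", admin_duties=False, employed=False, background_tier=2),
]

ACCOUNTS = [
    Account("ops_admin_shared", None, True, True, date(2017, 6, 1), date(2019, 1, 10)),
    Account("jdoe", "J. Doe", True, False, date(2018, 12, 20), date(2019, 1, 14)),
    Account("asmith", "A. Smith", True, False, date(2018, 1, 1), date(2017, 12, 1)),
    Account("bjones", "B. Jones", False, False, date(2018, 12, 1), date(2019, 1, 2)),
    Account("hist_export", None, False, True, date(2018, 12, 15), None),
]

if __name__ == "__main__":
    results = audit(ACCOUNTS, PEOPLE, AS_OF)
    for account, issue in results:
        print(f"{account:18} {issue}")
    print(summarize(results))
```

Only the `jdoe` account passes every check; the shared administrator account is caught twice (shared rights and a stale password), and `asmith` shows how one account can combine a stale password, dormancy, unjustified privilege and a missing background investigation. Running a check like this on a schedule, rather than once during an audit, is what turns the Inspector General's recommendations into continuous monitoring.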