February 15, 2017
Alleged Information Technology Weaknesses and Inappropriate System Access at the Oak Ridge National Laboratory
The Department of Energy’s Oak Ridge Office of Environmental Management’s (Environmental Management) mission, in part, includes de-inventorying uranium-233 at the Oak Ridge National Laboratory’s Building 3019. Isotek Systems, LLC (Isotek), an Environmental Management contractor at Oak Ridge National Laboratory, is tasked with de-inventorying the materials. Isotek uses the Honeywell Vindicator Information System (Vindicator), a stand-alone Federal information system, to administer the intrusion detection system needed to assist with the physical protection of Building 3019. National Strategic Protective Services, LLC, another contractor at Oak Ridge National Laboratory, is responsible for monitoring the intrusion detection system alarms.
The Office of Inspector General received a complaint alleging that: (1) Isotek personnel misused a former Technical Security Administrator’s (Technical Administrator) login credentials; (2) the current Technical Administrator accessed Vindicator without being HRP-certified; and (3) a note was displayed on a computer workstation informing users not to log off of Vindicator.
We substantiated the allegations that Isotek personnel had misused a former Technical Administrator’s login credentials to access Vindicator and that the current Technical Administrator had accessed Vindicator prior to being HRP-certified. We did not substantiate the allegation that a note informing users to not log off of Vindicator was displayed on a computer workstation. Although, we substantiated the first two allegations, we also found that Isotek had stopped using the former Technical Administrator’s login credentials to access Vindicator and that the current Technical Administrator was not required to be HRP-certified per Title 10 Code of Federal Regulations Part 712, Human Reliability Program, before accessing Vindicator. As such, we did not make any recommendations regarding these issues.
While Environmental Management and Isotek took several corrective actions during our review to address the issues we identified related to audit data and Vindicator access processes, we made additional recommendations aimed at improving the overall management and oversight of Vindicator. Management concurred with the report’s recommendations and provided a path forward to address the issues identified in the report. Management stated that actions to designate a Risk Executive for the Vindicator System had already been taken. In addition, a corrective action plan and milestone date had been developed to ensure required assessments of the Vindicator security controls are performed.
Topic: National Security & Safety