June 15, 2017

The Office of Enterprise Assessments Testing Incident at the 2016 Department of Energy Cyber Conference

The Department of Energy’s Office of Enterprise Assessments is responsible for conducting independent assessments on behalf of the Secretary and Deputy Secretary in the areas of nuclear and industrial safety and cyber and physical security. Within the Office of Enterprise Assessments, the Office of Cyber Assessments evaluates the effectiveness of cybersecurity policy throughout the Department, as well as program and site office performance as it relates to implementation of cybersecurity programs. Assessments can be announced or unannounced and typically include a programmatic cybersecurity policy review in conjunction with technical performance testing. Announced testing is coordinated with the organization being tested and conducted as part of a scheduled appraisal activity. Unannounced tests, also known as red team exercises, are conducted without informing the site but are required to include coordination with a trusted agent. Due to the potential operational impacts, assessments must be carefully and thoroughly conducted and coordinated.

The Office of the Chief Information Officer (OCIO) recently sponsored the Department’s 2016 Cyber Conference, held at a non-Federal facility located in Atlanta, Georgia. During the conference, the Office of Cyber Assessments conducted an unannounced assessment related to the use of mobile device charging stations. Officials indicated that the purpose was to determine whether conference participants would connect government and/or personal devices to a charging station. Due to concerns raised by various Department officials related to the Office of Cyber Assessments’ lack of coordination with the OCIO prior to the assessment, the Office of Inspector General initiated a special inquiry to determine the facts and circumstances surrounding the assessment.

Our review of the cyber conference testing incident substantiated concerns that the assessment had not been appropriately coordinated with the OCIO. We also identified issues related to the resulting response by OCIO officials. Although Office of Cyber Assessments personnel participated in planning the conference, we found that the office had not taken appropriate planning and coordination steps when conducting its security assessment during the Department’s 2016 Cyber Conference. Specifically, we found that Office of Cyber Assessments officials placed two data collection devices disguised as charging stations outside the conference exhibit hall just prior to commencement of the conference, without coordination with any individual responsible for planning or hosting the conference. In addition, once the devices were discovered, OCIO officials may not have taken the appropriate steps in responding to the identification of the uncoordinated devices. While it was ultimately determined that the devices were not malicious, did not pose a risk to the conference attendees, and collected no data during the conference, we are concerned about the lack of coordination among Department elements and the related OCIO response to the potential threat that such devices could have posed. While not specifically addressing the operations related to the Department’s 2016 Cyber Conference, a review conducted in November 2016 by the Associate Deputy Secretary found that the Office of Enterprise Assessments acted within its authorities.

We found that a number of factors contributed, at least in part, to the testing incident that occurred at the Department’s Cyber Conference. In particular, we noted that the Office of Cyber Assessments procedures were not always followed by personnel during this unannounced assessment. Similarly, the response by the OCIO did not adhere to Department incident response guidance, leaving conference attendees and other facility patrons vulnerable to potential unmitigated threats. Furthermore, we determined that the Office of Enterprise Assessments should have been more diligent in monitoring the execution of the assessment.

This incident illustrates shortcomings in the planning and operations of the Office of Enterprise Assessments and operations of the OCIO. The lack of adequate management and oversight of the unannounced assessment illustrated weaknesses in the performance of assessment operations that, if left uncorrected, could have the potential for negative repercussions on future operations.

To help improve the Department’s processes related to planning and executing cybersecurity assessments, we made recommendations to the Director, Office of Enterprise Assessments and the Acting Chief Information Officer. Management concurred with each of the report’s recommendations and indicated that corrective actions had been taken, or were being planned, to address the identified issues.

Topic: Management & Administration