DOE IG offers details of 24 October Oak Ridge security breach

Published 9 January 2008

Certain areas of the U.S. nuclear labs are designated “limited areas” by DOE; employees are prohibited from bringing into these secure areas any equipment capable of transmitting data wirelessly. At Oak Ridge, 38 laptops had been taken into a limited area without authorization, and the IG found that nine of these laptops had later been taken on foreign travel, two of them to countries on DOE’s sensitive countries list.

It is a serious matter to have a security breach at your bank. How about a security breach at a nuclear weapons laboratory? It happened, and the Department of Energy (DOE) says it is doing something about it. Additional security-protocol training for employees, better information sharing with local counterintelligence officials, and periodic review of laptop security procedures are among the recommendations made by DOE’s inspector general after an investigation into a security breach at the department’s Y-12 National Security Complex in Oak Ridge, Tennessee. According to the IG’s report, in 2006 an unauthorized laptop with wireless capability was taken into a “limited area” at the Y-12 nuclear weapons plant.

GCN’s Trudy Walsh writes that the report defines limited areas as “secure work areas that employ physical controls to prevent unauthorized access to classified matter or special nuclear material.” DOE prohibits any equipment capable of transmitting data wirelessly from entering such areas. Posted at the entrance to the Y-12 limited area is a large sign listing the items prohibited from the area without prior approval. Second on that list, after firearms, is “Electronic equipment with data exchange port capable of being connected to automated information systems equipment (i.e., personal computers, PDAs).”

Four main security violations occurred, the IG said:

* On 24 October 2006, Y-12 employees discovered a contractor from Oak Ridge National Laboratory had brought an unclassified laptop with wireless capability into a Y-12 limited area without following proper protocols.

* Y-12 cybersecurity staff did not properly secure the laptop, and the user left the area with the computer, contrary to DOE policy. The laptop was not retrieved by the department until almost an hour later. Because the laptop could have been tampered with during that interval, it could not be collected as best evidence.

* DOE requires that a written report be submitted to the Headquarters Operations Center within thirty-two hours of an incident of security concern. In this case the written report was not made until six days after the incident was discovered.

* Subsequent inquiries revealed that as many as thirty-seven additional laptops may have been brought into the limited area by ORNL employees without following proper security protocols.

The report notes that as soon as the manager of the Y-12 site office heard about the incident, he required that the individuals involved in the 24 October incident be removed from the site and that their unclassified computer accounts be suspended. ORNL officials also notified the inspection team that they had initiated corrective plans and revisions to local security procedures.

Further review by the IG team revealed that nine of the thirty-eight laptops that had been taken into the limited area without authorization had later been taken on foreign travel; six of those nine had wireless capability; and two of those six had been to countries on DOE’s sensitive countries list. A forensic evaluation of the thirty-eight laptops also showed that all of them contained malware, which could potentially be used by attackers to obtain unauthorized information.

According to the IG, ORNL management agreed with the recommendations of the report, and has implemented corrective actions to prevent future breaches. The report added that the IG would evaluate the adequacy of these corrective measures in the future.