In an “incident of security concern” at the Energy Department’s highly sensitive Y-12 plant, unauthorized laptop computers were repeatedly brought into the restricted area of the Tennessee high-enriched uranium facility–raising the risk of classified information breaches–and the plant operator failed to promptly report the security lapses to DoE headquarters as required, the department’s inspector general said recently.
Inspector General Gregory Friedman said his investigation into the laptop lapses indicated no classified information was lost, but he expressed particular concern about Y-12’s failure to promptly notify DoE headquarters about the incident, which he said could have exacerbated any national security damage that might have resulted from the episode. Further, the IG said Y-12 officials failed to inform a local counterintelligence officer of key information about the laptop matter until four months after the incident.
In an interesting response to the IG’s findings, the National Nuclear Security Administration (NNSA), the semi-autonomous DoE weapons agency that oversees Y-12, acknowledged that all of Friedman’s concerns about Y-12 cyber-security were valid, but suggested that his entire report should have been withheld from public release as “official use only” because it contained sensitive information.
Nonetheless, DoE released Friedman’s Jan. 2 report to Energy Secretary Samuel Bodman in which he detailed the security lapse at Y-12, which is operated for NNSA by BWXT Y-12, a joint venture of Bechtel and BWX Technologies Inc., now known as B&W Technical Services Group, Inc.
In his report, Friedman said the problem was discovered Oct. 24, 2006, when Y-12 personnel found that a contractor employee from DoE’s Oak Ridge National Laboratory (ORNL) failed to follow security clearance procedures before bringing a laptop with wireless transmission capabilities into a sensitive area of Y-12 containing nuclear weapons-related data or special nuclear materials.
In investigating that incident, Y-12 officials subsequently learned that as many as 37 more laptops may have been brought into the “limited area” of the Y-12 plant by ORNL personnel in recent years without security clearance requirements having been met, the IG said.
Y-12 cyber-security staff compounded the risks posed by the October 2006 incident by failing to confiscate the laptop–as required by security regulations–and instead allowed the ORNL employee to leave the restricted area with the laptop.
And while Y-12 is required to report such cyber-security breaches to DoE headquarters within 32 hours of their occurrence, a written report on the incident was not sent to headquarters until six days after the incident happened.
Prompt reporting of cyber-security incidents to headquarters is required by DoE to enable the department to take timely action, if needed, to limit the loss of national security data.
However, the IG said: “Department and contractor officials told us they knowingly delayed submitting the required incident of security concern report because of uncertainty over whether ORNL or Y-12 would accept responsibility for formally reporting the incident and due to continually developing information. Y-12 ultimately accepted responsibility for reporting the incident.”
There were considerably greater reporting delays after Y-12 discovered that ORNL personnel may have brought up to 37 additional unauthorized laptops into the restricted area of the plant. The IG said Y-12 officials did not provide written disclosure about the additional laptops to DoE headquarters until May 2007.
Friedman said Y-12 management “contended that it was appropriate to delay reporting this information until submission of its final investigative report provided to headquarters in May 2007.
“However, we confirmed with a headquarters security official that the additional laptop computers should have been reported upon discovery in order to update and disseminate pertinent information about the security incident,” the IG added.
Overall, the IG said: “We determined that ORNL personnel allowed 38 laptop computers to be brought into the limited area [of Y-12] without the required special authorizations and associated controls being implemented…. When interviewed, a computer security officer claimed a lack of knowledge regarding the established Y-12 policies and procedures on laptop computers in the limited area.”
A key concern with the laptop computers is that they can be used to quickly download classified data in restricted areas, and that the data can then be wirelessly transmitted to outside parties without DoE knowledge. In addition, the IG said DoE laptops can be targets for espionage when they are taken out of the country.
In the case of the 38 computers involved in the Y-12 incident, the IG said nine were found to have been taken overseas, six of those nine had wireless capability and two of the six had been taken to “sensitive” countries posing espionage concerns.
However, analysis of the 38 computers found that none contained classified data, and further investigations identified no cyber-security compromise.
In response to the IG report, Y-12 officials said they had taken effective corrective actions, including suspending access to sensitive areas for all ORNL employees involved in the incident until they were retrained on proper security procedures for their laptops.
The IG said it appeared Y-12 had properly addressed the security lapse, but, “due to the significance of the underlying security concerns, we are considering evaluating the adequacy of these corrective measures in the future.”