The Environmental Protection Agency failed to consistently and promptly fix vulnerabilities in a system used for monitoring radiation level fluctuations, putting the data “at risk of being exploited by threats,” according to the agency’s watchdog.
“Because of the significance of the data collected, analyzed, and hosted within [the Analytical Radiation Data System], the impact of these data being compromised poses a significant risk to public health,” the agency’s Office of the Inspector General said in a Wednesday report.
The report found EPA’s Office of Air and Radiation (OAR) didn’t follow the agency’s own timelines or create plans of action to fix vulnerabilities in the system, which is used to detect radiation changes in things like air and drinking water.
In a response included in the report, OAR cited “resource limitations” as one of the reasons for the deficiencies and said it was working on the inspector’s recommendations. The inspector said it now considers those recommendations “resolved with corrective actions pending.”
The findings were a part of the inspector’s evaluation for the agency’s compliance with the Federal Information Security Modernization Act (FISMA) of 2014, a key information system security law, for fiscal year 2022.
Overall, the EPA received the third highest of five possible maturity levels, which means it “consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking,” the report said.
As part of the assessment, the inspector’s office assessed vulnerability scan results, which it said identified more than 20,000 “critical vulnerabilities that could impact remotely operated computers on the Agency’s network in various ways, such as remote code execution, denial of service, and memory corruption.”
The inspector said the agency couldn’t provide plans — known as Plan of Action and Milestone (POA&M) — for eight vulnerabilities it randomly selected. The OAR attributed that failure “to the significant number of vulnerabilities identified for ARadDS and the limited resources to address them.”
The office told the inspector that ARadDS is difficult to patch because it’s not connected to the agency-wide network and doesn’t receive automated updates. Patches must be applied manually, and software and hardware restrictions create further complications. As a result, the OAR said, it uses a database version of the system whose software and hardware are not up to date.
The inspector recommended the OAR implement a plan for prioritizing patch installations in a timeframe consistent with agency policy and document associated plans of action and milestones for the system.
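The gap the report describes is a tracking one: open findings that have outrun the agency’s remediation timeline, or that have no POA&M at all, were not being surfaced. The following is an added illustration, not code from the EPA or the inspector’s office, of the kind of check a system owner could run over scan results to produce that list; the `SLA_DAYS` deadlines, the `FINDINGS` records and the `audit` and `due_date` functions are all constructed assumptions, since the report does not publish EPA’s actual timelines or findings.

```python
from datetime import date, timedelta

# Assumed remediation deadlines in days from discovery, by severity.
# The report does not state the agency's real timelines; these are placeholders.
SLA_DAYS = {"critical": 30, "high": 60, "moderate": 90, "low": 180}

# Constructed scan findings for an isolated, manually patched system.
# Impact classes mirror those the report lists (RCE, DoS, memory corruption).
FINDINGS = [
    {"id": "F-001", "severity": "critical", "impact": "remote code execution",
     "found": date(2022, 3, 1), "poam": False, "patched": False},
    {"id": "F-002", "severity": "critical", "impact": "memory corruption",
     "found": date(2022, 5, 15), "poam": True, "patched": False},
    {"id": "F-003", "severity": "high", "impact": "denial of service",
     "found": date(2022, 6, 1), "poam": False, "patched": True},
    {"id": "F-004", "severity": "moderate", "impact": "information disclosure",
     "found": date(2022, 6, 20), "poam": False, "patched": False},
]


def due_date(finding):
    """Deadline for a finding under the assumed per-severity SLA."""
    return finding["found"] + timedelta(days=SLA_DAYS[finding["severity"]])


def audit(findings, today):
    """Return open findings that are past deadline or have no POA&M,
    worst-overdue criticals first, so the patch queue can be prioritized."""
    exceptions = []
    for f in findings:
        if f["patched"]:
            continue  # remediated findings need no plan of action
        overdue = (today - due_date(f)).days
        gaps = []
        if overdue > 0:
            gaps.append(f"{overdue} days past deadline")
        if not f["poam"]:
            gaps.append("no POA&M")
        if gaps:
            exceptions.append({"id": f["id"], "severity": f["severity"],
                               "overdue_days": max(overdue, 0), "gaps": gaps})
    rank = {"critical": 0, "high": 1, "moderate": 2, "low": 3}
    exceptions.sort(key=lambda e: (rank[e["severity"]], -e["overdue_days"]))
    return exceptions


if __name__ == "__main__":
    for e in audit(FINDINGS, date(2022, 7, 1)):
        print(e["id"], e["severity"], "; ".join(e["gaps"]))
```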
In response to the report, the OAR agreed with the findings and said it was already making changes to address the vulnerabilities, including “separating the ARadDS network from the Agency’s network and running its own 72-hour scans to identify security weaknesses and flaws,” the inspector said.
Among the actions it has in progress, the OAR cited a request for funding from the Technology Modernization Fund. That request was granted Thursday in an announcement from the General Services Administration, which manages the fund.
The $2.5 million award would help modernize hardware and software for ARadDS’s network and prepare it for a possible migration to the cloud, OAR said.