The Environmental Protection Agency (EPA) is failing to track and remediate, in a timely manner, thousands of critical vulnerabilities in the systems that hold its environmental and radiation data, according to a new watchdog report that says the security deficiencies could leave the EPA’s data exposed to threat actors.
“These environmental and radiation data are used for determining responses to national incidents and safeguarding first responder personnel, but without timely patching of known vulnerabilities, the Agency risks compromising the integrity and availability of this data,” the 55-page report published on July 5 states.
The Inspector General (IG) report said the EPA had not complied with Federal mandates that require the agency to address identified vulnerabilities within specific timeframes for its Analytical Radiation Data System (ARadDS).
The EPA is directed by the National Institute of Standards and Technology (NIST) to remediate vulnerabilities in ARadDS within two calendar days for critical vulnerabilities, seven days for moderate vulnerabilities, and 30 days for low vulnerabilities.
ARadDS is an information technology (IT) architecture that provides historical and present information on the results of monitoring to detect radiation in air particulate, precipitation, drinking water, and surface water. Over time, these data show the fluctuations in normal background levels of environmental radiation, the report notes. The data can also be used to detect higher than normal radiation levels during a radiological incident.
A scan of the agency’s network revealed more than 20,000 instances of critical vulnerabilities, the report says, and the EPA failed to provide adequate tracking and remediation efforts.
“Because of the significance of the data collected, analyzed and hosted within ARadDS, the impact of these data being compromised poses a significant risk to public health,” the report says.
EPA officials cited “the significant number of vulnerabilities” associated with ARadDS “and the limited resources to address them” as part of the reason for the backlog in installing critical patches for the system.
The report notes that the EPA scored an overall level three out of five on the maturity model, meaning that the EPA has consistently implemented its information security policies and procedures in accordance with the Federal Information Security Modernization Act of 2014, although “quantitative and qualitative effectiveness measures are lacking.”
The IG also found that the EPA’s IT procedures have not been updated to comply with Federal time constraints.
The EPA is currently following outdated IT evaluation procedures that give the agency three years to ensure its compliance with the Federal mandates, while the Office of Management and Budget has tasked Federal entities with implementing NIST standards within one year of their publication.
The IG report recommended that the EPA develop implementation plans to prioritize and schedule known patches to identified vulnerabilities within required timeframes, as well as update its monitoring guidance to include a timelier process for reviewing security procedures and assign responsibilities to track and measure progress.
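The 2-, 7- and 30-day windows the report cites, together with the IG’s call to track and measure remediation progress, describe a check a team can run against its own scan output: compute each finding’s deadline from its detection date and severity, then flag what is overdue. The Python below is an added example, not code from the report or the EPA; the hosts, check ids and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows cited in the report, in calendar days from first detection.
SLA_DAYS = {"critical": 2, "moderate": 7, "low": 30}

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str                      # scanner check identifier (constructed)
    severity: str                      # key into SLA_DAYS
    first_seen: date
    remediated: Optional[date] = None  # None while the finding is still open

def sla_deadline(f: Finding) -> date:
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} on {f.host}/{f.check_id}")
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])

def is_breached(f: Finding, as_of: date) -> bool:
    """True if the finding stayed open past its deadline (closed late, or still open late)."""
    closed = f.remediated if f.remediated is not None else as_of
    return closed > sla_deadline(f)

def breach_summary(findings, as_of: date) -> dict:
    """Per-severity counts of open and SLA-breaching findings, plus the worst overdue age."""
    summary = {s: {"open": 0, "breached": 0, "max_days_overdue": 0} for s in SLA_DAYS}
    for f in findings:
        row = summary[f.severity]
        if f.remediated is None:
            row["open"] += 1
        if is_breached(f, as_of):
            row["breached"] += 1
            end = f.remediated if f.remediated is not None else as_of
            row["max_days_overdue"] = max(row["max_days_overdue"], (end - sla_deadline(f)).days)
    return summary

# Constructed sample findings; not real EPA scan data.
AS_OF = date(2023, 7, 5)
SAMPLE_FINDINGS = [
    Finding("sensor-01", "CHK-0001", "critical", date(2023, 6, 30)),                 # open, 3 days late
    Finding("sensor-02", "CHK-0001", "critical", date(2023, 7, 4)),                  # open, within window
    Finding("db-01", "CHK-0002", "moderate", date(2023, 6, 20), date(2023, 6, 26)),  # closed on time
    Finding("db-01", "CHK-0003", "moderate", date(2023, 6, 20), date(2023, 6, 30)),  # closed 3 days late
    Finding("web-01", "CHK-0004", "low", date(2023, 5, 1)),                          # open, 35 days late
]

if __name__ == "__main__":
    for sev, row in breach_summary(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{sev:9} open={row['open']} breached={row['breached']} worst_overdue={row['max_days_overdue']}d")
```

Counting a late-but-closed finding as a breach keeps the measure honest about past performance, which is the kind of quantitative effectiveness metric the report found lacking.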
The EPA agreed with the IG’s three recommendations and provided corrective actions with timeframes to address the noted vulnerability tracking and remediation issues.
Joseph Goffman, principal deputy assistant administrator for the Office of Air and Radiation, said in response to the report that the agency is adding two new cybersecurity positions to his office to support monitoring and mitigation efforts. The agency has also sought a $2.5 million investment from the Technology Modernization Fund to assist with additional modernization efforts to the ARadDS network.
Goffman noted that his office plans to complete the IG’s recommendations by quarter two of fiscal year 2024.