ORNL Security Breach - Details Released

UPDATE: A factual error was brought to my attention by Mr. Bill Cabage, a public information officer at Oak Ridge National Laboratory. Specifically, I wish to clarify that the incident described in this post occurred at the Y-12 National Security Complex and not at Oak Ridge National Laboratory. These two facilities, while both located in Oak Ridge, Tennessee, are in fact separate facilities managed by different organizations. Y-12 is managed by Babcock and Wilcox (B&W Technical Services Group, Inc.), while ORNL is managed by UT-Battelle.

"As noted in the first bullet in the referenced IG report, the laptops belonged to ORNL staff members who were working at Y-12. ORNL staff often work on projects at Y-12, but the two facilities are separate entities with different missions."

In October 2006, there was a significant security breach at Oak Ridge National Laboratory. This is unrelated to the suspected hack attack by China against ORNL in December 2007. Now, following an investigation by the Department of Energy, the DoE Inspector General has just released a report on the "incident." The title of the report is: Inspection Report on "Incident of Security Concern at the Y-12 National Security Complex." This breach occurred at the Y-12 National Security Complex at ORNL.

As background, it should be understood that:

Y-12 maintains Limited Areas that employ physical controls to prevent unauthorized access to classified matter or special nuclear material. The Department has restrictions regarding what items may be taken into Limited Areas and the capabilities of those items. The Office of Inspector General received an allegation that unauthorized portable electronic devices (including laptop computers) were introduced into a Limited Area at Y-12 and that this breach in security was not properly reported.

In all, it is now known that at Oak Ridge 38 laptops had been allowed into restricted areas, and that the Inspector General found that nine of these laptops had later been taken on foreign travel. If that wasn't bad enough, two of the laptops had been taken to countries on DoE's sensitive countries list (this is the list as of July 2005). As some added detail, although it is a 2003 document, the DoE publication titled Sensitive Foreign Nations Controls describes what the DoE considers to be "sensitive information."

Four main security violations occurred, the IG said:

● On Oct. 24, 2006, Y-12 employees discovered a contractor from Oak Ridge National Laboratory had brought an unclassified laptop with wireless capability into a Y-12 limited area without following proper protocols.

● Y-12 cybersecurity staff did not properly secure the laptop, and the user left the area with the computer, contrary to Energy policy. The laptop was not retrieved by the department until almost an hour later. Because the laptop could have been tampered with during that time, it could not be collected as best evidence.

● Energy requires that within 32 hours of an incident of security concern, a written report be submitted to the Headquarters Operations Center. The written report was not made until six days after the incident was discovered.

● Subsequent inquiries revealed that as many as 37 additional laptops may have been brought into the limited area by ORNL employees without following proper security protocols.

Even though the IG's report stated that forensic analysis concluded the laptop computers did not contain classified information, all 38 computers in question contained malware that could potentially be used by hackers to obtain unauthorized information, and 26 of the 38 laptop computers had wireless communications capability.

According to the Inspector General's report, ORNL management took immediate remedial steps upon learning of the security breach. The contractors who were involved in the incident were removed from the Y-12 Facility and had their unclassified email accounts suspended. A security breach at your bank is serious; a security breach at TJ Maxx was serious; a security breach at a nuclear laboratory is quite a bit more serious.