Saturday, May 6, 2023

Review - According to EPA IG the CSB Has Cybersecurity Issues

Thanks to a long-time reader, I came across a new EPA IG Report conducted by a contractor (SB & Company LLC) that notes that: “The CSB Is at Increased Risk of Losing Significant Data as Vulnerabilities Are Not Identified and Remediated Timely”. The CSB responded vigorously to correct the deficiencies noted.

Latest Report

In this new report, the contractor provided the CSB with an ‘Ad Hoc’ cybersecurity maturity level, noting (pg 5) “This means that the CSB policies, procedures, and strategies are not formalized, and activities are performed in an Ad-Hoc, reactive manner.” The sole deficiency specifically addressed in the core of the report dealt with system backups:

“The CSB has policies and procedures in place, requiring monthly vulnerability scanning. However, due to staffing issues, monthly vulnerability scanning was discontinued in FY2022.”

CSB Response

In the CSB’s response (Appendix C), the Board notes that, with the recent change in Board management, cybersecurity has been re-emphasized, along with hiring a new CISO and addressing earlier IG-noted deficiencies (see below). The Board also reported how it addressed the one formal recommendation about backups:

“Further, CSB established a Microsoft Azure cloud presence, which is now being utilized to perform daily backups of critical servers to an offsite location in another region. Virtual machines in that same cloud region are also configured and ready for continuity of operations and disaster recovery needs for the agency.”

Commentary

Anyone who has been following the CSB should not be surprised at the cybersecurity issues identified in this and earlier reports. Management and personnel problems abounded at the agency, and those existing problems were further aggravated by the efforts of the Trump Administration to disband the Board. That cybersecurity initiatives would be affected by those problems should not be unexpected.

It appears that the new management (though the Board is still short two members) is taking appropriate actions to correct these cybersecurity deficiencies, but we cannot be sure that these actions have been effective until the next review by the EPA IG’s inspectors (contractors). Hopefully, we will see significant improvements in the CSB’s cybersecurity maturity level.

For a more detailed look at the cybersecurity shortcomings outlined by the IG’s inspectors, including a brief look at an earlier report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/according-to-epa-ig-the-csb-has-cybersecurity - subscription required.
