Throughout government, employees and contractors come and go, and while a great deal of attention is paid to bringing individuals on board and up to speed, sadly the same cannot be said for off board processes. The Department of Energy (DOE) learned this the hard way when former contractor Gary Peter Simon, Jr., two months after his need to know and access had expired, used the credentials he had when he was a contractor to re-enter their cloud infrastructure.
The off board process at DOE’s Strategic Petroleum Reserve Office (SPRO) had failed.
The result? Simon was able to access sensitive data, to which he had no need to know, but which he previously had authorized access. This unauthorized accessibility allowed Simon to wreak a bit of havoc within SPRO’s cloud infrastructure. He destroyed files, altered files, compromised former colleague’s accounts and attempted to sweep his having been their under the rug.
How the unauthorized access to DOE’s systems occurred
Simon plead guilty to one count of “intentionally accessing a protected computer without authorization and recklessly causing damage resulting in loss of more than $5,000 during one year.” According to court documents about the plea, the system he accessed was the DOE’s SPRO, WebEOC.
The SPRO is “responsible for overseeing and maintaining readiness of the United States stockpile of emergency crude oil, which was stored along the coastline of the Gulf of Mexico.” The SPRO’s cloud based system had two primary functions.
- Emergency operations management support of SPRO’s facilities. For example, when a hurricane arrives along the Gulf coast.
- Daily chronicle of control room operations from four SPRO facilities (two in Louisiana and two in Texas). The collation of daily activity through individual log views, allowed all to be cognizant of what was occurring at their sister facilities.
Access to the WebEOC was permitted either from an external log-in or from within the SPRO network. The WebEOC had an “Administrator” account for the cloud based system which allowed the administrator super-user access. In other words, this account could control access, and was able to alter, update or delete any user account or password, according to the court document. Access to the WebEOC was permitted either from an external log-in or from within the SPRO network.
Access controls out of alignment at the DOE SPRO
The access controls from within the SPRO infrastructure to the WebEOC and externally via the internet did not align. This misalignment, known to Simon, facilitated his post-employment access. To access the WebEOC via the intranet, one needed a userid, password and a separate form of authentication – in the case of SPRO, that was an RSA secure token assigned to individual users. To access the WebEOC via the internet one needed only a user ID and password.
Yes, there were more controls on internal access than external.
The court documents indicate SPRO information technology processes/procedures allowed the “administrator” credentials to be used by multiple persons – Simon had administrator duties during his period of employ and was one of those persons. The credentials were not adjusted when Simon departed.
Their processes allowed a former insider, now outside, to have access to which Simon was not authorized. That is to say, SPRO had their insider threat realized and become a reality.
Off board your employees and contractors with care
We have addressed this topic in prior years, Employee Off Boarding: Three Steps Every Organization Must Take, where we highlighted three important steps to include in any off board process.
- Termination of access to information. Lock the individual out
- Review Non-Disclosure or Secrecy agreement
- Acquire an attestation from the individual which stipulates that they have returned all intellectual property of their employer, they retain no information from employer or clients.
As for Simon?
Department of Justice advises that Simon faces a maximum term of five (5) years in prison, a fine of up to $250,000.00, up to three (3) years of supervised release after imprisonment, and a mandatory $100 special assessment. Sentencing has been scheduled for November 11, 2019.