The primary ongoing assurance activity is the review of incidents conducted by the cybersecurity program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the cyber program is functioning well and we continue to make adjustments to technical and administrative controls and policies as required by the environment.
1.1. Drive-by-download Infections
Drive-by infections continue to decrease, but they continue to be a source of risk given the low barrier for conducting an attack, difficulty in defending against an attack, and the large number of potentially vulnerable systems. Our existing mitigations (broad deployment of BigFix, isolating unpatched computers, and RPZ) continue to manage this risk to an acceptable level.
1.2. UDP Attacks
In this past year we have seen two attacks using the UDP protocol, one directed at NTP (monlist) and another directed at IPMI, both of which have been discussed in recent reports.
We have recently updated Bro to log all UDP activity and have implemented new protections in Bro and netflow to detect anomalous UDP activity. To address the two more recent UDP attacks, Berkeley Lab blocked several network ports and also developed and implemented Bro policy aimed at detecting and blocking these attacks. Although we have been able to address these two recent attack methods, the risk of new attacks directed at UDP remains. As new threats emerge, we will continue to develop protections to address them. UDP attack risk is reduced to acceptable levels.
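As an added illustration (not code from the report, from Bro, or from the Lab's netflow tooling), the check below applies the netflow-based approach described above to the two UDP attack patterns the report names: NTP monlist reflection, which appears as a site NTP server sending far more bytes to an outside client than that client sent in, and IPMI reached across the border. The site prefix, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Constructed assumptions for the example: site prefix (RFC 5737 documentation
# range), the two UDP services the report names, and an amplification threshold.
SITE = ip_network("192.0.2.0/24")
NTP_PORT, IPMI_PORT = 123, 623
AMP_RATIO = 10  # reply bytes / request bytes at or above this is anomalous

Flow = namedtuple("Flow", "src dst proto sport dport octets")

def inside(ip: str) -> bool:
    return ip_address(ip) in SITE

def find_ntp_amplification(flows):
    """Map (site NTP server, outside client) -> reply/request byte ratio for
    pairs where replies are AMP_RATIO times larger than requests. A monlist
    reflector looks exactly like this: tiny queries, very large answers."""
    request_bytes, reply_bytes = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT and inside(f.dst) and not inside(f.src):
            request_bytes[(f.dst, f.src)] += f.octets   # client -> server
        elif f.sport == NTP_PORT and inside(f.src) and not inside(f.dst):
            reply_bytes[(f.src, f.dst)] += f.octets     # server -> client
    return {
        pair: reply_bytes[pair] / request_bytes[pair]
        for pair in reply_bytes
        if request_bytes[pair] and reply_bytes[pair] >= AMP_RATIO * request_bytes[pair]
    }

def find_external_ipmi(flows):
    """(src, dst) pairs where an outside host reaches UDP/623 on a site host;
    IPMI should be blocked at the border rather than answered."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.proto == "udp" and f.dport == IPMI_PORT
                   and inside(f.dst) and not inside(f.src)})

# Constructed flow records: one monlist-style reflection, one ordinary NTP
# client exchange, one outside IPMI probe and one internal IPMI session.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "udp", 50001, 123, 40),
    Flow("192.0.2.10", "198.51.100.7", "udp", 123, 50001, 44000),
    Flow("203.0.113.5", "192.0.2.10", "udp", 40002, 123, 48),
    Flow("192.0.2.10", "203.0.113.5", "udp", 123, 40002, 48),
    Flow("198.51.100.9", "192.0.2.20", "udp", 40003, 623, 120),
    Flow("192.0.2.30", "192.0.2.20", "udp", 40004, 623, 120),
]
```

Only the reflection pair and the outside IPMI probe are reported; the ordinary NTP exchange and the internal IPMI session are not.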
1.3. Legacy Operating Systems
Vendors terminating support of operating systems presents an ongoing risk to Berkeley Lab. In some cases, existing systems cannot be upgraded, e.g. embedded systems or third party software reliant on the legacy operating system.
Microsoft’s termination of Windows XP support poses a risk, given the history of security vulnerabilities in Windows XP and the overall longevity of Windows XP.
We have prohibited Windows XP and Windows 2000 on LBLnet and have modified Bro to detect and block network access to systems running prohibited versions of Windows. Requests for exceptions are evaluated on a case-by-case basis. An evolving set of compensating controls is being deployed to instruments and other systems which must continue to run XP.
1.4. Emergent Security Risks and Evolving Threats
Supervisory Control and Data Acquisition (SCADA) systems. We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the BACnet protocol on our facilities network, which includes all of our Johnson Controls systems (building automation system).
1.5. Policy and Oversight
The largest single unmitigated risk to Berkeley Lab in the area of cybersecurity continues to be compliance-oriented policy and its negative effect on our core science mission. Compliance-oriented policy tends to undermine risk-based approaches to cybersecurity. It forces us to devote resources based upon compliance, not upon actual risk. It also runs counter to modern recommended models for cybersecurity, where the emphasis is on a tailored risk approach, similar to Berkeley Lab’s current approach to cybersecurity.
Such policy may come from DOE, OMB, NIST, UC, or may be policy via audit or oversight. In the history of Berkeley Lab, no cyber-attack has appreciably degraded our ability to do excellent research - instead, we’ve seen degradation from oversight policies that funnel money and resources away from science towards inefficient compliance activities.
In this trimester, Berkeley Lab was required to reassess the applicability of DOE Official Use Only (OUO) requirements. Given BSO’s strong position on this issue, Berkeley Lab and UC have agreed to accept the remainder of the OUO Order and Manual. An implementation plan has been completed.
A new governance model has been approved by the Secretary of Energy which will create a break from the way policy has been made in DOE for the past four years. We are optimistic that this new model will continue to provide ways to achieve reasonable input into the policy process.
Several new Directives are in development or have been recently approved that are applicable only to classified environments by design. LBL is concerned that communication from HQ regarding this applicability has not provided BSO with sufficient information.
2.0. LBNL Performance
2.1. Business Plan Performance
2.1.1. Border Router
Our new border router continues to function with increased block capacity (amount and duration). This new blocking capacity has allowed us to easily block new risks (IPMI, NTP) as well as extend our blocking to additional protocols.
2.1.2. Communication and Outreach
Berkeley Lab’s LabTech 2014, a technology and computing showcase for scientists and operations, occurred this past trimester. Attendees included participants from other DOE Labs and several universities. https://commons.lbl.gov/display/itdivision/LabTech+2014
2.1.3. CPP Sensors
Deployed and operational per direction from BSO.
2.1.4. PII Review
Progress continues on corrective actions from the PII review.
There were no audits that were directly related to IT or cybersecurity this past trimester.
The F$M Pre-Implementation Review was conducted this trimester and although it was not IT focused, it referenced IT and cybersecurity issues. An audit of Vital Records was also initiated this past trimester.
The Berkeley Lab Chief Information Officer and Deputy Chief Information Officer led a review of the SC IT Modernization Project, including its cybersecurity approach, at the request of Jeff Salmon. This review involved CIOs and SMEs from across the Labs and resulted in recommendations and briefings to Vasillios Kontouros, Jeff Salmon, and Pat Dehmer.
Berkeley Lab led the National Lab CIO effort to provide a coordinated multi-lab reporting strategy to DHS on behalf of SC, NNSA, and the DOE CIO.
3.0 PEMP Goals, Objectives, Notable Outcomes
4.0 Noteworthy Accomplishments
Berkeley Lab was recognized for its expertise in network intrusion systems with funding from NNSA to prototype 100G monitoring approaches and share the findings with other national laboratories.
Berkeley Lab has also provided substantial technical assistance to SLAC over this past year to assist with their implementation of Bro and overall review of their cybersecurity and IT modernization programs.