ML22123A041

| ML22123A041 | |
|---|---|
| Issue date: | 04/19/2022 |
| From: | NRC/OCIO |
| Shared Package: | ML22123A039 |
| References: | FOIA, NRC-2022-000107 |
OFFICE OF THE INSPECTOR GENERAL MEMORANDUM
DEFENSE NUCLEAR FACILITIES SAFETY BOARD, WASHINGTON, D.C. 20004-2901
June 8, 2020
TO: Glenn Sklar, General Manager
FROM: Dr. Brett M. Baker /RA/, Assistant Inspector General for Audits
SUBJECT: INDEPENDENT EVALUATION OF DNFSB'S POTENTIAL COMPROMISE OF SYSTEMS (SOCIAL ENGINEERING) (DNFSB-20-A-07)
The Office of the Inspector General (OIG) contracted MRE Technology Solutions, LLC (MRETEC) to conduct an independent evaluation of the Defense Nuclear Facilities Safety Board's (DNFSB) Potential Compromise of Systems (Social Engineering).
Attached is MRETEC's report titled Social Engineering Evaluation - DNFSB. The evaluation objective was for MRE Technology Solutions LLC (MRETEC) to perform a cybersecurity Social Engineering evaluation against the DNFSB. The evaluation was performed to assess the efficacy of DNFSB's security controls and cybersecurity awareness training. The findings and conclusions presented in this report are the responsibility of MRETEC. OIG's responsibility is to provide adequate oversight of the contractor's work in accordance with the Council of Inspectors General on Integrity and Efficiency Quality Standards for Inspection and Evaluation.
The report presents the results of the subject evaluation. Following the exit conference, DNFSB staff indicated that they had no formal comments for inclusion in this report.
MRETEC identified weaknesses in the area of physical testing and makes recommendations to strengthen identified weaknesses by improving the efficacy of DNFSB's security controls and cybersecurity awareness training.
FOR OFFICIAL USE ONLY - SENSITIVE INTERNAL INFORMATION
Please provide information on actions taken or planned on each of the recommendation(s) within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1.
We appreciate the cooperation extended to us by members of your staff during the evaluation. If you have any questions or comments about our report, please contact me at (301) 415-5915 or Terri Cooper, Team Leader, at (301) 415-5965.
Attachment: As stated
cc: R. Howard, DNFSB
MRE Technology Solutions LLC
Social Engineering Evaluation - DNFSB
May 18, 2020
Table of Contents
Acronym List ... 3
1.0 Introduction/Executive Summary ... 4
2.0 Finding and Recommendations ... 5
2.1 Finding A: Physical Testing ... 5
3.0 Objective, Scope, and Methodology ... 6
3.1 Objective ... 6
3.2 Scope ... 6
3.3 Methodology ... 6
(b)(7)(E)
4.0 Consolidated Recommendations ... 34
4.1 Physical Testing ... 34
Acronym List

| Acronym | Definition |
|---|---|
| ANS | American Nuclear Society |
| ASME | American Society of Mechanical Engineers |
| BBC1 | Broad-based Campaign 1 |
| BBC2 | Broad-based Campaign 2 |
| BBC3 | Broad-based Campaign 3 |
| CISPREP | NRC system |
| CS-IRT | Computer Security Incident Response Team |
| DC | District of Columbia |
| DNFSB | Defense Nuclear Facilities Safety Board |
| DOE | Department of Energy |
| EDT | Eastern Daylight Time |
| HQ | Headquarters |
| ID | Identification |
| IRS | Internal Revenue Service |
| ISNATT | International Society for Nuclear Air Treatment Technologies |
| IT | Information Technology |
| MRETEC | Short Name for MRE Technology Solutions (LLC) |
| NQA | Nuclear Quality Assurance |
| NRC | Nuclear Regulatory Commission |
| NW | Northwest |
| OPM | Office of Personnel Management |
| OSINT | Open Source Intelligence |
| PDF | Portable Document Format |
| PIN | Personal Identity Number |
1.0 Introduction/Executive Summary
This document provides an overview of a cybersecurity Social Engineering evaluation against the Defense Nuclear Facilities Safety Board (DNFSB). The evaluation's fieldwork was performed during the period of December 18, 2019 - February 4, 2020. The evaluation included both DNFSB personnel and the DNFSB facility located at 625 Indiana Avenue, North West (NW), Number 700, Washington, District of Columbia (DC).
This document is provided as Deliverable Number 4 under Contract No. GS-35F-215CA, Order Number 140D0418F0452.
The objective of this task was for MRE Technology Solutions LLC (MRETEC) to perform a cybersecurity Social Engineering evaluation against the DNFSB. The evaluation was performed to assess the efficacy of DNFSB's security controls and cybersecurity awareness training.
(b)(7)(E)
Results of this evaluation will support DNFSB in providing feedback on the efficacy of their security controls.
(b)(7)(E)
2.0 Finding and Recommendations
(b)(7)(E)
Recommendations
The physical plant recommendations are provided below.
1. Verify or update training about password protection, or release an internal memo that reminds personnel of their responsibilities to protect passwords. The training or memo should contain a reference to the consequences of violating the safeguarding procedures.
2. Within the next year, perform follow-on checks to see whether passwords are being protected.
3. Remove the open password for the MATLAB system.
3.0 Objective, Scope, and Methodology
3.1 Objective
The objective of this task was for MRETEC to perform a cybersecurity Social Engineering evaluation against the DNFSB. The evaluation was performed to assess the efficacy of DNFSB's security controls and cybersecurity awareness training.
(b)(7)(E)
Results of this evaluation will support DNFSB in providing feedback on the efficacy of their security controls.
3.2 Scope
The scope of the Social Engineering evaluation included evaluating vulnerabilities for individual DNFSB employees/contractors (approximately 90 personnel) and the DNFSB facility located at 625 Indiana Avenue, NW, Number 700, Washington, DC.
3.3 Methodology
MRETEC conducted this evaluation in accordance with the Council of Inspectors General on Integrity and Efficiency Quality Standards for Inspection and Evaluation. Those standards require that we plan and perform the evaluation to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our evaluation objectives.
MRETEC performed the Social Engineering evaluation using the following attack vectors and techniques:
(b)(7)(E)
(b)(7)(E)
Each of these techniques is described herein.
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)
(b)(7)(E)