
The Environmental Protection Agency’s (EPA) central database – where it stores environmental data received from companies, states, and tribes – isn’t properly secured, leaving it vulnerable to cyber threat actors, a new report from the agency’s Office of Inspector General (OIG) finds.
The web-based Central Data Exchange (CDX) overseen by the EPA stores environmental data sent to more than 30 different programs linked to the system.
Some of those programs granted access to the system without first verifying identities according to Federal and EPA standards, allowing more than 100 non-U.S. users to enter data, the OIG said.
“Without adequate security controls, the CDX is vulnerable to threat actors exploiting weak security controls to potentially gain unauthorized access, create fraudulent accounts, and enter unreliable data into the system,” reads the report.
The OIG also found that the EPA’s data system lacks the security controls to track how often a CDX user account is accessed, where in the system it visits, and what tasks it performs.
Data entered by users also lacked basic safeguards to block invalid or suspicious information, the audit revealed, allowing users to submit nonsensical numbers or characters.
The OIG noted that while it only reviewed files that contained identity data, it “is possible that other CDX files have similar data quality issues,” and that until the EPA addresses its “data integrity issues” it won’t have accurate and reliable data.
The EPA also failed to properly manage user accounts for its key data system, the OIG said, leaving over half of its 165,000 accounts active after long periods of inactivity and allowing many to bypass password expiration rules.
“Disabling inactive accounts reduces the attack surface of the system, which is the number of exposed entry points for a threat actor to use,” reads the report. “The smaller the attack surface, the less chance of a threat actor finding a vulnerability and exploiting the system.”
The EPA’s Office of Mission Support agreed with recommendations from the OIG to implement a process to validate identity data in CDX and disable accounts that can’t be verified. It also agreed to disable CDX accounts that are inactive for more than 45 days and regularly review user activity.
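The review the EPA agreed to run, written as an added example (not code from the OIG report or from the CDX system): it scans a constructed account export and flags accounts with unverified identities, accounts idle for more than the 45-day limit, and active accounts whose password age exceeds a maximum that is an assumed 90-day policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 45   # threshold the EPA agreed to adopt for CDX
PASSWORD_MAX_AGE_DAYS = 90   # assumed expiration rule, not stated in the report


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None means the account has never logged in
    password_changed: date
    identity_verified: bool      # validated against federal/EPA identity standards
    enabled: bool


def review_accounts(accounts: List[Account], today: date) -> Tuple[List[str], List[str]]:
    """Return (usernames to disable, usernames whose password is overdue)."""
    to_disable: List[str] = []
    password_overdue: List[str] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # already disabled, nothing to review
        if not acct.identity_verified:
            to_disable.append(acct.username)   # identity never validated
            continue
        # An account that never logged in is idle since it was created
        idle_since = acct.last_login or acct.created
        if (today - idle_since).days > INACTIVITY_LIMIT_DAYS:
            to_disable.append(acct.username)   # inactive beyond the 45-day limit
            continue
        # Verified, active account that bypassed the password expiration rule
        if (today - acct.password_changed).days > PASSWORD_MAX_AGE_DAYS:
            password_overdue.append(acct.username)
    return to_disable, password_overdue


# Constructed sample export; names and dates are invented for the example.
TODAY = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 1, 5), date(2024, 6, 20), date(2024, 5, 1), True, True),   # healthy
    Account("bob",   date(2023, 9, 1), date(2024, 3, 1),  date(2024, 2, 1), True, True),   # idle 121 days
    Account("carol", date(2022, 4, 1), date(2024, 6, 25), date(2023, 1, 15), True, True),  # old password
    Account("dave",  date(2024, 5, 1), date(2024, 6, 28), date(2024, 6, 1), False, True),  # unverified
    Account("erin",  date(2021, 1, 1), date(2023, 1, 1),  date(2022, 1, 1), True, False),  # disabled
    Account("frank", date(2024, 4, 1), None,              date(2024, 4, 1), True, True),   # never used
]

if __name__ == "__main__":
    disable, overdue = review_accounts(SAMPLE_ACCOUNTS, TODAY)
    print("disable:", disable, "password overdue:", overdue)
```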