TSA typically has not managed security equipment in compliance with departmental guidelines regarding sensitive IT systems, according to an OIG report.
The Transportation Security Administration’s IT operations have persistent security problems, including unpatched software, inadequate contractor oversight, physical security lapses and inadequate reporting of vulnerabilities and security incidents.
Those were the main conclusions of a report this week from the Department of Homeland Security’s Office of Inspector General, which examined the TSA’s Security Technology Integrated Program (STIP). The OIG defines STIP as a “mission-essential data management system that connects airport transportation security equipment to servers. Connection to a centralized server allows remote management of passenger and baggage screening equipment and facilitates equipment maintenance, including software changes in response to emerging threats.”
The OIG further explains that STIP enables remote management of that equipment by connecting it to a centralized server that supports data management, aids threat response and facilitates equipment maintenance, including automated deployment of software and configuration changes. This significantly reduces the time needed to push critical software updates and configuration changes to the screening machines and the STIP central servers in response to emerging threats, the OIG stated.
The OIG wrote: “As a result of our prior audits of information technology security controls at selected US airports, we repeatedly reported IT security control deficiencies associated with STIP. Across the various locations, we found instances where:
TSA was not scanning STIP servers for technical vulnerabilities.
Non-DHS airport employees had access to STIP server rooms.
TSA had not implemented a process to report STIP-related computer security incidents to the TSA Security Operations Center.
STIP servers were not included in information systems security plans.
TSA had not established interconnection security agreements to document STIP connections to non-DHS baggage handling systems.
STIP servers were using an operating system that was no longer supported by the vendor.
STIP information security documentation inadequately identified the risks inherent in operating STIP.”
These vulnerabilities could adversely affect the availability and reliability of STIP. According to TSA staff, software patches for two applications were not installed because TSA system owners were concerned that the patches would degrade the performance of their systems.
Other vulnerabilities rated ‘high’ by the scanning software but unrelated to these two applications have been known for years — one such vulnerability dates back to 1999.
“These problems occurred because TSA typically has not managed STIP equipment in compliance with departmental guidelines regarding sensitive IT systems. TSA also did not effectively manage all IT components of STIP as IT investments and did not designate these assets as IT equipment. Thus, TSA did not ensure that IT security requirements were included in STIP procurement contracts, which promoted the use of unsupported operating systems that created security concerns and forced TSA to disconnect STIP equipment from the network.
By August 2015, TSA had to disconnect STIP equipment from its network due to IT security concerns created by the unsupported operating systems. As of the end of our fieldwork in December 2015, the equipment was still disconnected,” the OIG stated.
The OIG made 11 recommendations to rectify the security issues including: Ensure that IT security controls are included in STIP system design and implementation so that STIP servers are not deployed with known technical vulnerabilities; ensure that STIP servers use approved operating systems for which the department has established minimum security baseline configuration guidance; and ensure that STIP servers have the latest software patches installed so that identified vulnerabilities will not be exploited.
For its part, TSA said it was addressing the recommendations.
“TSA has developed a Cybersecurity Statement of Objective inclusive of a critical requirement to bring legacy transportation security equipment — including the explosive detection system (EDS) servers — into compliance with IT security controls mandated by DHS.
Additionally, future procurements must include these requirements. TSA has also created a formal Cybersecurity Management Framework and Plan that lays out an organizational framework and strategy to oversee the implementation of IT Security requirements onto legacy transportation security equipment. TSA will issue the Cybersecurity Statement of Objective to current transportation security equipment vendors by the end of August 2016,” the TSA stated.