Our Objective(s)
To determine whether security weaknesses exist in FHWA's information technology (IT) infrastructure that could lead to the compromise of the Agency's IT systems and data. Specifically, we reviewed FHWA's (1) adherence to cybersecurity policies and (2) compliance with the Rules of Engagement (ROE) and its cybersecurity incident response procedures.
Why This Audit
FHWA's information systems support mission processes that aid in grant management, infrastructure inspections, inventory management, and research and development. Protecting these systems and the information stored in them prevents unauthorized access and compromise. This audit is the fourth in a series of reviews to determine whether the U.S. Department of Transportation (DOT) has the security controls in place to protect its networks and information systems from unauthorized access.
What We Found
DOT's lack of adherence to cybersecurity policies allowed the Office of Inspector General (OIG) to gain unauthorized access into FHWA's network.
FHWA and DOT's Office of the Chief Information Officer (OCIO) do not remediate vulnerabilities in FHWA's IT infrastructure according to policy.
OCIO had not implemented the required network boundary protection controls, which allowed us to access the Federal Aviation Administration's intranet site and sensitive proprietary data. FHWA did not replace default credentials in FHWA information systems, which allowed us to access network printers and sensitive information.
We also used open-source tools to crack weak and known passwords, and used those passwords to penetrate FHWA IT infrastructure and gain access to two FHWA servers and an OCIO server.
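The two findings above (factory-default credentials left on network devices, and passwords that fall to a dictionary attack) can both be caught by an auditor before an intruder does. The following is an added example, not code from the OIG report or from DOT: a default-credential check against a device inventory, and a rule-based dictionary attack of the kind open-source crackers run, here against unsalted SHA-256 hashes. Every host name, user, password, hash and list entry is constructed for the example.

```python
"""Offline checks for default credentials and dictionary-crackable passwords.
Added example; all inventory data, hashes and lists below are constructed."""
import hashlib

# Constructed default-credential list keyed by device type: (user, password).
# Hypothetical entries; real lists (vendor manuals, SecLists) are far longer.
DEFAULT_CREDS = {
    "printer": {("admin", "admin"), ("admin", ""), ("root", "public")},
    "switch": {("admin", "admin"), ("cisco", "cisco")},
}

# Constructed stand-in for a breached/common-password wordlist.
WORDLIST = ["password", "welcome", "summer2023", "letmein", "fhwa", "changeme"]

# Mangling rules of the kind hashcat/john apply to each wordlist entry.
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w.capitalize() + "!",
    lambda w: w.capitalize() + "123",
]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def candidates(wordlist=WORDLIST, rules=RULES):
    """Yield every rule(word) combination once."""
    seen = set()
    for w in wordlist:
        for r in rules:
            c = r(w)
            if c not in seen:
                seen.add(c)
                yield c


def find_default_credentials(inventory, defaults=DEFAULT_CREDS):
    """Hosts whose current login matches a factory default for their device type.
    In a live assessment this is an authentication attempt against each host
    rather than a comparison against an inventory record."""
    return sorted(
        dev["host"] for dev in inventory
        if (dev["user"], dev["password"]) in defaults.get(dev["type"], set())
    )


def crack_hashes(hash_entries, wordlist=WORDLIST, rules=RULES):
    """Dictionary attack on unsalted SHA-256: {(host, user): password}.
    Each candidate is hashed once and looked up against every entry, which is
    why unsalted fast hashes of weak passwords fall so quickly."""
    wanted = {}
    for e in hash_entries:
        wanted.setdefault(e["sha256"], []).append((e["host"], e["user"]))
    cracked = {}
    for c in candidates(wordlist, rules):
        for key in wanted.get(sha256_hex(c), []):
            cracked[key] = c
    return cracked


# Constructed inventory: two printers still on factory credentials.
INVENTORY = [
    {"host": "prn-hq-01", "type": "printer", "user": "admin", "password": "admin"},
    {"host": "prn-hq-02", "type": "printer", "user": "admin", "password": ""},
    {"host": "prn-div-03", "type": "printer", "user": "admin", "password": "x7!Qm#2vLp9z"},
    {"host": "sw-core-01", "type": "switch", "user": "admin", "password": "Nf4$k2Lq8w!e"},
]

# Constructed credential dump: two weak passwords and one random one.
HASHES = [
    {"host": "srv-app-01", "user": "svc_backup", "sha256": sha256_hex("Summer2023!")},
    {"host": "srv-db-02", "user": "admin", "sha256": sha256_hex("Welcome123")},
    {"host": "srv-ocio-01", "user": "jsmith", "sha256": sha256_hex("G7#pz!vR2m@qL0")},
]

if __name__ == "__main__":
    print("default credentials:", find_default_credentials(INVENTORY))
    print("cracked:", crack_hashes(HASHES))
```

Running it flags `prn-hq-01` and `prn-hq-02` and recovers the two weak server passwords while the random one survives the whole candidate set. The same two checks, pointed at the real inventory and at a proper cracker with a full wordlist, are what the findings above say were missing.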
DOT and FHWA officials did not consult with OIG in accordance with the ROE and did not fully follow DOT's incident response procedures, which prevented us from completing testing activities.
After we gained unauthorized access to three of DOT's servers, DOT disconnected one and started decommissioning the other two without consulting with OIG, as required by the ROE. According to DOT officials, FHWA and OCIO technicians did not notify OIG because they did not recognize OIG as the source of scanning and other intrusion attempts.
However, had DOT followed its incident response procedures, it could have identified OIG as an intruder and notified us they were aware of our intrusion so that we could consult and then complete further testing. As a result of these actions, we were unable to determine whether FHWA IT infrastructure is at risk of being further compromised.
Recommendations
We have made eight recommendations to improve OCIO's IT security posture in providing IT shared services to FHWA's IT infrastructure.
Unresolved Recommendations: Two
Note: This report has been marked Controlled Unclassified Information (CUI) in coordination with the U.S. Department of Transportation to protect sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. 552. Relevant portions of this public version of the report have been redacted.