By Mike Skwarek, Deputy CIO and Cyber Security Officer
Argonne’s cyber security experts remain vigilant in protecting the laboratory’s data around the clock. Recently, the U.S. Department of Energy’s (DOE’s) Office of Enterprise Assessment conducted a full assessment of Argonne’s unclassified and classified cyber security program. The assessment team consisted of 19 cyber technical (ethical hackers) and audit professionals who worked with the laboratory’s cyber team to review cyber documentation, risk tolerance and technical protections. The rigorous assessment concluded that the cyber program was healthy, and it did not receive any formal findings.
These types of assessments are conducted on average once every four years, more often if critical deficiencies were previously identified. Management and staff in Argonne’s Business and Information Services Division put great effort into preparing and planning for the assessment, which began in late 2017 after the assessment team identified Argonne as a site on their 2018 plan.
The assessment consisted of both external and internal penetration testing, whereby the assessment team leveraged their expertise and techniques to simulate breaking into the laboratory’s systems and networks. The team conducted two full months of external scanning and four full days of interviews and documentation reviews. Several opportunities for improvement and best practices were identified.
Why is DOE breaking into their own systems? The laboratory’s cyber team strongly believes in having external experts validate our approach and share best practices seen across the complex as a means to strengthen our program. While these assessments can add to stress and raise blood pressure, they are valuable tools and reminders to keep up with the ever-changing cyber landscape.