Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach

My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry.  This is the evidence-based component of risk analysis.  On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee.  While you may not run a nuclear complex, we can still learn from this incident.  Much has been published about this break-in and how it could occur given the high priority placed on security at the facility.  How did three people, average age of about 66 years, breakthrough three fences to an enriched uranium facility?  Only the people who were there will really know, but a recent book by Steve Gibbs does give some insight into the events and aftermath.  Mr. Gibbs was General Manager for the protective force vendor, Wackenhut, around the time of the break-in.  His recent book, Behind the Blue Line (2015) is a rare look into the events surrounding any type of security breach.  Here are some lessons I learned from this book.  These are my own observations, not explicitly stated in Mr. Gibbs’ book:

1. Wackenhut was involved in 6 weeks of difficult contract negotiations with the guard union.  This was finalized only the day before the above breach.  Did anyone in management or labor take their eye off the ball?  Did the negotiations contribute to the failure to detect the breach or take appropriate action?
2. Failure to maintain security systems was clearly a contributing factor.  The zone 62 camera simply was not working and had been out of service for five months.  Maintenance of physical security equipment seems like an obvious necessity.  Maintenance of cyber security controls is not top of mind with most organizations.  Interestingly, a new service in this space, “Managed Tools Security Service”, is now offered by Compliance Engineering.
3. Some systems in operation at Y-12 were not tuned for effective use.  One example was Argus, a physical intrusion detection system.  It had recently replaced a legacy system that had been in use for 20 years.  Argus had too many false positives to be effective, according to some of its users.  This, of course, is a common problem with all types of cyber detection systems.
4. Finally, one more contributing factor is that contract negotiations and budget scrutiny was taking place at exactly the same time as the July breach.  This was in addition to the labor negotiations mentioned in #1.  Previous reductions in funds had eliminated some of the guards that could have caught the intrusion before it got to the HEUMF.

The biggest failure is that Y-12 did not test its incident response plan or operational security monitoring.  This would have highlighted shortcomings and hopefully led to corrective action.  Conclusion:  never trust a security control, unless it is regularly tested.  Trust but verify everything.  Mr. Gibbs’ book is a worthwhile read, illustrating what it takes to secure a nuclear facility.