Our objective was to determine if controls for purchasing and maintaining information technology (IT) equipment, specifically printers, webcams, and [redacted] cameras, are effective in identifying, assessing, and mitigating vulnerabilities and related cybersecurity risks to the U.S. Postal Service’s IT infrastructure.
The Postal Service purchases IT equipment, such as webcams and printers, through the eBuy Plus system. As of April 2020, the Postal Service had about 73,000 printers. Of these, 63,357 are categorized as [redacted], which are maintained by local information specialists. The remaining 9,352 are categorized as managed printers because they are managed and maintained using enterprise tools by [redacted], including application of firmware updates. Firmware is a software program embedded on a device that gives instructions for how to communicate with other devices.
As of November 2019, the Postal Service had 4,512 webcams to monitor customers’ wait times at retail facilities. Each district controls and maintains its own webcams. The Corporate Information Security Office (CISO) scans these webcams regularly to identify security vulnerabilities and directs districts to apply appropriate firmware updates when needed.
In addition, the [redacted] cameras are used inside and on the [redacted]. The Inspection Service, Facilities group, and U.S. Postal Service Office of Inspector General funded procurement and maintenance of the [redacted] cameras, including firmware updates, through the [redacted]. Although these organizations funded the [redacted] cameras, they are owned, operated, and controlled by the Postal Inspection Service. As of January 2020, there were over 11,000 [redacted] cameras connected to the Postal Service’s internal network.
Our fieldwork was planned before the President of the United States issued the national emergency declaration concerning the novel coronavirus outbreak (COVID-19) on March 13, 2020. The results of this audit do not reflect operational changes and/or service impacts that may have occurred as a result of the pandemic.
The Postal Service has effective controls over purchasing IT equipment; however, controls for identifying, assessing, and mitigating cybersecurity risks associated with [redacted] and [redacted] cameras are not effective.
The Postal Service had not updated firmware on any [redacted] since mid-2018. In addition, the CISO did not perform vulnerability scans of most of the [redacted] and did not maintain a comprehensive list of active firmware versions to determine if an update was required.
Postal Service information security policy and industry standards require evaluation and application of compatible firmware updates as they are made available to mitigate vulnerabilities. Failure to apply these updates occurred because the IT group did not establish a process and assign responsibility for updating firmware versions for [redacted]. This could lead to potential data compromise or loss of access to network resources supporting business operations.
The Inspection Service did not always apply firmware updates to its [redacted] cameras. In June 2020, CISO scanned all 11,808 [redacted] cameras and identified 2,815 cameras with the same critical vulnerability. The firmware update to mitigate that vulnerability has been available since June 2018; however, the firmware was never updated.
Industry standards recommend applying firmware updates as they are released to mitigate security risks and vulnerabilities. In addition, the [redacted] camera manufacturer recommends updating firmware to the most current version. Failure to apply these updates occurred because the Inspection Service has not upgraded the video management software system to enable the supplier to apply firmware updates.
In addition, the Inspection Service does not track and maintain [redacted] cameras in an inventory system but instead keeps a list of the cameras in a manual file that does not meet Postal Service hardware inventory policy. This occurred because the Inspection Service has not defined the roles and responsibilities for creating and maintaining an inventory management system.
Without timely firmware version updates and an inventory system to track cameras and their firmware versions, there is an increased risk that a remote attacker could gain unauthorized system-level access and take control of camera operations, potentially impeding investigations.
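The inventory and firmware-currency control described above can be implemented as a simple reconciliation: an inventory record per device, a per-model baseline of the lowest firmware build that contains the vendor's fix, and a comparison that flags every device below that baseline or too incompletely recorded to assess. The script below is an added illustration written for this summary; it is not the Postal Service's, the Inspection Service's, or any vendor's code. The device models, firmware versions, asset identifiers, and owner names are constructed sample data, and the version-string syntax it accepts is an assumption.

```python
"""Firmware-currency check over a device inventory (added illustration).

Given an inventory of networked devices and, per model, the lowest firmware
version the vendor ships a given fix in, report which devices still run an
older build and which records are too incomplete to assess. All model names,
versions, identifiers and owners below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Device:
    asset_id: str
    model: str
    firmware: Optional[str]   # None models a missing inventory field
    owner: str


# Constructed baseline: lowest firmware containing the vendor fix, per model.
MIN_FIXED_FIRMWARE: Dict[str, str] = {
    "CAM-1000": "5.2.1",
    "CAM-2000": "7.0.0",
    "PRN-300": "2.14",
}


def parse_version(v: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Turn '5.2.1' or 'v7.0' into a tuple of ints; None if absent/unparsable.

    Comparing as integers matters: as strings, '2.9' sorts after '2.14'.
    """
    if v is None:
        return None
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if a < b, padding the shorter tuple with zeros so 7.0 == 7.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(inventory: List[Device],
           baselines: Dict[str, str] = MIN_FIXED_FIRMWARE) -> Dict[str, List[str]]:
    """Bucket asset IDs into 'outdated', 'unknown' (unassessable) and 'current'."""
    result: Dict[str, List[str]] = {"outdated": [], "unknown": [], "current": []}
    for d in inventory:
        installed = parse_version(d.firmware)
        baseline = parse_version(baselines.get(d.model))
        if installed is None or baseline is None:
            # Missing firmware field or model with no known baseline: cannot
            # assess, which is itself a finding against the inventory.
            result["unknown"].append(d.asset_id)
        elif version_lt(installed, baseline):
            result["outdated"].append(d.asset_id)
        else:
            result["current"].append(d.asset_id)
    for bucket in result.values():
        bucket.sort()
    return result


def share_outdated(result: Dict[str, List[str]]) -> float:
    """Fraction of the assessed fleet (outdated + current) running old firmware."""
    assessed = len(result["outdated"]) + len(result["current"])
    return len(result["outdated"]) / assessed if assessed else 0.0


# Constructed sample inventory.
SAMPLE_INVENTORY: List[Device] = [
    Device("A-0001", "CAM-1000", "5.1.9", "district-01"),
    Device("A-0002", "CAM-1000", "5.2.1", "district-01"),
    Device("A-0003", "CAM-2000", "v7.0", "district-02"),
    Device("A-0004", "CAM-2000", None, "district-02"),
    Device("A-0005", "PRN-300", "2.9", "district-03"),
    Device("A-0006", "XYZ-9", "1.0", "district-03"),
]

if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket:9s} {len(ids):3d}  {', '.join(ids)}")
    print(f"outdated share of assessed fleet: {share_outdated(report):.0%}")
```

The "unknown" bucket is the point of the exercise: a manual list with blank firmware fields, or models nobody has mapped to a baseline, cannot be assessed at all, which is exactly the gap an inventory that meets the hardware asset policy closes.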
Finally, the CISO Vulnerability Assessments Team could not always complete the weekly vulnerability scans to identify outdated versions of firmware. Postal Service information security policy and management instruction require regularly conducted scans to identify vulnerabilities and assess cybersecurity threats.
This occurred because the Telecommunication Services group intermittently blocked vulnerability scans by changing firewall security settings since October 2017. The CISO vulnerability scans were blocked because they disrupted phone services and the Retail System Software business application that processes retail transactions. The CISO attempted to coordinate a resolution with the Telecommunication Services group; however, the vulnerability scans continued to be intermittently blocked without advance notice.
When vulnerabilities are not detected and corrected, there is an increased potential for loss of confidentiality, data integrity, or system availability, which may result in degraded customer service and loss of goodwill and brand value.
We recommended management:
- Establish a process to periodically evaluate current and updated firmware versions and apply timely firmware updates to [redacted].
- Upgrade the video management software system and apply firmware updates for the [redacted] cameras.
- Establish an inventory system for the [redacted] cameras that meets the hardware asset inventory policy requirements outlined in Handbook AS-805, Information Security.
- Develop a process to scan the Postal Service network for vulnerabilities without negatively affecting the performance of the network and applications.