July 24, 2019
The Maritime Administration’s Information Technology Infrastructure Is at Risk for Compromise
What We Looked At
The Maritime Administration’s (MARAD) programs promote waterborne transportation, its integration with other transportation modes, and the viability of the U.S. Merchant Marine. MARAD works in many areas, including shipbuilding and shipping, vessel and port operations, national security, and transportation safety. The Agency has 12 information systems and 1 local area network. MARAD also uses a number of web applications, some of which contain sensitive data and personally identifiable information (PII). We conducted this audit because of the importance of MARAD’s programs to the Nation’s transportation system and the sensitive nature of some of the Agency’s information. Accordingly, our objective for this self-initiated audit was to determine whether MARAD’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data.
What We Found
We gained unauthorized access to MARAD’s network, but MARAD did not detect our access or our placement of hacking tools on the network, in part because it did not have an alert system configured to detect such activity, a safeguard that the National Institute of Standards and Technology (NIST) recommends. We also gained access to records containing PII. While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted. Had malicious attackers obtained these records, they could have used them to steal citizens’ identities and MARAD could have lost $103 million in credit monitoring fees. Furthermore, inadequate security awareness training may contribute to some Agency personnel’s susceptibility to social engineering. These weaknesses, individually and together, put MARAD’s network and data at risk for unauthorized access and compromise.
We made several recommendations to help MARAD improve the security of its information technology infrastructure.
Sensitive information exempt from public disclosure under the Freedom of Information Act, 5 U.S.C. § 552, has been redacted and we have marked the document as FOR OFFICIAL USE ONLY.