Unrestricted Access to Your Critical Infrastructure – The U.S. Treasury

The US Treasury Department is an industrial control environment integrated with an active business environment. This organization collects taxes, pays bills for the United States, produces coins and currency (using ICS controllers, field devices, servers, and applications), manages government accounts, and enforces tax and finance laws. The access that has recently been provided to the Department of Government Efficiency (DOGE) team equates to unmoderated administrative access to this control environment. The US Treasury Department is one piece of the United States' critical infrastructure.
Common Control Network Access Requirements
Cybersecurity professionals that conduct penetration testing and security assessments of industrial control environments, including the United States' critical infrastructure, are required to adhere to very specific conditions before, during, and after these assessments. Let's count the requirements that critical infrastructure and industrial control teams have imposed on me and my colleagues when performing cybersecurity assessment activities. Note that most of these must be satisfied BEFORE interacting with any network, system, application, device, or communications.
- Safety Training – always first. I bring it up because I have not seen any details about whether the DOGE team needed access to the systems and networks supporting the printing and processing of coins, bills, bonds and other items that comprise US currency. If so, a safety briefing would have been required, at a minimum.
- Transient Cyber Assets – these are mobile computers authorized to access the control environment at any level. A few clients have allowed me to use consulting company equipment on their non-sensitive networks. Most of my ICS clients require external and internal teams to use dedicated laptops, virtual machines, and jump hosts to access the sensitive networks. The clients that are subjected to nation-state threat actors control these systems VERY closely and require digital escorts at ALL times. The swiftness of DOGE activities leads me to believe that these capabilities were not considered.
- Data Restrictions – data collected during assessments typically has to remain in the client's environment. Some clients do allow reporting on consulting company equipment. Most, however, require that data remains on the client's file shares and that deliverables are processed using their equipment, software, and services. The ones that are subjected to nation-state threat actors do NOT allow data or account information to leave their control. Reports indicate unfettered access for the DOGE team members without digital escorts. I've seen no indication of whether this includes physical access to data centers or the control environments.
- Background Checks – background checks have been required by all of my clients. The consulting company typically handles this, but clients that are subject to nation-state threat actors require their own background check. Several articles have reported significant issues with the backgrounds of several DOGE team members.
- System and Account Changes – I have made small and monitored changes to ICS lab environments during penetration testing. I have NEVER asked or been authorized to make a change to a system, service, or account on ANY production system, business or ICS. To do so would have resulted in termination of the assessment and legal action. I would imagine that this activity would affect me personally, as it would be viewed as malicious and I would be subject to civil and criminal consequences. Reports indicate that administrators have been locked out of systems. There is no indication whether this happened at the system level, application level, or both. Some portions of the report seem to indicate that other system changes may have been made.
- Coordination with Stakeholders – ICS clients require an understanding of all actions to be performed in the test and production environments prior to coming onsite. The actions are reviewed, restrictions and limitations are provided, the stakeholders discuss the risks, and then all the teams modify the plan to ensure safety to personnel and operations. Unfettered and unmonitored access is never provided. Administrators, or responsible stakeholders, review the functionality and integrity of the system or device if they feel there is an issue. The swiftness and details in reports indicate that the DOGE team members did not coordinate their activities.
The Right Way Vs The Wrong Way
While systems do require audits and assessments, there is a right way and a wrong way to do them. I am surprised that the DOGE team has no restrictions in these control and business environments. It goes against common practices and international standards, as outlined in ISA/IEC 62443, the DHS Sensitive Systems Policy Directive 4300A, and the DHS Handbook for Safeguarding Sensitive PII. My knowledge about the financial sector is limited, but perhaps there are additional guidelines and requirements provided by the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and the Financial Services Sector Coordinating Council (FSSCC) ("an industry-led, non-profit organization that coordinates critical infrastructure and homeland security activities within the financial services industry").
Brian Krebs's article Teen on Musk's DOGE Team Graduated from 'The Com' and the Wired article A US Treasury Threat Intelligence Analysis Designates DOGE Staff as 'Insider Threat' have pointed out two individuals, at the moment, on the DOGE team who would not be allowed to conduct an assessment of ICS environments, including but not limited to critical infrastructure. The swiftness and lack of coordination with stakeholders would have prevented the assessment from beginning. And the changing of systems and accounts, if true, would have ended the assessment altogether and required a full check of integrity and operability. With the criminal and personal backgrounds of the current DOGE team in question, additional actions would be required, since they accessed the control and business environments.
Call to Action
Considering these issues within a part of the United States' critical infrastructure, the integrity of the U.S. Treasury business and control environments needs to be assessed before returning to production. Non-DOGE teams should analyze system and application access events, system and application configurations, and perform a physical review of all networks, data centers, and control environments. A review of external network communications should be conducted to determine if any data was exfiltrated from the environment (although this will not detect data the team carried out over cellular modems or on removable media, which never cross the monitored network). Network traffic needs to be monitored very closely to determine if any rogue devices, services, or malware have been installed to maintain remote access to these business or control networks. While this may be expensive, it is the reality. These checks are required to ensure the integrity, reliability, availability, and safety of these process and business environments.
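As an added illustration of the first and third checks above (reviewing access events for account changes, and reviewing external communications for exfiltration), the following Python script is not part of the original post. It runs simple detection logic over constructed syslog-style sudo lines and constructed flow records. The host names, user names, addresses, the change window, the list of authorized account administrators and the external allowlist are all assumptions made for the example; real environments would feed in their own logs and policy.

```python
"""Added example (not from the original post): review constructed Linux auth
log lines for account changes and constructed flow records for unexplained
outbound transfers. Hosts, users, addresses and policy values are hypothetical."""
import re
from datetime import time
from ipaddress import ip_address, ip_network

# sudo-invoked binaries that create, modify, lock or re-credential accounts.
ACCOUNT_CHANGE_CMDS = {"useradd", "usermod", "userdel", "passwd",
                       "chage", "chpasswd", "gpasswd", "groupmod"}
# Hypothetical policy: only these admins may change accounts, only in this window.
AUTHORIZED_ACCOUNT_ADMINS = {"jsmith"}
CHANGE_WINDOW = (time(8, 0), time(18, 0))

# Constructed auth log: an audit account creates, elevates and locks accounts at 02:14,
# then a regular admin runs a harmless status check during business hours.
SAMPLE_AUTH_LOG = """\
Feb  8 02:14:01 tres-app01 sshd[4321]: Accepted publickey for svc_audit from 10.20.30.40 port 51234 ssh2
Feb  8 02:14:20 tres-app01 sudo: svc_audit : TTY=pts/0 ; PWD=/home/svc_audit ; USER=root ; COMMAND=/usr/sbin/useradd -m ops_tmp
Feb  8 02:14:35 tres-app01 sudo: svc_audit : TTY=pts/0 ; PWD=/home/svc_audit ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo ops_tmp
Feb  8 02:15:02 tres-app01 sudo: svc_audit : TTY=pts/0 ; PWD=/home/svc_audit ; USER=root ; COMMAND=/usr/bin/passwd jsmith
Feb  8 02:15:10 tres-app01 sudo: svc_audit : TTY=pts/0 ; PWD=/home/svc_audit ; USER=root ; COMMAND=/usr/sbin/usermod -L jsmith
Feb  8 09:03:11 tres-app01 sudo: jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/systemctl status historian
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host sudo: user : ... COMMAND=<cmd>".
SUDO_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hms>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s+:.*?COMMAND=(?P<cmd>.+)$"
)


def parse_sudo(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["binary"] = ev["cmd"].split()[0].rsplit("/", 1)[-1]
    ev["time"] = time.fromisoformat(ev["hms"])
    return ev


def review_account_changes(log_text):
    """Flag every account-changing sudo command, with the policy rules it breaks."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev is None or ev["binary"] not in ACCOUNT_CHANGE_CMDS:
            continue
        reasons = []
        if ev["user"] not in AUTHORIZED_ACCOUNT_ADMINS:
            reasons.append("unauthorized actor")
        if not (CHANGE_WINDOW[0] <= ev["time"] <= CHANGE_WINDOW[1]):
            reasons.append("outside change window")
        if ev["binary"] == "usermod" and "-L" in ev["cmd"].split():
            reasons.append("account lock")  # the "administrators locked out" case
        findings.append({"host": ev["host"], "time": ev["hms"], "user": ev["user"],
                         "cmd": ev["cmd"], "reasons": reasons})
    return findings


# Constructed flow records: (src, dst, dst_port, bytes_out). External addresses are
# taken from the RFC 5737 documentation ranges so they cannot be real hosts.
SAMPLE_FLOWS = [
    ("10.20.30.40", "10.20.1.5", 445, 120_000),            # internal file share
    ("10.20.30.40", "203.0.113.77", 443, 2_400_000_000),   # 2.4 GB to unknown host
    ("10.20.30.41", "198.51.100.10", 443, 4_000),          # approved external service
]
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
KNOWN_EXTERNAL = {"198.51.100.10"}  # hypothetical allowlist, e.g. an approved update mirror


def review_outbound(flows, known_external=KNOWN_EXTERNAL, bulk_bytes=100_000_000):
    """Flag flows to destinations that are neither internal nor on the allowlist.
    Note: traffic over a cellular modem or removable media never appears here."""
    findings = []
    for src, dst, port, nbytes in flows:
        addr = ip_address(dst)
        if any(addr in net for net in INTERNAL_NETS) or dst in known_external:
            continue
        findings.append({"src": src, "dst": dst, "port": port,
                         "bytes_out": nbytes, "bulk": nbytes >= bulk_bytes})
    return findings


if __name__ == "__main__":
    for f in review_account_changes(SAMPLE_AUTH_LOG):
        print("ACCOUNT:", f)
    for f in review_outbound(SAMPLE_FLOWS):
        print("OUTBOUND:", f)
```

On the constructed input the script reports four account-changing commands, all by an actor outside the authorized list and outside the change window (one of them the lock on jsmith's account), and one bulk transfer to a destination that is neither internal nor allowlisted. The harmless status check and the allowlisted external connection produce nothing, which is the point of reviewing against a policy baseline rather than reading every line by hand.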
It is my hope that the Secretary of the Treasury Scott Bessent and my congressional representation (Congressman Michael Cloud of the U.S. House of Representatives, U.S. Senator Ted Cruz, and U.S. Senator John Cornyn) review this situation and take appropriate action. The DOGE team needs to be updated with personnel that pass basic background, skills, and security clearance checks. The scope of work should be limited to information gathering about metrics necessary for the audit / assessment. Access should require physical and digital escorting by administrative personnel with the appropriate knowledge of the system and the audit's information gathering techniques. All data should remain on U.S. Treasury systems and not leave the premises. Their Sphere of Influence is protecting these environments for the citizens of the United States.
Honestly, if we restrict access to our critical infrastructure, such as electrical and water, and impose basic limitations on cybersecurity professionals, then shouldn't we do the same for the systems that are used to protect the finances of the United States and its citizenry? If this situation concerns you, please forward this on to your congressional representatives.
Learn More About Assessing Critical Infrastructure
The SANS ICS authors and instructors discuss these requirements in the SANS Institute course ICS410 ICS/SCADA Security Essentials, and we will be teaching them in ICS613 ICS Penetration Testing and Assessments when it goes live later this year.
Go forth and do good things,
Image Source: Generated using MidJourney on February 8, 2025