Jun 24 2026
Artificial Intelligence

How Idaho National Laboratory Turned a Cyberattack Into a Zero-Trust Roadmap

A security breach gave the Department of Energy facility a clear path for upgrading its defenses.

At the 2026 Zscaler Public Sector Summit in Washington, D.C., Idaho National Laboratory’s cybersecurity chief shared a candid account of the threats federal agencies face today — and the lessons his organization learned after confronting a serious intrusion.

Robert Roser, CISO and director of cybersecurity at Idaho National Laboratory (INL), said the modern threat landscape is being shaped by artificial intelligence, increasingly sophisticated ransomware groups and expanding supply chain risk. At the same time, agencies are rapidly shifting workloads to the cloud, which is creating new opportunities for attackers.

“AI-assisted attacks are something we’re watching very closely,” Roser said during a panel discussion at the summit. “Adversaries can use AI to build very realistic spear-phishing campaigns and compromise identities quickly.”

AI is also lowering the barrier to entry for cybercriminals. Tools powered by large language models allow attackers who may lack deep technical expertise to execute complex operations.

“AI makes the adversary better,” Roser said. “Someone who isn’t particularly technical can leverage AI and learn how to do very technical things quite simply.”

He said federal cybersecurity teams must prepare for a future in which AI-driven threats, ransomware and supply chain vulnerabilities intersect with cloud-based attacks.

For INL, which conducts nuclear energy research and operates experimental reactors for the Department of Energy, the stakes are particularly high.

“Protecting critical infrastructure is incredibly important for us,” Roser said.

A 2 A.M. Wake-Up Call

Shortly after Roser joined the laboratory — first as chief data officer and later as CISO — the organization experienced a breach that forced it to rethink its cybersecurity strategy.

“I got a wake-up call at about two in the morning that our DMZ — our internet-facing applications — had been compromised,” Roser said.

The intrusion was eventually attributed to APT41, a sophisticated threat group linked to China. The attackers had gained access through an application in the lab’s internet-facing environment.

Fortunately, the cybersecurity team detected the activity relatively quickly.

“We figured out that they were in there doing something within 24 hours,” Roser said. “And we turned our DMZ completely off in about 36 hours — just removed it from the internet while we dealt with it.”

The investigation uncovered several weaknesses that made the breach possible.

First, the organization lacked a complete inventory of applications deployed in the DMZ.

“In our DMZ, we didn’t have an inventory or change control for the applications that were in there,” Roser said.

One developer had deployed an application that relied on an open-source forms library with a known vulnerability. Even worse, the system was running with default credentials.

“They just walked right in,” Roser said.

A second issue compounded the problem. Some security monitoring tools had effectively been disabled after users complained about performance slowdowns.

“Our cyber tools were telling us that we had a problem,” Roser said. “But they weren’t allowed to react.”

Despite the disruption, Roser said, the incident provided valuable clarity.

“The upside was that it gave me a roadmap of what I had to work on,” he said.
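The three weaknesses the investigation surfaced (no inventory or change control for DMZ applications, a known-vulnerable library, default credentials, and monitoring tools that could report but not act) can be turned into a routine audit. The script below is an added illustration, not INL's or Zscaler's code; the inventory, the vulnerable-version feed and the agent status table are constructed sample data, and the field names are assumptions.

```python
# Constructed sample DMZ inventory modelled on the article's findings: one app
# deployed outside change control, on a vulnerable forms library, with default
# credentials, on a host whose monitoring agent may only alert, not block.
DMZ_APPS = [
    {"name": "forms-portal", "host": "dmz-web-01", "library": "forms-lib 1.2",
     "change_ticket": None, "default_credentials": True},
    {"name": "grant-status", "host": "dmz-web-02", "library": "forms-lib 2.0",
     "change_ticket": "CHG-0042", "default_credentials": False},
]

# Hypothetical vulnerability feed: (library, version) pairs known to be affected.
KNOWN_VULNERABLE = {("forms-lib", "1.2")}

# Hypothetical endpoint-agent state per host. Anything other than "enforce"
# (e.g. "alert_only", or a host missing entirely) is treated as a finding,
# since a tool that is "not allowed to react" offers little protection.
AGENT_STATUS = {"dmz-web-01": "alert_only", "dmz-web-02": "enforce"}


def audit_dmz(apps, vulnerable, agents):
    """Return (app_name, finding) pairs for every weakness detected."""
    findings = []
    for app in apps:
        name = app["name"]
        if not app.get("change_ticket"):
            findings.append((name, "no change-control record"))
        lib, _, ver = app["library"].partition(" ")
        if (lib, ver) in vulnerable:
            findings.append((name, f"known-vulnerable {lib} {ver}"))
        if app.get("default_credentials"):
            findings.append((name, "default credentials still set"))
        status = agents.get(app["host"], "missing")
        if status != "enforce":
            findings.append((name, f"monitoring {status} on {app['host']}"))
    return findings


if __name__ == "__main__":
    for app_name, finding in audit_dmz(DMZ_APPS, KNOWN_VULNERABLE, AGENT_STATUS):
        print(f"{app_name}: {finding}")
```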

Moving to Zero Trust

The breach accelerated INL’s decision to move away from traditional perimeter security and adopt a zero-trust architecture.

“We were going to shift to a full-out zero-trust environment,” Roser said.

One early priority was ensuring that security tools could not easily be overridden. The lab strengthened endpoint protection and monitoring capabilities and began rethinking how users accessed applications and data.

Roser also wanted to eliminate reliance on legacy VPN technology.

“I wanted to get out of the VPN game,” he said.

Instead, INL adopted a zero-trust model built around identity-based access and secure connectivity using the Zscaler platform. By deploying Zscaler Internet Access and Zscaler Private Access, the laboratory was able to provide secure application access without exposing internal networks.

“With ZIA and ZPA, we basically got two use cases right away,” Roser said.

The architecture allows users to access only the applications they need rather than connecting broadly to the network.

For Roser, identity is the foundation of this approach.

“Identity is the foundational element for zero trust,” he said. “You want to refine role-based access and get more and more granular about what people can do.”

The Next Generation of Threats

As INL continues maturing its security architecture, Roser said, the lab is also exploring how artificial intelligence can strengthen cyber defense.

“We’re just starting the AI journey,” he said.

The laboratory has built its own GPU cluster and is experimenting with machine learning models to detect anomalies and suspicious activity.

INL is also evaluating additional capabilities, such as advanced data loss prevention through Zscaler and improved detection tools to protect sensitive research data.

At the same time, Roser cautioned, agencies should carefully evaluate the growing number of cybersecurity products claiming AI capabilities.

“Every vendor out there claims to use AI,” he said. “You have to do some vetting.”

Still, he believes AI will ultimately become a critical defensive tool.

“You need AI to fight AI,” Roser said.

For federal agencies modernizing cybersecurity programs, Roser said the lessons from INL’s experience are clear: Maintain visibility into systems, prioritize identity and reduce reliance on legacy perimeter security.

“Zero trust everywhere should be the goal,” he said. “That reduces the attack surface and puts you in a much better security posture.”