Space Mission Networks at Risk of Major Breach

Inspector General: Hackers Could Cripple NASA's Operations
The audit, "Inadequate Security Practices Expose Key NASA Network to Cyberattack," didn't link any specific mission to specific vulnerabilities, but it did note that the NASA mission network is widely distributed and hosts more than 190 IT systems and projects run by the agency's mission directorates and the Jet Propulsion Laboratory, including the Hubble Space Telescope, the space shuttle, the International Space Station, and the Cassini and Lunar Reconnaissance orbiters.
"These IT systems and projects, categorized as moderate- and high-impact, control spacecraft, collect and process scientific data, and perform other critical agency functions," the audit said. "Consequently, a security breach of one of these systems or projects could have a severe to catastrophic adverse effect on NASA operations, assets or personnel."
The IG audit found that six servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of them or render them unavailable. Once inside the agency-wide mission network, the IG said, an attacker could use the compromised computers to exploit other weaknesses the audit identified, a situation that could severely degrade or cripple NASA's operations.
Auditors also found that some network servers exposed encryption keys, encrypted passwords and user account information to potential attackers, giving them additional ways to gain unauthorized access to NASA networks. "These deficiencies occurred because NASA had not fully assessed and mitigated risks to its agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected," the audit said.
In an audit report issued last May, the IG recommended that NASA immediately establish an IT security oversight program for its key network. Though the agency concurred with the recommendation, the audit said, it still had not been implemented as of February.
NASA regularly conducts risk assessments of individual IT systems, but not an agency-wide assessment of its portfolio of computers. "Agency-wide risk assessments are important because they help ensure that all threats and vulnerabilities are identified and that the greatest risks are promptly addressed," the IG said.
The IG recommended that NASA immediately identify Internet-accessible computers on its mission networks, take immediate action to mitigate the risks identified, and continuously monitor those Internet-accessible computers as a security control. The IG also recommended that NASA conduct an agency-wide IT security risk assessment of its mission-related networks and systems in accordance with federal guidelines and industry best practices.
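The two controls the IG recommends, an inventory of Internet-accessible computers and continuous monitoring of them, boil down to a reconciliation loop: compare what external scanning actually observes against what system owners have authorized to be exposed, and flag drift and gaps in coverage. The script below is an added illustration of that loop, not NASA's tooling or anything from the audit; the host names, ports, timestamps and the seven-day scan window are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: services an external scan observed reachable from
# the Internet on mission-network hosts. Not real NASA assets.
OBSERVED = [
    {"host": "sci-archive-01.example", "port": 443,  "service": "https", "last_scanned": "2011-03-01T02:00:00Z"},
    {"host": "sci-archive-01.example", "port": 22,   "service": "ssh",   "last_scanned": "2011-03-01T02:00:00Z"},
    {"host": "telemetry-gw.example",   "port": 8080, "service": "http",  "last_scanned": "2011-01-15T02:00:00Z"},
    {"host": "ops-console.example",    "port": 3389, "service": "rdp",   "last_scanned": "2011-03-02T02:00:00Z"},
]

# Exposures the system owners have explicitly approved (host, port).
AUTHORIZED = {
    ("sci-archive-01.example", 443),
    ("telemetry-gw.example", 8080),
    ("mission-portal.example", 443),
}

# Assumed monitoring policy: every Internet-facing host must be rescanned
# at least this often, otherwise its status is unknown.
SCAN_WINDOW = timedelta(days=7)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp like 2011-03-01T02:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_exposures(observed, authorized, now, window=SCAN_WINDOW):
    """Reconcile observed Internet exposures against the authorized set.

    Returns a list of findings, each a dict with host, port and issue:
      unauthorized_exposure   - reachable service nobody approved
      stale_scan              - service not rescanned within the window
      authorized_not_observed - approved exposure the scan did not see
                                (decommissioned host, or a scan coverage gap)
    """
    findings = []
    seen = set()
    for rec in observed:
        key = (rec["host"], rec["port"])
        seen.add(key)
        if key not in authorized:
            findings.append({"host": rec["host"], "port": rec["port"],
                             "issue": "unauthorized_exposure"})
        if now - parse_ts(rec["last_scanned"]) > window:
            findings.append({"host": rec["host"], "port": rec["port"],
                             "issue": "stale_scan"})
    for host, port in sorted(authorized - seen):
        findings.append({"host": host, "port": port,
                         "issue": "authorized_not_observed"})
    return findings


def summarize(findings):
    """Count findings per issue type, for a dashboard or report line."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    now = parse_ts("2011-03-03T00:00:00Z")
    for f in review_exposures(OBSERVED, AUTHORIZED, now):
        print(f"{f['issue']:24} {f['host']}:{f['port']}")
    print(summarize(review_exposures(OBSERVED, AUTHORIZED, now)))
```

Run against the sample data, the review flags the SSH and RDP services as unapproved exposures, flags the telemetry gateway because it has not been rescanned within the window, and reports the approved portal the scan never saw. The design point is that the authorized set is owned by the mission directorates, not the scanner: an exposure is only acceptable because someone accountable said so, which is the oversight responsibility the audit found had not been assigned.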
NASA CIO Linda Cureton, in a letter to the IG, generally concurred with the IG's recommendations, saying she will work with mission directorates and centers to develop, by Sept. 30, a comprehensive approach to ensure that Internet-accessible computers on NASA's mission networks are routinely identified, vulnerabilities are continually evaluated and risks are promptly mitigated. In addition, Cureton said she will develop and implement a strategy for conducting an agency-wide risk assessment by Aug. 31.