The security climate is in need of change at the National Oceanic and Atmospheric Administration (NOAA) after a report from the Office of the Inspector General in the Department of Commerce found “significant security deficiencies” — amounting to thousands of vulnerabilities — threaten its mission critical systems.
Specifically, the report on the IG's audit of NOAA called out the agency for having its information systems connected to National Environmental Satellite, Data, and Information Service (NESDIS) critical satellite ground support system which it says “increases the risk of cyber attacks.”
“The Polar-orbiting Operational Environmental Satellites' (POES') and Geostationary Operational Environmental Satellites' (GOES') mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber attacker with access to these critical assets,” said the report, echoing security professionals who have always pegged the transitive trust between the systems that run the business and the infrastructure systems as a point of vulnerability.
After reviewing selected Windows components on four NESDIS systems, the Inspector General concluded that “inconsistent implementation of mobile device protections” boosted the probability of malware infection, primarily because unauthorized devices had been connected to critical systems and because GOES and the Environmental Satellite Processing Center (ESPC) didn't take steps to make sure that the Windows AutoRun feature was consistently disabled. Nearly half, 48 percent, of the ESPC's components — and 36 percent of GOES's — were accessed by unauthorized smart phones and thumb drives.
What's more, the report's authors expressed dismay that the agency had not implemented critical security controls in the NESDIS information systems, specifically that NESDIS did not “appropriate remediate vulnerabilities” nor did it institute “required remote access security mechanisms.” Even secure configuration settings controls were not implemented on IT products.
The IG's review did not spare NOAA harsh scrutiny and the agency, which operates under the Commerce Department, took hits for several recent security incidents, including an incident last year in which "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer.” In that situation, someone accessed a contractor's personal computer and nicked satellite data.
NOAA's efforts to investigate were hampered when the PC owner “did not give NOAA permission to perform forensic activities.”
The report blamed some of NOAA's security woes on the protracted battle between NOAA and the U.S. Air Force from 2006 to 2010 over who was responsible for the security of the Defense Meteorological Satellite Program into which POES is knitted.
“Neither organization conducted security assessments,” the report said, contending that a lack of funding might force NOAA to “abandon any corrective actions and accept the risks of leaving the systems interwoven.”
The Inspector General's office called for NOAA to take 13 significant actions to improve security, among them that the agency “conduct a review to determine risks posed by NESDIS' restricted systems' current interconnections and ensure that USAF identifies all of DMSP's interconnections.”
Those risks must be detailed to NOAA senior management and the agency must “require that interconnected systems have completed control assessments and are authorized to operate before establishing an interconnection.”
The agency should also put the safeguards in place to prohibit the use of unauthorized mobile devices and to set a timeline for patching vulnerabilities in POES, GOES and ESPC and “implement necessary security mechanisms to secure against remote access via personal computers.”