NASA’s Jet Propulsion Laboratory (JPL) is best known as the home for a variety of space-faring endeavors, but the facility is also tasked with defending the space agency from cyberattacks.

A new report from NASA found that while JPL’s rocket scientists are doing well when it comes to handling space explorations, it found multiple security weaknesses reducing JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. JPL is managed by the California Institute of Technology.

Some of the issues spotted by the internal audit include an incomplete and innaccurate database inventory which reduces the agency’s ability effectively monitor, report, and respond to security incidents. There is also a user access issue as NASA found “JPL’s network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access.”

The report also found system administrators did not do a sufficient job tracking the devices on their assigned networks with one person noting he does not add devices because the network’s updating function does not always work and then he often forgets to handle the task manually.

“Consequently, assets can be added to the network without being properly identified and vetted by security officials. The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network,” the report stated, but did not say the this particular administrator was responsible for this incident.

JPL also has issued dealing with identified cybersecurity issues. The report detailed how these may not be resolved for more than 180 days in some cases. Administrators misunderstood their roles and regarding management and review of incident logs for identifying malicious activity.

The agency was also taken to task for not creating and implementing a threat hunting program as had been previously recommended nor put into a placed security training nor funded IT security certifications for its system administrators.

NASA also found it did not have access to JPL’s incident management system nor were there any controls in place to fulfill Caltech’s contractual obligation to report certain types of IT security incidents to the Agency through the NASA SOC.

The 49-page document included a nine-point list of recommendations for the director of the NASA Management Office to implement:

  • require system administrators to review and update the ITSDB and ensure system components are properly registered and the JPL Cybersecurity/Identity Technologies and Operations Group (CITO) periodically review compliance with this requirement;
  • segregate shared environments connected to the network gateway and monitor partners accessing the JPL network;
  • review and update ISAs for all partners connected to the gateway;
  • require the JPL CITO to identify and remediate weaknesses in the security problem log ticket process and provide periodic aging reports to the JPL CIO;
  • require the JPL CITO to validate, update, and perform annual reviews of all open waivers;
  • clarify the division of responsibility between the JPL Office of the Chief Information Officer and system administrators for conducting routine log reviews and monitor compliance on a more frequent basis;
  • implement the planned role-based training program by July 2019;
  • establish a formal, documented threat-hunting process;
  • develop and implement a comprehensive strategy for institutional IT knowledge and incident management that includes dissemination of lessons learned. We also recommended the NASA CIO include requirements in the pending IT Transition Plan that provide the NASA SOC with sufficient control and visibility into JPL network security practices.