An audit of NOAA found security shortcomings, including the link between information systems and satellite systems.
An audit of NOAA found security shortcomings, including the link between information systems and satellite systems.

The security climate is in need of change at the National Oceanic and Atmospheric Administration (NOAA) after a report from the Office of the Inspector General in the Department of Commerce found “significant security deficiencies” — amounting to thousands of vulnerabilities — threaten its mission critical systems.

Specifically, the report on the IG's audit of NOAA called out the agency for having its information systems connected to National Environmental Satellite, Data, and Information Service (NESDIS) critical satellite ground support system which it says “increases the risk of cyber attacks.”

“The Polar-orbiting Operational Environmental Satellites' (POES') and Geostationary Operational Environmental Satellites' (GOES') mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber attacker with access to these critical assets,” said the report, echoing security professionals who have always pegged the transitive trust between the systems that run the business and the infrastructure systems as a point of vulnerability.

After reviewing selected Windows components on four NESDIS systems, the Inspector General concluded that “inconsistent implementation of mobile device protections” boosted the probability of malware infection, primarily because unauthorized devices had been connected to critical systems and because GOES and the Environmental Satellite Processing Center (ESPC) didn't take steps to make sure that the Windows AutoRun feature was consistently disabled. Nearly half, 48 percent, of the ESPC's components — and 36 percent of GOES's — were accessed by unauthorized smart phones and thumb drives.

What's more, the report's authors expressed dismay that the agency had not implemented critical security controls in the NESDIS information systems, specifically that NESDIS did not “appropriate remediate vulnerabilities” nor did it institute “required remote access security mechanisms.” Even secure configuration settings controls were not implemented on IT products.

The IG's review did not spare NOAA harsh scrutiny and the agency, which operates under the Commerce Department, took hits for several recent security incidents, including an incident last year in which "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer.” In that situation, someone accessed a contractor's personal computer and nicked satellite data.