The U.S. sees flaws in NASA and NOAA's ground control stations
September 11, 2014
On any given day, weather predictions could be thrown into a storm if potential hackers exploited a whole slew of dangerous and years-old security flaws reported in ground control stations for the Joint Polar Satellite System (JPSS).
The security holes, of which 12,703 are considered high risk, have been detailed in a U.S. Government audit report that examined the state of security of the "high impact IT" ground control system of the JPSS and the Suomi National Polar-orbiting Partnership.
The JPSS is the latest U.S. polar-orbiting environmental satellite and provides data for weather forecasts and climate monitoring.
Allen Crawley, the U.S. Department of Commerce's assistant inspector general for systems acquisition and IT security, found shocking flaws in the NASA and National Oceanic and Atmospheric Administration's (NOAA's) ground control station.
"As a direct result, few security controls are fully implemented and many high-risk security vulnerabilities exist within the system," Crawley wrote in a report.
"Software used by the JPSS system contains security vulnerabilities that have been publicly known for several years. Software tools to exploit several of these vulnerabilities are available on the Web," he added.
"Since 2012, the number of high-risk security vulnerabilities in the system has increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities," he said.
Some security flaws, including some very bad ones, have persisted for several years due in part to contractors having a four-year reprieve in 2010 from addressing any flaws while the station was repurposed from a research project to the JPSS.
High-risk security vulnerabilities were defined as those that are relatively easy for attackers to exploit and that could cause "significant disruption" to "critical data used in weather forecasting and climate monitoring".
About 26.2 percent of the National Institute of Standards and Technology security controls were fully implemented at the station between fiscal years 2012 and 2013.
Worse, the majority of the security vulnerabilities identified won't be fixed for a further two years despite policy stating that high-risk security flaws must be fixed within a month of being discovered.
In the recent past, it took up to about fourteen months for some security patches to be applied and more than a year for holes identified in penetration tests to be patched.
Management did confess that IT maintenance in 2011 was suspended for almost a year. Old security flaws include more than 9,100 high risk unpatched vulnerabilities, bad configurations and unnecessary operating system and software privileges.
Additionally, about 3,600 password and audit settings that are not in line with JPSS policy, and three security holes newly identified in 2012 but still not fixed, are still present today.
Those security holes could be fixed with only minor alteration to the ground control systems, according to the report.
Crawley also recommends that the station cancel its failed bi-annual maintenance cycle and fix the high risk holes ASAP before meteorologists begin reporting snowfall in the coming winter.
"High-risk security vulnerabilities could lead to a disruption of NOAA’s ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring. The importance of remediating these vulnerabilities justifies addressing them outside the regular cycle of maintenance deployments," Crawley added.
NOAA's security slap-down comes after it was revealed in July that a staffer had made off with data contained on his laptop which he refused to hand over.
Auditors found insecure access to corporate systems from staff members' consumer devices and thousands of security vulnerabilities.
Source: The U.S. Department of Commerce.