Report Shows Serious Weakness In NASA's Cyber Security Posture, Reveals Several Breaches and Security Incidents at the Space Agency
Recent testimony by NASA Inspector General Paul K. Martin before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology, revealed that NASA faces serious challenges when it comes to protecting its information and systems from cyber attacks.
Details released this week on the state of the agency’s information security revealed some frightening facts about the security posture of the organization, along with some eye-opening security-related incidents that occurred over the past few years.
NASA, which spends more than $1.5 billion annually on its IT-related activities, said just $58 million of that goes toward IT security, and from what the Inspector General revealed, it’s not nearly enough.
The 10-page report, “NASA Cybersecurity: An Examination of the Agency’s Information Security,” is a worthy read for anyone in an IT security-related job function, but here are a few interesting highlights.
Hackers Had Full Functional Control Over NASA Networks
The agency reported that during 2010 and 2011, it experienced 5,408 cyber security incidents that resulted in the installation of malware or unauthorized access to its systems.
Martin said that NASA was the victim of 47 APT attacks, 13 of which compromised agency systems during FY 2011. In one incident, attackers captured user credentials for more than 150 NASA employees that could have been used to gain unauthorized access to NASA systems. “The attackers had full functional control over these networks,” Martin said.
Interestingly, NASA OIG is the only Office of Inspector General that regularly conducts international network intrusion cases, something that NASA says could skew perceptions with regard to the agency’s relative rate of significant intrusion events compared to other agencies.
Some of the interesting facts and security incidents shared by Inspector Martin include:
• Six servers associated with IT systems that control NASA spacecraft and contain critical data had vulnerabilities that could allow a remote attacker to take control of or render them unavailable.
• Servers that were not properly secured exposed encryption keys, encrypted passwords, and user account information to potential attackers.
• An unencrypted NASA laptop that was stolen in March 2011 resulted in the loss of the algorithms used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs, Martin said.
• A May 2010 audit found that just 24 percent of applicable computers at the Goddard Space Flight Center were monitored for critical software patches and only 62 percent were monitored for technical vulnerabilities.
• NASA found computers and hard drives being sold or prepared for sale despite the fact that they still contained sensitive data. The report cited one example when a NASA facility released 10 computers to the public that had failed sanitization testing and could have put sensitive data at risk.
• Citing a lack of accountability for IT assets across the organization, Martin noted an incident when hard drives were found in an unsecured dumpster accessible to the public.
• Despite the fact that encryption is recognized as a best practice and an action required by the Office of Management and Budget (OMB), as of February 1, 2012, only 1 percent of NASA portable devices/laptops have been encrypted.
• During control testing, NASA identified several high-risk technical vulnerabilities on the system that provides mission support to the Space Shuttle and International Space Station. If exploited, these vulnerabilities could allow a remote intruder to gain control of the system or render it unavailable.
• In November 2011, NASA’s Jet Propulsion Laboratory (JPL) reported suspicious network activity involving Chinese-based IP addresses. NASA’s review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL’s networks. Martin said that the OIG is still investigating the matter.
• 130 NASA systems were infected with the DNSChanger malware.
“Although our audit work identified challenges to and weaknesses in NASA’s IT security program, we concluded that the Agency is steadily working to improve its overall IT security posture,” Martin concluded.
“Of the 69 recommendations for improvement we made in our IT audit reports over the last 5 years, 51 have been closed after full implementation by the Agency,” he added. “NASA continues to work toward implementation of the remaining 18, most of which stem from our more recent work.”
NASA’s Information Technology assets include more than 550 information systems that control spacecraft, collect and process scientific data, and more.