SecurityWeek

NOAA Cybersecurity Criticized in Audit by Inspector General

A cybersecurity audit of the National Oceanic and Atmospheric Administration uncovered an agency challenged by inconsistent security controls.

The audit was performed by the U.S. Department of Commerce Inspector General Office, and was released late last week. The audit focused on select systems in two line offices that support the NOAA’s mission: the National Environmental Satellite, Data, and Information Service (NESDIS) and the National Weather Service (NWS).

According to the report, the mission-critical ground support systems of the polar-orbiting operational environmental satellites (POES) and geostationary operational environmental satellites (GOES) have interconnections with systems where the flow of information is not restricted. While these interconnections can facilitate interagency and external communications and services, those connections can also “pose a significant risk to each interconnected information system (i.e., more easily allow malware to spread, or attackers to use one system to access another).”

While NESDIS asserted POES has restricted the flow of data with other systems, the audit discovered POES is actually interwoven with the U.S. Air Force’s Defense Meteorological Satellite Program to the “point where they are virtually one system.”

“Specifically, there is no physical or logical separation between the systems (i.e., the systems operate on the same network and data can flow between the systems); they share support personnel, and they share some of the same support services and IT security controls (e.g., access control via a common Microsoft Windows Active Directory domain). This interweaving means that deficiencies in one system’s security posture will drastically affect the other system’s security,” according to the audit report. 

The report also found that NESDIS’ inconsistent implementation of mobile device protections increases the possibility of malware infection. In its review of selected Windows components on four NESDIS systems, the IG’s office found that unauthorized mobile devices had been connected to POES, GOES and the Environmental Satellite Processing Center (ESPC), and that GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.

“Mobile devices can carry malware that, when plugged into a workstation or server, could execute malicious code residing on the device and lead to a compromised system,” the report explained. “Accordingly, there has been a long-standing requirement that agencies restrict the use of mobile devices. Implementing required mobile device security mechanisms helps prevent the spread of malware and limits the risk of a compromise of critical assets.”
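One way to verify the AutoRun finding on a Windows host, as an added example that is not part of the article or the audit report: the PowerShell below reads the NoDriveTypeAutoRun policy value (a bitmask in which 0x04 covers removable drives and 0xFF disables AutoRun on every drive type) from the machine-wide and per-user policy keys and reports the state of each.

```powershell
# Added example, not from the SecurityWeek article or the OIG report.
# Checks whether Windows AutoRun is disabled through the NoDriveTypeAutoRun policy value.
$paths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide policy
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current-user policy
)
$removableBit = 0x04   # bit that disables AutoRun on removable drives (USB sticks, etc.)
$allDrives    = 0xFF   # value that disables AutoRun on every drive type

foreach ($p in $paths) {
  # Missing key or missing value both yield $null; no exception is thrown.
  $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
  if ($null -eq $v) {
    "$p : NoDriveTypeAutoRun not set (policy absent)"
    continue
  }
  $state = if (($v -band $allDrives) -eq $allDrives) {
             'AutoRun disabled for all drive types (0xFF)'
           } elseif ($v -band $removableBit) {
             'AutoRun disabled for removable drives, but not all drive types (0x{0:X2})' -f $v
           } else {
             'AutoRun NOT disabled for removable drives (0x{0:X2})' -f $v
           }
  "$p : $state"
}
```

Run it with the same elevation as the user whose session is being assessed; an unset value means the host relies on the Windows default rather than an explicit policy.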

In addition, security controls on NESDIS information systems were left unimplemented. According to the audit, the systems reviewed did not properly remediate vulnerabilities, implement required remote access security mechanisms or employ secure configuration settings on their systems.

“Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous,” according to the report.

“We found that 28 of 60 (47 percent) of the control assessments have deficiencies and may not have provided the AO with an accurate implementation status of the system’s security controls,” according to the report. “Independent assessors did not conduct sufficiently rigorous assessments of critical security controls. NOAA selected a designated certification and accreditation shared-services provider with the expectation that the assessment would be sufficiently rigorous.”

The IG’s office recommended, among other things, that the NOAA require that interconnected systems have completed control assessments and are authorized to operate before an interconnection is established. The office also recommended that the NOAA ensure high-risk vulnerabilities are prioritized and patched within the required timeframe.

The full report can be read here.
