NOAA Cybersecurity Criticized in Audit by Inspector General

A cybersecurity audit of the National Oceanic and Atmospheric Administration uncovered an agency challenged by inconsistent security controls.

The audit was performed by the U.S. Department of Commerce Inspector General Office, and was released late last week. The audit focused on select systems in two line offices that support the NOAA’s mission: the National Environmental Satellite, Data, and Information Service (NESDIS) and the National Weather Service (NWS).

According to the report, the mission-critical ground support systems of the Polar-orbiting Operational Environmental Satellites (POES) and Geostationary Operational Environmental Satellites (GOES) have interconnections with systems where the flow of information is not restricted. While these interconnections can facilitate interagency and external communications and services, those connections can also “pose a significant risk to each interconnected information system (i.e., more easily allow malware to spread, or attackers to use one system to access another).”

While NESDIS asserted POES has restricted the flow of data with other systems, the audit discovered POES is actually interwoven with the U.S. Air Force’s Defense Meteorological Satellite Program to the “point where they are virtually one system.”

“Specifically, there is no physical or logical separation between the systems (i.e., the systems operate on the same network and data can flow between the systems); they share support personnel, and they share some of the same support services and IT security controls (e.g., access control via a common Microsoft Windows Active Directory domain). This interweaving means that deficiencies in one system’s security posture will drastically affect the other system’s security,” according to the audit report. 

The report also found that NESDIS’ inconsistent implementation of mobile device protections increases the possibility of malware infection. In its review of selected Windows components on four NESDIS systems, the IG’s office found that unauthorized mobile devices had been connected to POES, GOES and the Environmental Satellite Processing Center (ESPC), and that GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.

“Mobile devices can carry malware that, when plugged into a workstation or server, could execute malicious code residing on the device and lead to a compromised system,” the report explained. “Accordingly, there has been a long-standing requirement that agencies restrict the use of mobile devices. Implementing required mobile device security mechanisms helps prevent the spread of malware and limits the risk of a compromise of critical assets.”
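As an added illustration that is not part of the article or the audit report, the following read-only PowerShell check is the kind of verification an administrator could run on a Windows workstation or server to confirm the two controls the audit cites: that AutoRun is disabled for every drive type, and which USB mass-storage devices have ever been connected (to compare against an authorized list). The registry locations are standard Windows paths; the output fields and function names are chosen here for illustration.

```powershell
# Added example: read-only audit of AutoRun policy and USB storage history.
function Get-AutoRunStatus {
    # NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
    # 0xFF disables AutoRun for every drive type, which is the hardened setting.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $driveTypeBits = @{
        0x01 = 'Unknown (no root directory)'; 0x04 = 'Removable'; 0x08 = 'Fixed'
        0x10 = 'Network'; 0x20 = 'CD-ROM'; 0x40 = 'RAM disk'; 0x80 = 'Unknown'
    }
    foreach ($path in $policyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            # No policy value means the built-in Windows default applies, not a hardened 0xFF.
            [pscustomobject]@{ Scope = $path; Value = 'not set'; AllDisabled = $false; StillEnabledFor = 'default applies' }
            continue
        }
        # Any drive-type bit that is clear still allows AutoRun for that type.
        $stillEnabled = $driveTypeBits.Keys | Where-Object { ($value -band $_) -eq 0 } | ForEach-Object { $driveTypeBits[$_] }
        [pscustomobject]@{
            Scope           = $path
            Value           = ('0x{0:X2}' -f $value)
            AllDisabled     = (($value -band 0xFF) -eq 0xFF)
            StillEnabledFor = ($stillEnabled -join ', ')
        }
    }
}

function Get-UsbStorageHistory {
    # USBSTOR keeps one subkey per USB mass-storage device model ever enumerated,
    # with an instance (serial) subkey beneath it; Windows retains these after removal.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $model = $_.PSChildName
            Get-ChildItem -Path $_.PSPath | ForEach-Object {
                [pscustomobject]@{
                    Model        = $model
                    InstanceId   = $_.PSChildName
                    FriendlyName = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
                }
            }
        }
}

Get-AutoRunStatus | Format-List
Get-UsbStorageHistory | Format-Table -AutoSize
```

A device listed by Get-UsbStorageHistory that is absent from the site's authorized-device inventory is the same class of finding the IG reported; the USBSTOR key only records devices seen on that host, so the check must be run per system.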

In addition, security controls on NESDIS information systems were left unimplemented. According to the audit, the systems reviewed did not properly remediate vulnerabilities, implement required remote access security mechanisms or employ secure configuration settings on their systems.


“Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous,” according to the report.

“We found that 28 of 60 (47 percent) of the control assessments have deficiencies and may not have provided the AO with an accurate implementation status of the system’s security controls,” according to the report. “Independent assessors did not conduct sufficiently rigorous assessments of critical security controls. NOAA selected a designated certification and accreditation shared-services provider with the expectation that the assessment would be sufficiently rigorous.”

The IG’s office recommended, among other things, that the NOAA require interconnected systems to have completed control assessments and to be authorized to operate before an interconnection is established. The office also recommended that the NOAA ensure high-risk vulnerabilities are prioritized and patched within the required timeframe.

The full report can be read here.

Written By

Marketing professional with a background in journalism and a focus on IT security.
