A cybersecurity audit of the National Oceanic and Atmospheric Administration uncovered an agency challenged by inconsistent security controls.
The audit was performed by the U.S. Department of Commerce Office of Inspector General (OIG) and was released late last week. It focused on selected systems in two NOAA line offices that support the agency's mission: the National Environmental Satellite, Data, and Information Service (NESDIS) and the National Weather Service (NWS).
According to the report, the mission-critical ground support systems of the Polar-orbiting Operational Environmental Satellites (POES) and Geostationary Operational Environmental Satellites (GOES) have interconnections with other systems in which the flow of information is not restricted. While such interconnections can facilitate interagency and external communications and services, they can also “pose a significant risk to each interconnected information system (i.e., more easily allow malware to spread, or attackers to use one system to access another).”
While NESDIS asserted that POES restricts the flow of data to and from other systems, the audit found that POES is in fact interwoven with the U.S. Air Force’s Defense Meteorological Satellite Program (DMSP) to the “point where they are virtually one system.”
“Specifically, there is no physical or logical separation between the systems (i.e., the systems operate on the same network and data can flow between the systems); they share support personnel, and they share some of the same support services and IT security controls (e.g., access control via a common Microsoft Windows Active Directory domain). This interweaving means that deficiencies in one system’s security posture will drastically affect the other system’s security,” according to the audit report.
The report also found that NESDIS’ inconsistent implementation of mobile device protections increases the likelihood of malware infection. In its review of selected Windows components on four NESDIS systems, the IG’s office found that unauthorized mobile devices had been connected to POES, GOES and the Environmental Satellite Processing Center (ESPC), and that GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.
“Mobile devices can carry malware that, when plugged into a workstation or server, could execute malicious code residing on the device and lead to a compromised system,” the report explained. “Accordingly, there has been a long-standing requirement that agencies restrict the use of mobile devices. Implementing required mobile device security mechanisms helps prevent the spread of malware and limits the risk of a compromise of critical assets.”
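The two findings above are verifiable on any Windows host in a few lines. The following PowerShell script is an added example written for this article, not a tool from the OIG report or from NOAA: it reads the AutoRun policy value (NoDriveTypeAutoRun must be 0xFF to disable AutoRun for every drive type) and lists every USB mass-storage device the host has ever enumerated from the USBSTOR registry key, flagging any serial not on an allowlist. The allowlist contents are a placeholder assumption; the script must run elevated, and the optional remediation function is not called by default.

```powershell
# Added example (not from the OIG report or NOAA): audit one Windows host for the
# two NESDIS findings, i.e. AutoRun left enabled and unapproved mobile devices connected.
# Assumption: run as an administrator. The serial below is a hypothetical allowlist entry.
$ApprovedSerials = @('4C530001230405061234')

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for all drive types (Microsoft KB967715).
    # The machine and user policy hives are both checked, since either can re-enable it.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive      = $p.Split(':')[0]
            Value     = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f $v }
            Compliant = ($v -eq 0xFF)
        }
    }
}

function Set-AutoRunDisabled {
    # Remediation: set the machine-wide policy so AutoRun is disabled on every drive type.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Get-UsbStorageHistory {
    # USBSTOR keeps one subkey per device model and, beneath it, one per serial number
    # (instance ID) that has ever been plugged in, whether or not it is present now.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($model in Get-ChildItem -Path $root) {
        foreach ($inst in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model        = $model.PSChildName
                Serial       = $inst.PSChildName
                FriendlyName = $props.FriendlyName
                Approved     = ($ApprovedSerials -contains $inst.PSChildName)
            }
        }
    }
}

Write-Host '== AutoRun policy =='
Test-AutoRunDisabled | Format-Table -AutoSize

Write-Host '== USB mass-storage devices ever enumerated on this host =='
$history = @(Get-UsbStorageHistory)
$history | Format-Table -AutoSize

$unapproved = @($history | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ('{0} device(s) not on the allowlist have been connected to this host' -f $unapproved.Count)
}
# To remediate the AutoRun finding, run: Set-AutoRunDisabled
```

Two caveats: the USBSTOR history is forensic evidence, not a control, since an attacker with administrative rights can delete those keys, so the finding about unauthorized devices is properly addressed with a removable-storage policy that blocks unapproved devices before they mount, and a domain-wide Group Policy setting is preferable to editing the registry host by host.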
In addition, required security controls on NESDIS information systems were left unimplemented. According to the audit, the systems reviewed did not properly remediate vulnerabilities, implement required remote access security mechanisms, or employ secure configuration settings.
“Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous,” according to the report.
“We found that 28 of 60 (47 percent) control assessments have deficiencies and may not have provided the AO [authorizing official] with an accurate implementation status of the system’s security controls,” according to the report. “Independent assessors did not conduct sufficiently rigorous assessments of critical security controls. NOAA selected a designated certification and accreditation shared-services provider with the expectation that the assessment would be sufficiently rigorous.”
The IG’s office recommended, among other things, that NOAA require that interconnected systems have completed control assessments and been authorized to operate before an interconnection is established. The office also recommended that NOAA ensure high-risk vulnerabilities are prioritized and patched within the required timeframe.
The full report can be read here.