March 29, 2011
NASA Network Security Audit Reveals Vulnerabilities
NASA servers used to control spacecraft are vulnerable to cyber attack via the Internet, warned a report released Monday by NASA's inspector general following an audit of the space agency's network security.
"We found that computer servers on NASA's agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet," the report read.
"Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable."
"Moreover, once inside the agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations," the report read.
The audit also uncovered "network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks."
"These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected."
Inspector General Paul Martin said his office had recommended in a May 2010 audit report that NASA immediately establish an IT security oversight program for this critical network.
"Until NASA addresses these critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations, and personnel," he said.
Mr. Martin's office conducted the current audit after NASA's servers suffered a number of cyber intrusions that resulted in the "theft of export-controlled and other sensitive data from its mission computer networks."
The audit report cited one specific incident that occurred in May 2009, when cyber criminals infected a computer system that supports one of NASA's mission networks.
"Due to the inadequate security configurations on the system, the infection caused the computer system to make over 3,000 unauthorized connections to domestic and international Internet Protocol (IP) addresses including addresses in China, the Netherlands, Saudi Arabia, and Estonia," the report read.
In January 2009, cyber criminals stole 22 gigabytes of export-restricted data from a Jet Propulsion Laboratory computer system, the inspector general said.
In order to strengthen the Agency's IT security program, "We urge NASA to expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA's Agency-wide mission network. We also recommend that NASA Mission Directorates (1) immediately identify Internet-accessible computers on their mission networks and take prompt action to mitigate identified risks and (2) continuously monitor Agency mission networks for Internet-accessible computers and take prompt action to mitigate identified risks," the audit report read.
"Finally, to help ensure that all threats and vulnerabilities to NASA's IT assets are identified and promptly addressed, we recommend that NASA's Chief Information Officer, in conjunction with the Mission Directorates, conduct an Agency-wide IT security risk assessment," the report's authors concluded.
On the Net:
- The full report can be viewed at http://oig.nasa.gov/audits/reports/FY11/IG-11-017.pdf.