recommended reading

Hacker Breached NOAA Satellite Data from Contractor’s PC

A GOES-R Spacecraft System and Propulsion Modules in Lockheed Martin Cleanroom

A GOES-R Spacecraft System and Propulsion Modules in Lockheed Martin Cleanroom // NOAA

National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report.

This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report states.

Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities. 

The July 15 report made public on Friday concentrates on information-technology security problems at NOAA's National Environmental Satellite, Data, and Information Service. NOAA is part of the Commerce Department. 

During the 2013 incident, "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer," wrote Allen Crawley, Commerce's assistant IG for systems acquisition and IT security, referring to a dodgy computer address.

NOAA determined the PC likely was infected with malware, but it was prevented from examining further because "the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer," Crawley said.

The inspector general cited this case as an example of why it's a bad idea -- and a violation of Commerce policy -- for any personnel to access NOAA information systems using personal computers. In response to a draft report, NOAA officials noted the system in question was not a "high-impact" system. 

Satellites a Potential Target for Hackers

The report, however, also focused on vulnerabilities to high-impact systems related to weather satellites, such as the Polar-orbiting Operational Environmental Satellites and Geostationary Operational Environmental Satellites. 

Unauthorized smartphone and thumb drive use was recently detected on 41 percent of components in systems supporting POES; 36 percent of GOES support systems; and 48 percent of components in the Environmental Satellite Processing Center, a system that handles data received from the satellites. 

Several U.S. earth observation satellites have also been probed by suspected Chinese government hackers in recent years, according to federal officials. 

In 2011, the Defense Department investigated two unusual incidents a few years prior involving signals targeting a U.S. Geological Survey satellite. NASA also experienced two "suspicious events" with a Terra observational satellite in 2008. A 2011 report by the U.S.-China Economic and Security Review Commission characterized the events as successful interferences that might have been linked to the Chinese government.

Crawley said, "As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES and GOES, NESDIS’ critical components are at increased risk of compromise.”

IG Also Cites Turf War, Funding Shortfall

A clash between the Air Force and NOAA over securing conjoined systems also has created hazards.

POES is interwoven with the military’s Defense Meteorological Satellite Program to the point where they are virtually one system.

"Because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments" of the military satellites, Crawley said. "POES will remain interwoven with DMSP, and DMSP’s security posture will remain deficient for some time."

Inadequate funding might prolong the security lapse further.

NOAA "has asserted that if funding is not available it will abandon any corrective actions and accept the risks of leaving the systems interwoven," he said.

The Air Force, meanwhile, doesn't expect to conduct a security posture assessment until a technology upgrade in 2016.

"There is doubt that the refresh will occur because of the USAF’s funding constraints," the report stated.

Linkages between NOAA satellite systems and less secure machines, such as those connected to the Internet, also present a threat.

POES and GOES "have interconnections with systems where the flow of information is not restricted, which could provide a cyberattacker with access to these critical assets," Crawley said. 

Thousands of Vulnerabilities Unremedied

A more general issue across NOAA satellite systems are security bugs in software that have remained unfixed for more than a decade. 

"POES, GOES, and ESPC have thousands of vulnerabilities, where some of the vulnerabilities in the software have been publicly disclosed for as long as 13 years," he said. "The older the vulnerability, the more likely exploits have been incorporated into common hacking toolkits.”

Overall, NOAA officials agreed with the report’s findings, but said the agency has already begun addressing the defects, the final report states.

"NOAA is committed to maintaining a cost-effective IT security program that manages risk at an acceptable level," Vice Adm. Michael Devany, NOAA deputy undersecretary for operations, wrote in a June letter, responding to the draft report. "We had already identified most of the concerns cited by the OIG in the report and have been implementing remediation efforts" that are documented in a Commerce tracking system.

Threatwatch Alert

Accidentally leaked credentials

U.K. Cellphone Company Leaks Customer Data to Other Customers

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.