recommended reading

Hacker Breached NOAA Satellite Data from Contractor’s PC

A GOES-R Spacecraft System and Propulsion Modules in Lockheed Martin Cleanroom

A GOES-R Spacecraft System and Propulsion Modules in Lockheed Martin Cleanroom // NOAA

National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report.

This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report states.

Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities. 

The July 15 report made public on Friday concentrates on information-technology security problems at NOAA's National Environmental Satellite, Data, and Information Service. NOAA is part of the Commerce Department. 

During the 2013 incident, "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer," wrote Allen Crawley, Commerce's assistant IG for systems acquisition and IT security, referring to a dodgy computer address.

NOAA determined the PC likely was infected with malware, but it was prevented from examining further because "the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer," Crawley said.

The inspector general cited this case as an example of why it's a bad idea -- and a violation of Commerce policy -- for any personnel to access NOAA information systems using personal computers. In response to a draft report, NOAA officials noted the system in question was not a "high-impact" system. 

Satellites a Potential Target for Hackers

The report, however, also focused on vulnerabilities to high-impact systems related to weather satellites, such as the Polar-orbiting Operational Environmental Satellites and Geostationary Operational Environmental Satellites. 

Unauthorized smartphone and thumb drive use was recently detected on 41 percent of components in systems supporting POES; 36 percent of GOES support systems; and 48 percent of components in the Environmental Satellite Processing Center, a system that handles data received from the satellites. 

Several U.S. earth observation satellites have also been probed by suspected Chinese government hackers in recent years, according to federal officials. 

In 2011, the Defense Department investigated two unusual incidents a few years prior involving signals targeting a U.S. Geological Survey satellite. NASA also experienced two "suspicious events" with a Terra observational satellite in 2008. A 2011 report by the U.S.-China Economic and Security Review Commission characterized the events as successful interferences that might have been linked to the Chinese government.

Crawley said, "As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES and GOES, NESDIS’ critical components are at increased risk of compromise.”

IG Also Cites Turf War, Funding Shortfall

A clash between the Air Force and NOAA over securing conjoined systems also has created hazards.

POES is interwoven with the military’s Defense Meteorological Satellite Program to the point where they are virtually one system.

"Because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments" of the military satellites, Crawley said. "POES will remain interwoven with DMSP, and DMSP’s security posture will remain deficient for some time."

Inadequate funding might prolong the security lapse further.

NOAA "has asserted that if funding is not available it will abandon any corrective actions and accept the risks of leaving the systems interwoven," he said.

The Air Force, meanwhile, doesn't expect to conduct a security posture assessment until a technology upgrade in 2016.

"There is doubt that the refresh will occur because of the USAF’s funding constraints," the report stated.

Linkages between NOAA satellite systems and less secure machines, such as those connected to the Internet, also present a threat.

POES and GOES "have interconnections with systems where the flow of information is not restricted, which could provide a cyberattacker with access to these critical assets," Crawley said. 

Thousands of Vulnerabilities Unremedied

A more general issue across NOAA satellite systems are security bugs in software that have remained unfixed for more than a decade. 

"POES, GOES, and ESPC have thousands of vulnerabilities, where some of the vulnerabilities in the software have been publicly disclosed for as long as 13 years," he said. "The older the vulnerability, the more likely exploits have been incorporated into common hacking toolkits.”

Overall, NOAA officials agreed with the report’s findings, but said the agency has already begun addressing the defects, the final report states.

"NOAA is committed to maintaining a cost-effective IT security program that manages risk at an acceptable level," Vice Adm. Michael Devany, NOAA deputy undersecretary for operations, wrote in a June letter, responding to the draft report. "We had already identified most of the concerns cited by the OIG in the report and have been implementing remediation efforts" that are documented in a Commerce tracking system.

Threatwatch Alert

User accounts compromised

1 Million Online Gaming Accounts Exposed

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.