
Hacker Breached NOAA Satellite Data from Contractor’s PC

A GOES-R Spacecraft System and Propulsion Modules in Lockheed Martin Cleanroom // NOAA

National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report.

This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report states.

Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities. 

The July 15 report made public on Friday concentrates on information-technology security problems at NOAA's National Environmental Satellite, Data, and Information Service. NOAA is part of the Commerce Department. 

During the 2013 incident, "an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer," wrote Allen Crawley, Commerce's assistant IG for systems acquisition and IT security, referring to a dodgy computer address.

NOAA determined the PC likely was infected with malware, but it was prevented from examining further because "the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer," Crawley said.

The inspector general cited this case as an example of why it's a bad idea -- and a violation of Commerce policy -- for any personnel to access NOAA information systems using personal computers. In response to a draft report, NOAA officials noted the system in question was not a "high-impact" system. 
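The IG's description of the incident, a remote-access session from a personal PC pushing data to a suspicious external IP, is exactly the pattern a network monitoring team can hunt for in flow records. The script below is an added example, not code from the report, NOAA or Nextgov: it reads constructed flow-export lines, keeps only sources in an assumed remote-access (VPN) pool, discards internal and allowlisted destinations, and raises an alert when the bytes sent from one remote host to one external address cross a volume threshold. The VPN pool, internal ranges, allowlist and threshold are all assumptions chosen for the sample.

```python
"""Flag large outbound transfers from remote-access hosts to external,
non-allowlisted addresses. Added example; all records below are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow export: "timestamp src_ip dst_ip dst_port bytes_out".
# Destinations use the RFC 5737 documentation ranges, so nothing here is a real host.
SAMPLE_FLOWS = """\
2013-09-14T02:11:05Z 10.200.0.17 10.10.5.20 445 2100000
2013-09-14T02:12:40Z 10.200.0.17 203.0.113.77 443 48000000
2013-09-14T02:13:02Z 10.200.0.17 198.51.100.9 22 150000000
2013-09-14T02:15:10Z 10.10.5.20 192.0.2.10 443 900000
2013-09-14T02:16:33Z 10.200.0.42 203.0.113.77 443 120000
2013-09-14T02:18:00Z 10.200.0.42 192.0.2.55 443 75000000
"""

# Assumptions for the sample: the VPN hands remote PCs addresses from 10.200.0.0/24,
# everything in 10.0.0.0/8 is internal, and 203.0.113.77 is an approved data partner.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWLIST = {ipaddress.ip_address("203.0.113.77")}
THRESHOLD_BYTES = 50_000_000  # assumed: 50 MB per (source, destination) pair


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), int(nbytes))


def is_external(ip):
    """True when the address falls outside every internal range."""
    return not any(ip in net for net in INTERNAL_NETS)


def find_exfil(text, threshold=THRESHOLD_BYTES):
    """Sum bytes per (remote-access source, external destination) and
    return the pairs that exceed the threshold, largest first."""
    totals = defaultdict(int)
    first_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f.src not in VPN_POOL:            # only sessions from remote PCs
            continue
        if not is_external(f.dst) or f.dst in ALLOWLIST:
            continue                         # internal or approved destination
        key = (f.src, f.dst)
        totals[key] += f.bytes_out
        first_seen.setdefault(key, f.ts)
    alerts = [
        {"src": str(src), "dst": str(dst), "bytes": n, "first_seen": first_seen[(src, dst)]}
        for (src, dst), n in totals.items() if n >= threshold
    ]
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in find_exfil(SAMPLE_FLOWS):
        print(f"ALERT {a['first_seen']} {a['src']} -> {a['dst']} {a['bytes']} bytes")
```

On the sample, the 150 MB push from 10.200.0.17 to 198.51.100.9 and the 75 MB push from 10.200.0.42 to 192.0.2.55 are reported; the 48 MB transfer to the allowlisted partner and all internal traffic are not. In production the allowlist would come from the system's authorized interconnection list, and the threshold would be tuned per system rather than fixed.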

Satellites a Potential Target for Hackers

The report, however, also focused on vulnerabilities in high-impact systems related to weather satellites, such as the Polar-orbiting Operational Environmental Satellites and Geostationary Operational Environmental Satellites.

Unauthorized smartphone and thumb drive use was recently detected on 41 percent of components in systems supporting POES, 36 percent of components in systems supporting GOES, and 48 percent of components in the Environmental Satellite Processing Center, the system that handles data received from the satellites.

Several U.S. earth observation satellites have also been probed by suspected Chinese government hackers in recent years, according to federal officials. 

In 2011, the Defense Department examined two unusual incidents from a few years earlier in which signals targeted a U.S. Geological Survey satellite. NASA also experienced two "suspicious events" with its Terra observational satellite in 2008. A 2011 report by the U.S.-China Economic and Security Review Commission characterized the events as successful interferences that might have been linked to the Chinese government.

Crawley said, "As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES and GOES, NESDIS’ critical components are at increased risk of compromise.”
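The figures above came from detecting smartphones and thumb drives on satellite ground-system components, which on a Linux host amounts to reading the kernel's USB enumeration messages and comparing each device against an approved list. The script below is an added example, not code from the report or NOAA: it parses constructed kernel log lines in the dmesg/journal format, reconstructs each device from its "New USB device found", "Product:" and "usb-storage" messages, and reports every device not on an assumed allowlist, classifying it as removable storage, a mobile device (by an assumed set of phone vendor IDs) or other. The vendor and product IDs, the allowlist and the log lines are all assumptions for the sample.

```python
"""Audit kernel USB enumeration messages against an allowlist of approved
devices. Added example; the log lines and allowlist below are constructed."""
import re
from collections import namedtuple

# Constructed sample kernel log (dmesg/journal style) from one host.
SAMPLE_KLOG = """\
[ 8123.401] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 8123.552] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 8123.553] usb 1-1: Product: Ultra Fit
[ 8123.560] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 8410.120] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[ 8410.271] usb 1-2: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice= 9.01
[ 8410.272] usb 1-2: Product: iPhone
[ 9001.005] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 9001.006] usb 1-3: Product: USB Keyboard
"""

Device = namedtuple("Device", "port vid pid name storage")

FOUND_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")

# Assumed site policy: one approved keyboard; phones recognised by vendor ID.
ALLOWLIST = {"046d:c31c"}
PHONE_VENDORS = {"05ac", "18d1", "04e8"}   # assumed: Apple, Google, Samsung


def parse_devices(text):
    """Rebuild one Device per USB port from the enumeration messages."""
    devices = {}
    for line in text.splitlines():
        body = line.split("] ", 1)[-1]       # drop the "[ timestamp] " prefix
        m = FOUND_RE.match(body)
        if m:
            devices[m["port"]] = Device(m["port"], m["vid"], m["pid"], "", False)
            continue
        m = PRODUCT_RE.match(body)
        if m and m["port"] in devices:
            devices[m["port"]] = devices[m["port"]]._replace(name=m["name"].strip())
            continue
        m = STORAGE_RE.match(body)
        if m and m["port"] in devices:
            devices[m["port"]] = devices[m["port"]]._replace(storage=True)
    return list(devices.values())


def audit(text, allowlist=ALLOWLIST):
    """Return every device not on the allowlist, tagged by what it is."""
    findings = []
    for d in parse_devices(text):
        key = f"{d.vid}:{d.pid}"
        if key in allowlist:
            continue
        if d.storage:
            kind = "removable-storage"
        elif d.vid in PHONE_VENDORS:
            kind = "mobile-device"
        else:
            kind = "other"
        findings.append({"port": d.port, "id": key, "name": d.name, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KLOG):
        print(f"UNAPPROVED {f['kind']:18} port {f['port']} {f['id']} {f['name']}")
```

On the sample the thumb drive on port 1-1 and the phone on port 1-2 are reported while the allowlisted keyboard is not. Matching on vendor:product pairs is deliberately strict: a device that merely claims an approved vendor ID still fails, and a serial-number field, where the kernel prints one, would tighten it further.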

IG Also Cites Turf War, Funding Shortfall

A clash between the Air Force and NOAA over securing conjoined systems also has created hazards.

POES is interwoven with the military’s Defense Meteorological Satellite Program to the point where they are virtually one system.

"Because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments" of the military satellites, Crawley said. "POES will remain interwoven with DMSP, and DMSP’s security posture will remain deficient for some time."

Inadequate funding might prolong the security lapse further.

NOAA "has asserted that if funding is not available it will abandon any corrective actions and accept the risks of leaving the systems interwoven," he said.

The Air Force, meanwhile, doesn't expect to conduct a security posture assessment until a technology upgrade in 2016.

"There is doubt that the refresh will occur because of the USAF’s funding constraints," the report stated.

Linkages between NOAA satellite systems and less secure machines, such as those connected to the Internet, also present a threat.

POES and GOES "have interconnections with systems where the flow of information is not restricted, which could provide a cyberattacker with access to these critical assets," Crawley said. 

Thousands of Vulnerabilities Unremedied

A more general issue across NOAA satellite systems is software security bugs that have remained unfixed for more than a decade.

"POES, GOES, and ESPC have thousands of vulnerabilities, where some of the vulnerabilities in the software have been publicly disclosed for as long as 13 years," he said. "The older the vulnerability, the more likely exploits have been incorporated into common hacking toolkits.”

Overall, NOAA officials agreed with the report’s findings, but said the agency has already begun addressing the defects, the final report states.

"NOAA is committed to maintaining a cost-effective IT security program that manages risk at an acceptable level," Vice Adm. Michael Devany, NOAA deputy undersecretary for operations, wrote in a June letter, responding to the draft report. "We had already identified most of the concerns cited by the OIG in the report and have been implementing remediation efforts" that are documented in a Commerce tracking system.
