NASA cybersecurity report: ISS, Hubble, Shuttle vulnerable when hackers penetrated NASA network
- Xeni Jardin
- Apr 02, 2011
- News, security, Space
The office of NASA’s Inspector General released a report this week titled “Inadequate Security Practices Expose Key NASA Network to Cyberattack,” which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.
The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight program to reduce future risks.
From a related story in the Huntsville Times:
Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.
NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville’s Marshall Space Flight Center, to make sure computers are secure.
And more about the past intrusions, directly from the NASA Inspector General’s report:
We found that computer servers on NASA’s Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network. However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011.
Direct link to the Inspector General’s cybersecurity audit here.
(thanks, Miles O’Brien)