Commerce IG: NOAA needs to better protect its satellite data
Agency infighting, data breaches and protection failures pose a series of cybersecurity risks that threaten the reliability of satellite systems used by National Oceanic and Atmospheric Administration and other federal agencies, according to a new report from the Commerce Department’s office of the Inspector General.
The IG report found during an audit that systems tied to NOAA’s National Environmental Satellite, Data, and Information Service (NESDIS) “have a significant number of vulnerabilities that have not been remediated,” with some of the security flaws having “been publicly disclosed for as long as 13 years.”
One of the big factors contributing to risks cited by the IG report is the dual involvement of the U.S. Air Force and NOAA in protecting data from the Polar-orbiting Operational Environmental Satellites (POES) system. POES is interwoven with the Air Force’s Defense Meteorological Satellite Program. Dual demands have created conflicts in operation and create the possibility for deficiencies and vulnerabilities. NOAA and the Air Force actually fought over responsibility for the program’s security in years past with the Air Force taking control in 2010. However, the IG report found the Air Force has yet to ensure the system meets the department’s security requirements.
POES staff did tell the IG firewalls have been installed to prevent attacks, but the IG said any internal threats from the Air Force still put the system at risk.
The IG also found that a number of programs lacked the government-required two-factor authentication or remote access restrictions from personal computers.
NOAA has had trouble with personal computers before. The report lists an incident in 2013 when a personal computer infected with malware took data from a NESDIS system, but NOAA was powerless to investigate because the contractor would not allow the agency to access the personal computer responsible for the breach. However, NOAA took issue with this incident being listed in the IG’s report because the breach was not directly related to the systems we assessed.
The report also found that NOAA systems did not prevent unauthorized mobile devices from being able to connect to the their systems.
“As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES… NESDIS’ critical components are at increased risk of compromise,” the report said.
As to closing vulnerabilities, NESDIS staff admitted they either don’t track, or are unable to apply, patches within the approved cycle.
The IG also found that a number of programs lacked the government-required two-factor authentication or restrict remote access from personal computers as well as flaws from an independent security analysis done by the Federal Aviation Administration.
“The FAA assessors asserted that [security] controls were appropriately implemented, despite evidence that directly contradicted these assertions,” the report said.
NOAA concurred with all 13 of the IG’s recommendations noting that some have already been put into effect.
“NOAA is committed to a cost-effective IT security program that manages risk at an acceptable level,” a NOAA response included in the report read. “We had already identified most of the concerns cited by the OIG in the report and have been implementing remediation efforts.”
You can read the full IG report here.