Inspector General's Office Brings Laboratory Back to Earth
We Speak of the Voyager Probe If You're Wondering
NASA's Jet Propulsion Lab still has multiple IT vulnerabilities in its security controls that expose "systems and data to cyber-criminal exploitation," despite precautionary measures taken earlier this year.
Following a strongly worded March letter warning NASA as a whole about its cybersecurity problems, the NASA Office of the Inspector General (OIG) has now published a detailed report (PDF).
The results are not good. The JPL's internal inventory database is "incomplete and inaccurate," which reduces JPL's ability to "monitor, report, and respond to security incidents," as "devices attached to its networks are less visible."
Houston, we had a problem: NASA feared that the internal server could be hacked and staff personal data stolen from the Tech Security Database system, "because the database update function sometimes does not work".
A cyberattack in April 2018 exploited this weakness, when an unauthorized Raspberry Pi was targeted by an external attacker.
An important network gateway between JPL and a shared IT environment used by partner agencies "was not segmented properly to restrict users to only the systems and applications for which they had been granted access". Even when JPL employees opened tickets with the security help desk, it took up to six months for the matter to be resolved, potentially leaving "obsolete security controls that offset the JPL network from cyber-attacks exploitation" in place.
At the time of the visit, according to the report, as many as 666 tickets with the maximum severity level of 10 were open. In total, more than 5,000 tickets were open.
Indeed, just such a cyberattack hit all of NASA in December. Sensitive personal information on employees who worked for the US space agency between 2006 and 2018 was leaked from its servers – and it took NASA two months to notify those affected. Worse, JPL has no active threat-hunting process, despite its obvious attractiveness to nation-state adversaries, and its incident response exercises "deviate from NASA and recommended industry practices". JPL itself appears to operate as a silo within NASA, with the OIG noting that "NASA officials [did not] have access to the JPL incident management system."
Perhaps this report will be the wake-up call that NASA in general, and JPL in particular, needs in order to tighten up its operations. ®