US space agency NASA’s Jet Propulsion Laboratory (JPL) is best known as the home for a variety of space-faring endeavors, but the facility is also tasked with defending the space agency from cyberattacks.
A new report from NASA found that while JPL’s rocket scientists are doing well when it comes to space exploration, multiple security weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. JPL is managed by the California Institute of Technology.
Some of the issues spotted by the internal audit include an incomplete and inaccurate database inventory, which reduces the agency’s ability to effectively monitor, report, and respond to security incidents. There is also a user access issue, as NASA found "JPL’s network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access."
JPL also has issues dealing with identified cybersecurity problems. The report detailed how these may not be resolved for more than 180 days in some cases. Administrators misunderstood their roles regarding management and review of incident logs for identifying malicious activity.
The agency was also taken to task for not creating and implementing a threat hunting program as had been previously recommended, and for neither putting security training in place nor funding IT security certifications for its system administrators.
NASA also found it did not have access to JPL’s incident management system nor were there any controls in place to fulfill Caltech’s contractual obligation to report certain types of IT security incidents to the Agency through the NASA SOC.
The 49-page document included a nine-point list of recommendations for the director of the NASA Management Office to implement:
- require system administrators to review and update the ITSDB and ensure system components are properly registered and the JPL Cybersecurity/Identity Technologies and Operations Group (CITO) periodically review compliance with this requirement;
- segregate shared environments connected to the network gateway and monitor partners accessing the JPL network;
- review and update ISAs for all partners connected to the gateway;
- require the JPL CITO to identify and remediate weaknesses in the security problem log ticket process and provide periodic aging reports to the JPL CIO;
- require the JPL CITO to validate, update, and perform annual reviews of all open waivers;
- clarify the division of responsibility between the JPL Office of the Chief Information Officer and system administrators for conducting routine log reviews and monitor compliance on a more frequent basis;
- implement the planned role-based training program by July 2019;
- establish a formal, documented threat-hunting process;
- develop and implement a comprehensive strategy for institutional IT knowledge and incident management that includes dissemination of lessons learned.

We also recommended the NASA CIO include requirements in the pending IT Transition Plan that provide the NASA SOC with sufficient control and visibility into JPL network security practices.
This article was originally published on SC Media US.