June 21, 2019 at 8:30 pm #25972
Holy crap. How about at least a few IT best practices, yeah? Just a few? [LINK]
Trigger warning: anyone who has ever worked in IT will feel their blood pressure rise as they read this.
An audit document from the U.S. Office of the Inspector General was published by NASA this week. It reveals that an unauthorized Raspberry Pi computer connected to the JPL servers was targeted by hackers, who then moved laterally further into the NASA network. How much further? Well, the hackers apparently got as far as the Deep Space Network (DSN) array of radio telescopes and numerous other JPL systems.
The extent of the breach, which happened in April 2018, was such that the Johnson Space Center, with responsibility for programs including the International Space Station, decided to disconnect from the gateway altogether. The audit report states that, “Johnson officials were concerned the cyber attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems.”
Without going into all the technical detail of every mistake that has been identified by this audit, needless to say it paints a very poor picture of JPL network security indeed. Everything from poor IT asset visibility and security violation ticket resolution shortcomings, through to untimely delays in patching known vulnerabilities were detailed by the auditors. All in all it reads like a security basics 101 list that has been ignored. System administrators lacked security certifications, no role-based security training was in place and JPL, unlike the main NASA security operations center (SOC), didn’t even have a round-the-clock incident reporting capability.
According to information security analyst Mike Thompson, NASA is right up there when it comes to high profile targets. “Many purely associate them with space related activities,” Thompson explains, “but their depth of research and development includes patents covering cutting edge science that nation states would literally kill for.”
You must be logged in to reply to this topic.