A Host of Cyber Troubles at NASA
Published: July 11, 2019
A recent audit of JPL's cyber stance reveals multiple security weaknesses at an agency already facing numerous cyber woes.
Released in June, NASA’s IG report on Cybersecurity Management and Oversight at the Jet Propulsion Laboratory (JPL) uncovers a host of cyber weaknesses at the lab managed by Caltech. Though JPL is managed by a third party, NASA is ultimately responsible for the protection of the data and systems there. The audit stems from a number of cyber incidents that have occurred at JPL over the past several years. Most recently, in April 2018, JPL discovered that an account belonging to an external user had been hacked and 500 megabytes of data stolen. Before that, in 2011, cyber intruders gained access to 18 servers supporting JPL missions and stole 87 gigabytes of data.
This is not the first time major hacks have taken place at NASA. In October 2018, NASA uncovered a data breach in one of its servers containing personal data, including social security numbers, of current and former employees.
NASA’s cyber woes do not stop there. An IG report released in May 2018 revealed several concerns at NASA’s Security Operations Center (SOC), including an ineffective IT governance structure and a lack of necessary authorities, both of which hinder the space agency’s efforts to maintain oversight and address emerging cyber threats. Moreover, a GAO report, also released in May of last year, criticizes NASA’s executive oversight of cybersecurity, risk management strategy, IT security plan and security policies.
Adding to NASA’s overall cyber difficulties, the latest FITARA scorecard, released last month, shows the space agency receiving an overall grade of D-, down from a B+ last December. The drastic grade change is largely due to the incorporation of the cyber score, which reflects an agency’s compliance with FISMA. NASA received a D in the Cyber category, and is one of only two agencies to receive an F in the Transparency and Risk Management category.
To conduct the audit at JPL, NASA OIG assessed the effectiveness of the lab’s network security controls for externally facing applications and systems. Additionally, specific elements of JPL’s cyber program were examined, including oversight of the IT security control responsibilities assigned to Caltech under its contract with NASA.
The OIG found several weaknesses in the cyber program at JPL, including the inability of the lab’s SOC to provide 24/7 availability of IT security incident responders. The audit also found that: 1) JPL’s incident response plan is missing federally recommended elements, 2) role-based security training is absent, 3) no controls are in place to ensure Caltech’s compliance with reporting certain types of IT security incidents to NASA, and 4) NASA officials have no access to JPL’s incident management system. In addition to these findings, the OIG identified other key cyber flaws at JPL:
- Incomplete and Inaccurate System Component Inventory: JPL’s Information Technology Security Database (ITSDB) is used to track and manage physical assets and applications on its network. Nonetheless, the audit found that the database’s inventory was incomplete and inaccurate, leading to the lab’s inability to effectively monitor, report and respond to cyber incidents. The reduced visibility also prevents JPL from properly securing all devices connected to its networks.
- Inadequate Segmentation of Network Environment Shared with External Partners: JPL’s network gateway is not properly segmented to limit users only to those systems and applications for which they have approved access. This weakness is likely what led an attacker to gain unauthorized access to JPL’s mission network through a compromised external user system.
- Untimely Security Problem Log Ticket Resolution and Patch Application: The audit found that security problem log (SPL) tickets were not resolved for long periods of time, sometimes longer than 180 days. Specifically, the audit reviewed 8 system security plans associated with 13 JPL systems and found 5,406 SPLs, 86% of which were rated high or critical, and 58% left open for more than 60 days.
- Lack of Threat-Hunting Capabilities: Finally, while auditors found that cybersecurity monitoring tools implemented by JPL do defend against routine intrusions and computer misuse, the lab has not coordinated a threat-hunting program to actively and aggressively pursue abnormal activity on its systems for signs of compromise. Instead, JPL relies on an ad hoc process to search for intruders.
The audit reports that NASA management agreed with most of the IG’s recommendations, excluding the recommendation to establish a cybersecurity threat-hunting capability, on which further discussions with the agency will take place.