The informational systems that the National Oceanic and Atmospheric Administration (NOAA) run are fraught with vulnerabilities and what the U.S. Department of Commerce deems “significant security deficiencies” that could leave it vulnerable to cyber attacks.
That’s according to the findings of an audit recently conducted by the Department of Commerce’s Office of the Inspector General (OIG). The report was initially published July 15 but wasn’t released to the public via OIG.gov last Friday.
The audit, which analyzed NOAA’s IT security program over the last six months of 2013 paints a sloppy picture, replete with lax policy interpretations and unimplemented critical security controls.
Report author Assistant Inspector General for Systems Acquisition Allen Crawley described one major incident where an attacker was able to use an employee’s personal device to transmit data from the NOAA through a remote connection to a “suspicious IP address.”
The data belonged to a satellite division of NOAA, the National Environmental Satellite, Data, and Information Service (NESDIS). And while the NOAA ultimately determined the machine had been infected with malware, it couldn’t investigate because the machine belonged to a contractor who refused to let the agency’s computer response team look at it.
Personal computer usage has long been admonished when dealing with companies’ IT infrastructure, let alone in a government agency context. It’s technically viewed as a violation of the Department of Commerce’s policy to access government systems on personal computers.
NESDIS’s stance on the topic is a bit hazy however. The report found that much of the service’s policy on telecommuting is ambiguous and contradicts the department’s overall policy. According to the report, it’s not clear under what circumstances users can connect their personal devices to NESDIS’s network. On top of that the systems “lack the necessary technical enforcement mechanisms.” It’s for these reasons that the report goes on to warn NOAA that its jeopardizing the security of its systems.
Despite it being a “government-wide requirement for high-impact systems,” NESDIS also fails to adequately enforce two-factor authentication on its system. Two NOAA entities, the Environmental Satellite Processing Center (ESPC) and Search And Rescue Satellite Aided Tracking (SARSAT) have yet to implement two-factor authentication, something which could leave its systems open to attacks. According to the report, NESDIS has no plans to incorporate two-factor authentication into their systems and even more problematic, “nor is it clear when NESDIS will comply,” with the requirement adds the report.
Elsewhere, the agency ”continues to struggle” when it comes to simply updating its systems’ security flaws in general.
NESDIS failed to appropriately patch vulnerabilities in the aforementioned ESPC and SARSAT in addition to its Polar-orbiting Operational Environmental Satellites (POES) and Geostationary Operational Environmental Satellites (GOES) systems. The systems are responsible for providing ground support to satellites transmitting critical weather forecasts and other warnings.
While SARSAT has been updated more frequently, according to the report, POES, GOES, and ESPC have “thousands of vulnerabilities.” Bafflingly enough, some of them have been publicly disclosed for “as long as 13 years.” For example: 50 percent of the vulnerabilities the audit found in POES were first identified by the OIG’s same audit in 2010. Unauthorized smart phone and USB drive usage were rampant on the three systems as well, Crawley said.
NESDIS admits in the report that its unable to update its software within the approved patch cycle however and that in return it’s left with “an inaccurate understanding of the security risks within each system.”
The NOAA is in charge of evaluating and predicting weather patterns, tides and other changes to climate, the ocean and the coast and sharing those statistics with other government agencies. When given the report the NOAA generally agreed with a handful of recommendations the OIG made to the agency to help secure its systems and its reportedly in the process of revising, expanding and replacing processes already in place going forward.
Agencies such as the NOAA and its services like NESDIS undergo an annual audit to ensure they comply with the Federal Information Security Management Act (FISMA) of 2002. The act mandates agencies shore up their IT sectors through the use of “cost-effective management, operational, and technical controls.”
It was just last month that the OIG called out the United States Citizenship and Immigration Service for failing to update what amounted to six years worth of Java patches. USCIS, which falls under the Department of Homeland Security, was given a handful of instructions by the audit including annual security assessments and more timely patch management.