Last month I wrote about some current cybersecurity concerns about satellite ground stations. That may seem rather exotic to many readers, but all of us rely on reasonably accurate weather predictions. Satellite cybersecurity problems would hurt all of us, but we can draw useful lessons from this episode.
The U.S. Commerce Department’s Inspector General is warning that the National Oceanic and Atmospheric Administration and its supporting contractor are neglecting the security of what they describe as “the nation’s next-generation polar-orbiting operational environmental satellite system”. They say it’s interwoven with a Department of Defense system to the point that the two are effectively one complex system. Vulnerabilities in one part affect the whole.
In Learning Tree’s Cloud Security Essentials course we talk about how the security of a complex system is limited by the weakest component. In this case the Commerce Department IG reported that the problems aren’t with the satellites themselves, the problems are in the servers and mobile devices on the network controlling the Joint Polar Satellite System or JPSS. As frequently happens when considering the cloud, BYOD and the haphazard use of mobile devices play a major role in the concerns.
The Commerce Inspector General issued a very critical report “Significant Security Deficiencies in NOAA’s Information Systems Create Risks in Its National Critical Mission” in mid July of this year. The report criticized the existing system security, the lack of security controls, and the need for improvements in independent security control assessments. It was subtitled “Final Report No. OIG-14-025-A”, but it wasn’t the IG’s final words on the subject.
Just over a month later a followup report appeared, “Expedited Efforts Needed to Remediate High-Risk Vulnerabilities in the Joint Polar Satellite System’s Ground System — Final Memorandum“.
The second report provides some background on how things got into a mess. The contractor began modifying the highly complex ground control system in 2010, but there was no requirement to begin implementing most of the system’s security controls until January 2014. That gave the system complexity a huge head start on the security controls!
There are some grim numbers in the reports, including the nearly 24,000 high-risk vulnerabilities in the JPSS ground system. A lot of existing vulnerabilities can be discovered over a period of four years. I would suspect that a large percentage of the cited vulnerabilities weren’t a matter of things being made worse, but were instead long existing problems we only recently discovered or figured out how to detect.
There are lessons here for all of us. I think the biggest is “Don’t get behind”. The JPSS security policy calls for high-risk vulnerabilities to be remediated within 30 days of their identification, and on a quarterly basis for moderate-risk and low-risk vulnerabilities. However, this analysis found that high-risk vulnerabilities required 11 to 14 months to be remediated.
It’s understandable how they couldn’t catch up, this was an ongoing project with operational events including satellite launches. And, for several years there was a dispute between the Air Force and NOAA as to who was responsible for the system’s security, leading to nothing being done.
So, let’s all learn from this. Let’s design security into our systems and our processes from the start.