3rd Party Risk Management , Critical Infrastructure Security , Cyberwarfare / Nation-state attacks
Report Outlines 10 Years' Worth of Serious Incidents(@Ferguson_Writes) • June 21, 2019 NASA's Jet Propulsion Lab (Image: NASA)Hackers have repeatedly stolen valuable data - including launch codes and flight trajectories for spacecraft - from NASA's Jet Propulsion Laboratory in recent years, according to a new inspector general audit, which describes weak security practices.
See Also: Webinar | The Future of Adaptive Authentication in Financial Services
The audit report released this week by the space agency's Office of Inspector General finds that over the course of 10 years, the Jet Propulsion Laboratory, based in Pasadena, California, has been hacked numerous times, with individuals and nation-state actors stealing data about NASA's critical missions as well as other sensitive and proprietary information.
In 2018, for example, a hacker used a Raspberry Pi computer to access the lab's network, stealing 23 files that contained about 500MB of sensitive NASA data, the report found.
In addition to launch codes and flight trajectories, hackers have attempted to target NASA's research and development on earth science and advanced space technologies, the audit notes.
'Shadow IT' Problems
The report cites several examples of weak security practices. For example, it concludes that the Jet Propulsion Laboratory has a "shadow IT" problem - it does not keep rigorous track of what devices are connected to its network.
The inspector general also found that outside partners and contractors have access to a shared network at the lab, and the lab's IT and security departments do a poor job of segmenting this network to ensure that third parties don't have access to sensitive data.
Simpler times: NASA's Jet Propulsion Lab in the late 1950s (Image: NASA)"This shortcoming enabled an attacker to gain unauthorized access to JPL's mission network through a compromised external user system," according to the inspector general's summary of a 2018 incident involving the use of a Raspberry Pi.
Other issues the inspector general's report found include:
Problems with NASA's IT ticketing system that helps identify and resolve vulnerabilities in software meant that some critical patches were not applied for over 180 days. The agency does not have a threat-hunting program to aggressively look for threats to its network. NASA's Security Operations Center does not maintain around-the-clock availability of incident responders, and this team does not always follow federal guidelines, such as the those from the National Institute of Standards and Technology, for responding to a cybersecurity incident. The Jet Propulsion Laboratory's has a longstanding contract with the California Institute of Technology, which provides some IT and security management resources. But Caltech's staff did not clearly relay all cybersecurity issues from the lab up through the chain of command at NASA.In its conclusion, the inspector general recommends a series of improvements, including greater network segmentation to reign in third-party access, greater adherence to federal cybersecurity guidelines and improvement to the ticketing system to ensure vulnerabilities in software are patched faster.
NASA and the Jet Propulsion Laboratory agreed to make nine out of the 10 recommendations that the report laid out. The only improvement that the agency will not make at this time is the creation of a threat-hunting team, the report notes.
10 Years' Worth of Hacks
Nor surprisingly, NASA and its Jet Propulsion Laboratory are a rich target for all kinds of hackers, whether they are working for nation-states or operating on their own, the audit finds.
The agency and its lab not only house a vast amount of data that is targeted by hackers, but NASA's openness to working with third parties and outside researchers - especially those connected with Caltech - means that it leaves itself more open to attack than more closed federal agencies, the report notes.
"The agency's substantial connectivity with nongovernmental educational and research institutions also presents cybercriminals with a larger, more attractive target than most other government agencies and offers cyberattackers multiple points of entry into the agency's various networks," according to the report.
The combination of openness and a lack of adequate controls for which devices and individuals have access to its network led to several incidents at the Jet Propulsion Laboratory between 2008 and 2018, the reports finds. In one 2011 case, hackers gained full access to 18 servers that supported several key NASA mission and stole 87GB worth of data, the inspector general found.
In 2018, an account belonging to an external user was compromised, providing access to a "major mission systems." In this case, the attacker used a Raspberry Pi, a small computer about the size of a credit card, to access the network and take 500MB of data, the report notes.
This particular incident at the lab got the notice of other NASA officials, who were concerned that an attacker could access one network and then move laterally across the entire agency's IT systems, putting mission critical operations in danger, the inspector general notes.
Unauthorized access to the lab's network, coupled with NASA's inability to respond faster, is a significant cause for concern, says Matt Walmsley, a director at Vectra, a San Jose, California-based threat detection and response firm.
"There has been a failing of appropriate policy definition and demonstrable compliance issues," Walmsley says. "There have been technical gaps, which have rendered JPL oblivious to devices connected to their network and left them nearly blind to indicators of active attackers who have defeated access and preventive controls and are now operating inside their network with impunity."
Restoring Trust
Despite the inspector general's issues with Caltech and how it's handled some of the cybersecurity incidents at the Jet Propulsion Laboratory, NASA signed a new, five-year agreement with the university to provide more IT and security services, the report notes.
Ultimately, NASA's leadership must do more to protect the its IT assets and data, the report concludes.
"NASA is responsible for ensuring its IT assets are protected from unauthorized or inappropriate access, including assets on the JPL network managed by Caltech pursuant to NASA's contract with the university," the report states. "Improvements to JPL's security controls and increased oversight by NASA is crucial to ensuring the confidentiality, integrity and availability of agency data."