Written by: Brandon C.
The National Oceanic and Atmospheric Administration (NOAA) is running its systems in a way that leaves them at high risk of cyber-attacks. The Department of Commerce’s Office of the Inspector General (OIG) found that the Joint Polar Satellite System’s (JPSS) ground system is highly vulnerable to a large number of cyber-attacks. JPSS is a system that collects data from weather satellites and distributes the information to users worldwide. The system is planned to be used on more satellites in the near future.
“Our analysis of the JPSS program’s assessments of system vulnerabilities found that, since FY [fiscal year] 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities,” according to a memorandum from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, undersecretary of commerce for oceans and atmosphere and NOAA administrator. JPSS is considered a “High Impact” IT system, which means that a compromise could have a catastrophic effect on organizational operations and organizational assets. The audit, which investigated NOAA’s IT security program, found some frightening numbers: the number of high-risk vulnerabilities rose from 14,486 in the first quarter of FY 2012 to 23,868 in the second quarter of FY 2014. “If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley wrote in the memorandum.
Some, but not all, of the vulnerabilities found are hard to patch. Most can be fixed easily with minor modifications to the current system. More than 9,100 software issues stem from out-of-date software, missing security patches, insecurely configured software and unnecessary user privileges. In over 3,600 instances, the password and audit settings are not properly configured. There were also a number of software applications that need to be removed or disabled. The Heartbleed vulnerability is included in this long list. Heartbleed is a vulnerability that leaves cryptographic keys and private data such as usernames, passwords, and credit card numbers at risk. “In response to our draft memorandum, NOAA concurred with our recommendations, NOAA indicated that it had already implemented [a] recommendation [to use system update processes for quickly applying critical patches], explaining that it remediated the Heartbleed vulnerability during the third quarter of FY 2014,” wrote Crawley.