NASA cybersecurity report: ISS, Hubble, Shuttle vulnerable when hackers penetrated NASA network


The office of NASA's Inspector General released a report this week titled "Inadequate Security Practices Expose Key NASA Network to Cyberattack," which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.

The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight program to reduce future risks.

From a related story in the Huntsville Times:

Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.

NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville's Marshall Space Flight Center, to make sure computers are secure.

And more about the past intrusions, directly from the NASA Inspector General's report:

We found that computer servers on NASA's Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network.

However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011.

Direct link to the Inspector General's cybersecurity audit here.

(thanks, Miles O'Brien)