An official audit of NASA’s network has concluded that the space agency faces a high risk of cyberattack.
Experts from the Office of the Inspector General (OIG) paint a grim picture of the state of the space agency’s server infrastructure, warning that vulnerabilities in its systems leave it open to defacement, denial of service or information-stealing attacks.
In particular, six unnamed IT systems were found to be at risk to attacks that might allow hackers to seize remote control of critical systems over the net – which included systems that control spacecraft – as a result of unpatched software vulnerabilities. The OIG’s report (24-page PDF/703 KB, extract of conclusions below) also warns that sensitive account information is poorly protected and wide open to extraction for any attackers who make it past NASA’s perimeter defences.
We found that computer servers on NASA’s Agency-wide mission network had high-risk vulnerabilities that were exploitable from the internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable.Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks.
Auditors criticised NASA for failing to apply an agency-wide computer security program they recommended following the previous review last May.
As Nature notes, the security vulnerabilities are a concern particularly because NASA has been the frequent victim of cyberattacks in the past. For example, hackers extracted 22 GB of data from the servers of NASA’s Jet Propulsion Laboratory in Pasadena, California back in 2009.
The space agency said it had already fixed the vulnerabilities identified by the OIG’s auditors. NASA managers promised to apply a consistent security policy across the agency.