NASA warned computer security amid insider threat risk
The vast majority of NASA’s computer systems “many of which contain high-value assets or critical infrastructure” are not covered by its current insider threat program, its watchdog has warned, calling for action.
This is because NASA’s Insider Threat Program only applies to classified systems and the vast majority of IT assets do not fall under this designation, meaning they are exempt from monitoring user activity. classified curriculum, insider threat training and expanded procurement disclosure requirements.
In a report released this month, NASA’s Office of Inspector General (OIG) noted that NASA’s insider risk exposure from insider threats is “significant and varied” – acknowledging that “issues staffing limitations, technological resource limitations and lack of funding to support such expansion”. [of the classified designation across IT systems] it should be tackled. (NASA’s total budget for fiscal year 2021 was $23.3 billion).
In a warning call that merits broader reflection in the corporate world, the OIG highlighted the “interdisciplinary challenges surrounding cybersecurity expertise” – noting that at NASA, unclassified systems responsibilities are largely shared between the Office of Protective Services and the Office of the CIO.
“In addition, Agency contracts are managed by the Office of Procurement, while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key insights into weak points or gaps in business processes. and cybersecurity…”
NASA insider threat warnings come after Raspberry Pi incident
In April 2018, unknown hackers hacked into the NASA network and stole data related to Mars missions – using a Raspberry Pi device connected to NASA’s Jet Propulsion Laboratory (JPL) computer network without senior management authorization of technology. The OIG said it should have required JPL CIO approval.
In a June 2019 report following this incident, the OIG painted a disturbing and lax cybersecurity picture at NASA, stating, “JPL has established a network gateway to allow external users and partners , including foreign space agencies, contractors and educational institutions. , remote access to a shared environment for specific missions and data. However, JPL did not properly segregate individual partner environments to limit users only to systems and applications to which they had approved access.
“The cyberattacker in the April 2018 incident exploited the lack of segmentation of the JPL network to move between various systems connected to the gateway, including multiple JPL mission operations and the DSN.
Surprisingly, IT security officials at Johnson Space Center (Johnson), which operates the International Space Station among other NASA projects, were so concerned that they “chose to temporarily disconnect from the Gateway due to security issues. Johnson officials were concerned that cyberattackers could move laterally from the Gateway to their mission systems, potentially gaining access to and launching malicious signals to human spaceflight missions that use those systems. At the same time, Johnson’s IT security officials stopped using DSN data because they feared it was corrupt and unreliable,” OIG warned in its 2019 report.
Regarding the fight against NASA’s insider threat, the OIG called on the space agency to “enhance cross-disciplinary communication by creating a working group that includes the Office of Protective Services (OPS), the Office of the CIO, Office of Procurement, Human Resources Managers and any other relevant Agency offices to collaborate on issues related to large scale insider threats to classified and unclassified systems.