Thousands of Vulnerabilities in NOAA Satellite System


A Memorandum released last week by the Office of Inspector General revealed that numerous “High-Risk” security vulnerabilities were found in the Joint Polar Satellite System’s (JPSS) Ground System.

According to the report, a security audit of NOAA’s Information Technology security program found serious security issues with the JPSS Ground System, which gathers information from weather satellites and provides it to worldwide users. It also provides command and control for current and future weather satellites.

The system is considered a “High Impact” IT system, or a system “for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets or individuals.”

The report showed that the number of High-Risk vulnerabilities rose from 14,486 in the first quarter of 2012 to 23,868 in the second quarter of 2014:

[Chart: JPSS Ground System Vulnerabilities]

As you can see from the chart, the count has gone up and down over the last couple of years as vulnerabilities have been found and patched. But overall, the current number of vulnerabilities is about 2/3 higher than at the beginning of 2012.

High-Risk vulnerabilities are defined in the report as ones that are “relatively easy for attackers to exploit and gain control over system components.” The vulnerabilities found seem to be the same kinds that would be found in any corporate security audit, and include the following issues:

  • Out of date software or missing security patches
  • Insecurely configured software
  • Unnecessary user privileges
  • Passwords and auditing settings do not meet policy standards
  • Unnecessary software applications that need to be removed or disabled

The issues found even included the “Heartbleed” vulnerability, which has since been remediated.

The numerous other vulnerabilities are of major concern, and the software tools to exploit some of the vulnerabilities are publicly available. For the full report, check out the “Correspondence” PDF link on the Inspector General page.

~ by D. Dieterle on August 27, 2014.
