According to the findings of an audit recently conducted by the Department of Commerce’s Office of the Inspector General (OIG), the Joint Polar Satellite System’s (JPSS) ground system is affected by a large number of high-risk vulnerabilities.
The JPSS ground system is used to collect data from several polar-orbiting weather satellites, and distribute the information to users worldwide. This system also provides command, control and data processing for current and future weather satellites.
However, the vulnerabilities identified in the system could impair technology controlling the United States’ next generation of polar-orbiting environmental satellites.
“Our analysis of the JPSS program’s assessments of system vulnerabilities found that, since FY 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities,” according to a memorandum from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, under secretary of commerce for oceans and atmosphere and NOAA administrator.
The system is considered to be a “High Impact” IT system for which the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect on organizational operations, organizational assets or individuals.
The audit, which analyzed NOAA’s IT security program, revealed a startling picture: the number of high-risk vulnerabilities rose from 14,486 in the first quarter of fiscal year (FY) 2012 to 23,868 in the second quarter of FY 2014.
“If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley wrote in the memorandum.
Some of the vulnerabilities found are difficult to patch, but many of the identified high-risk vulnerabilities can be fixed easily with only minor modifications to the current system. More than 9,100 instances of software versions have the following issues:
- Out-of-date software or software lacking security patches
- Insecurely configured software
- Unnecessary user privileges
Moreover, adjustments can be made to more than 3,600 instances of password and auditing settings that are incorrectly configured and do not meet JPSS policy standards, as well as to unnecessary software applications that need to be removed or disabled.
The system even included the “Heartbleed” vulnerability, which has since been remediated. Heartbleed is one of the biggest Internet vulnerabilities in recent history; it left a large number of cryptographic keys and private data, such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet exposed to hackers.
“In response to our draft memorandum, NOAA concurred with our recommendations,” Crawley wrote. “NOAA indicated that it had already implemented [a] recommendation [to use system update processes for quickly applying critical patches], explaining that it remediated the Heartbleed vulnerability during the third quarter of FY 2014.”
The issue is critical because numerous vulnerabilities within the JPSS software have been publicly known for years and, furthermore, tools that can be used to exploit many of them are available on the Internet.