Attackers were able to pilfer data from NASA’s Jet Propulsion Laboratory (JPL) in Southern California for almost one year before detection.
Security weaknesses allowed attackers to steal 500 megabytes of data from 23 files, including two containing restricted information related to the Curiosity rover Mars mission, according to a report in the Pasadena Star-News.
These attackers were able to use a credit card-sized computer and a compromised external user account, according to a report from the NASA Office of the Inspector General.
They operated for 10 months until the hack was discovered in April 2018.
As a result, NASA temporarily disconnected several space flight-related systems from JPL’s computer network.
In addition to this assault, attackers broke into JPL in 2009, 2011, 2014, 2016 and 2017.
Since 1959, the California Institute of Technology (Caltech) has been under contract with NASA to manage JPL, most prominently its research and development activities, but also its network security controls.
The report found that multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals.
“JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, we found the database inventory incomplete and inaccurate, placing at risk JPL’s ability to effectively monitor, report, and respond to security incidents,” the report said. “Moreover, reduced visibility into devices connected to its networks hinders JPL’s ability to properly secure those networks. Further, we found that JPL’s network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access. This shortcoming enabled an attacker to gain unauthorized access to JPL’s mission network through a compromised external user system. Additionally, NASA failed to establish Interconnection Security Agreements (ISA) to document the requirements partners must meet to connect to NASA’s IT systems and describe the security controls that will be used to protect the systems and data.”
The Inspector General’s report did offer some recommendations.
“To improve JPL network security controls, we recommended the Director of the NASA Management Office instruct the JPL Chief Information Officer (CIO) to: (1) require system administrators to review and update the ITSDB and ensure system components are properly registered and the JPL Cybersecurity/Identity Technologies and Operations Group (CITO) periodically review compliance with this requirement; (2) segregate shared environments connected to the network gateway and monitor partners accessing the JPL network; (3) review and update ISAs for all partners connected to the gateway; (4) require the JPL CITO to identify and remediate weaknesses in the security problem log ticket process and provide periodic aging reports to the JPL CIO; (5) require the JPL CITO to validate, update, and perform annual reviews of all open waivers; (6) clarify the division of responsibility between the JPL Office of the Chief Information Officer and system administrators for conducting routine log reviews and monitor compliance on a more frequent basis; (7) implement the planned role-based training program by July 2019; (8) establish a formal, documented threat-hunting process; and (9) develop and implement a comprehensive strategy for institutional IT knowledge and incident management that includes dissemination of lessons learned,” the report said. “We also recommended the NASA CIO include requirements in the pending IT Transition Plan that provide the NASA SOC with sufficient control and visibility into JPL network security practices.”