Satellite weather forecast: Cloudy with a chance of p0wnage
Flaws found in ground control for Polar Satellite won't be fixed for TWO YEARS
Weather predictions could be thrown into chaos if miscreants exploited a litany of dangerous and years-old holes reported in ground control for the Joint Polar Satellite System (JPSS).
The flaws, of which 12,703 are considered high risk, have been detailed in a US Government audit report that examined the state of security of the "high impact IT" ground control system of the JPSS and the Suomi National Polar-orbiting Partnership.
The JPSS is the latest US polar-orbiting environmental satellite and provides data for weather forecasts and climate monitoring.
Allen Crawley, the US Department of Commerce's assistant inspector general for systems acquisition and IT security, found shocking flaws in the NASA and National Oceanic and Atmospheric Administration's (NOAA's) ground control station.
"As a result, few security controls are fully implemented and many high-risk vulnerabilities exist within the system," Crawley wrote in a report (pdf).
"Software used by the JPSS system contains vulnerabilities that have been publicly known for several years. Software tools to exploit several of these vulnerabilities are available on the internet.
"[Since 2012] the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities."
Some flaws, including nasty ones, have persisted for years due in part to contractors having a four-year reprieve in 2010 from addressing any security flaws while the station was repurposed from a research project to the JPSS.
High risk vulnerabilities were defined as "relatively easy" for attackers to exploit and cause "significant disruption" to "critical data used in weather forecasting and climate monitoring".
Only a quarter of National Institute of Standards and Technology security controls were fully implemented at the station between fiscal years 2012 and 2013.
Worse, the majority of the security vulnerabilities identified won't be fixed for a further two years despite policy stating high-risk holes must be fixed within a month of being discovered.
In the past, it took up to 14 months for some patches to be applied and more than a year for holes identified in penetration tests to be fixed. Management confessed that IT maintenance in 2011 was suspended for almost a year.
Old holes include more than 9100 high risk unpatched vulnerabilities, bad configurations and unnecessary operating system and software privileges. 3600 password and audit settings not in-line with JPSS policy and three holes identified but not fixed in 2012 penetration tests are also present.
These holes could be fixed with only minor alteration to the ground control systems, according to the report.
Crawley recommended the station bin its failed bi-annual maintenance cycle and fix the high risk holes pronto before meteorologists begin reporting snowfall in the Alice.
"[High-risk vulnerabilities] could lead to a disruption of NOAA’s ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring. The importance of remediating these vulnerabilities justifies addressing them outside the regular cycle of maintenance deployments."
NOAA's security slap-down comes after it was revealed in July that a staffer had made off with data contained on their laptop which they refused to hand over. Auditors found insecure access to corporate systems by staff consumer devices and thousands of security vulnerabilities.®