FEDweek IT

Information systems connected to the National Environmental Satellite, Data, and Information Service’s critical satellite ground support systems increase the risk of cyber attacks, the Commerce Department’s inspector general has said.

It said the Polar-orbiting Operational Environmental Satellites’ (POES) and Geostationary Operational Environmental Satellites’ (GOES) mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, making these critical assets more vulnerable to being hacked.

Further, NESDIS’ inconsistent implementation of mobile device protections increases the likelihood of a malware infection, according to the IG.

It said a review of selected Windows components on four NESDIS systems found that unauthorized mobile devices had been connected to POES, GOES, and the Environmental Satellite Processing Center (ESPC), and that GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.

The IG also said NESDIS did not appropriately remediate vulnerabilities, implement required remote access security mechanisms, or implement secure configuration settings control on IT products.

Among the IG’s recommendations were for NOAA to conduct a risk assessment of NESDIS’ interconnections and to implement security mechanisms to protect against the use of unauthorized mobile devices. Other improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous, according to the report.