Pentagon Weather Satellites Raise Hacking Vulnerability, Watchdog Finds
Posted at 9:54 a.m. on July 29, 2014
No one has ever done a security assessment of a Defense Department weather satellite program used by the Pentagon to monitor potential battlefield conditions, according to an inspector general report. In fact, there might never be a security assessment to make sure it meets DOD’s standards. And because that system is interwoven with another program run by the National Oceanic and Atmospheric Administration, the interweaving makes the NOAA program more vulnerable to hacking.
The report was released by the Commerce Department’s IG after a Freedom of Information Act request by Greenwire. The close links between the U.S. Air Force’s Defense Meteorological Satellite Program and a system of NOAA weather satellites put both at risk, the report found. They are interwoven “to the point where they are virtually one system. Specifically, there is no physical or logical separation between the systems (i.e., the systems operate on the same network and data can flow between the systems); they share support personnel, and they share some of the same support services and IT security controls.
“This interweaving means that deficiencies in one system’s security posture will drastically affect the other system’s security,” the report states. “Unfortunately, because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments of DMSP. Ultimately, USAF and NOAA determined in 2010 that USAF was responsible for DMSP. However, USAF has yet to fulfill its responsibilities by determining DMSP’s security posture and ensuring that the system meets the Department’s security requirements.”
What little security assessment has been done hasn’t been promising, the IG report notes. When the NOAA satellites were being assessed in fiscal year 2013, the assessors inadvertently scanned parts of the Defense system and found vulnerabilities like weak passwords or operating systems that had well-documented holes for which fixes had been available for a decade or more.
And the systems won’t be separated for years more, at best, per the report. And the Air Force isn’t going to do any security assessment for a while.
“Further, USAF does not plan to conduct an assessment of DMSP’s security posture until it completes a technology refresh in 2016 (i.e., replace DMSP’s legacy hardware and software components),” the report states. “However, there is doubt that the refresh will occur because of the USAF’s funding constraints.”
If it sounds like some of this information is sensitive, Greenwire reports at the end of its story:
The IG’s office did not initially release the report — and instead referred the public to the FOIA process — because of concerns from NOAA officials that it contained classified information about the Defense Meteorological Satellite Program. Once the Air Force had confirmed that all the report’s information was unclassified, the IG released it in full.