NASA doesn't know enough about the relationship between its IT systems and the physical systems they control, which could lead to dangerous incidents in both the cyber and physical worlds, a watchdog report suggests.
In one recent incident, a security patch inadvertently stopped the monitoring equipment in an engineering oven; the lack of monitoring caused a fire that destroyed some spacecraft hardware inside the oven. When the computer rebooted, it failed to activate an alarm, so the fire was undetected for about 3.5 hours, according to a report from NASA's Office of the Inspector General.
NASA has been modernizing some of its internal technology, partially by converting systems that needed manual valve adjustments or switch flipping so that those tasks can be done remotely, including for cooling systems, communicating with spacecraft and other operations.
But the agency still needs to define "which systems incorporate [operational technology] components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction," the report concluded. It also still needs a centralized inventory for its OT systems and doesn't have a standard protocol for protecting them.
NASA has adopted some guidelines set by the National Institute of Standards and Technology, but hasn't yet incorporated the parts related to industrial control system security, the report said. Such measures might include “restricting physical access to the OT system network and devices using controls such as locks, card readers and security guards.”
Of more than 24 people the OIG interviewed, "only one had received any control system security training."
"NASA is not well-positioned to meet the security demands of an evolving OT environment and is assuming unnecessary risk for critical agency systems and facilities with OT components," the OIG report said. The agency has an enterprisewide information security plan, but it's not scheduled to be finalized until December 2019.
The OIG recommended NASA create security procedures for OT, and create a cyber and physical risk management oversight group, among other steps. NASA concurred, at least partially, with the recommendations.
This report followed another recent OIG report that dinged NASA for using cloud services that weren't certified through the FedRAMP process. The agency has improved since an audit conducted in 2013, but poor risk management has "prevented the agency from fully realizing the benefits of cloud computing and continue to leave agency information stored in cloud environments at unnecessary risk," that report said.
Many services on NASA's registry "lacked authorizations to operate and were not covered by an IT system security plan," the report said. NASA was using some cloud services without putting them in the registry at all and the chief information officer's team wasn't aware of—and had not approved—about 20.
The OIG recommended NASA ensure it complies with the requirement that "only approved cloud computing services be used and block access on NASA networks for unapproved services," among other recommendations.