Mohana Ravindranath | Nextgov | February 9, 2017

Watchdog: IT Issues May Have Caused NASA To Cook A Spacecraft


NASA doesn't know enough about the relationship between its IT systems and the physical systems they control, which could lead to dangerous incidents in both the cyber and physical worlds, a watchdog report suggests.

In one recent incident, a security patch inadvertently stopped the monitoring equipment in an engineering oven; the lack of monitoring caused a fire that destroyed some spacecraft hardware inside the oven. When the computer rebooted, it failed to activate an alarm, so the fire was undetected for about 3.5 hours, according to a report from NASA's Office of the Inspector General.

NASA has been modernizing some of its internal technology, partly by converting systems that needed manual valve adjustments or switch flipping so that those tasks can be done remotely, including for cooling systems, communicating with spacecraft and other operations.

But the agency still needs to define “which systems incorporate [operational technology] components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction,” the report concluded. It also still needs a centralized inventory for its OT systems and doesn't have a standard protocol for protecting them.


NASA has adopted some guidelines set by the National Institute of Standards and Technology, but hasn't yet incorporated the parts related to industrial control system security, the report said. Such measures might include “restricting physical access to the OT system network and devices using controls such as locks, card readers and security guards.”

Of more than 24 people the OIG interviewed, “only one had received any control system security training.”

“NASA is not well-positioned to meet the security demands of an evolving OT environment and is assuming unnecessary risk for critical agency systems and facilities with OT components,” the OIG report said. The agency has an enterprisewide information security plan, but it's not scheduled to be finalized until December 2019.

The OIG recommended NASA create security procedures for OT, and create a cyber and physical risk management oversight group, among other steps. NASA concurred, at least partially, with the recommendations.

This report followed another recent OIG report that dinged NASA for using cloud services that weren't certified through the FedRAMP process. The agency has improved since an audit conducted in 2013, but poor risk management has “prevented the agency from fully realizing the benefits of cloud computing and continue to leave agency information stored in cloud environments at unnecessary risk,” that report said.

Many services on NASA's registry "lacked authorizations to operate and were not covered by an IT system security plan," the report said. NASA was using some cloud services without putting them in the registry at all, and the chief information officer's team wasn't aware of—and had not approved—about 20.

The OIG recommended NASA ensure it complies with the requirement that “only approved cloud computing services be used and block access on NASA networks for unapproved services,” among other recommendations.
