Mohana Ravindranath | Nextgov | February 9, 2017

Watchdog: IT Issues May Have Caused NASA To Cook A Spacecraft


NASA doesn't know enough about how its IT systems relate to the physical systems they control, which could lead to dangerous incidents in both the cyber and physical worlds, a watchdog report suggests.

In one recent incident, a security patch inadvertently stopped the monitoring equipment in an engineering oven; the lack of monitoring caused a fire that destroyed some spacecraft hardware inside the oven. When the computer rebooted, it failed to activate an alarm, so the fire was undetected for about 3.5 hours, according to a report from NASA's Office of the Inspector General.

NASA has been modernizing some of its internal technology, partially by converting systems that needed manual valve adjustments or switch flipping so that those tasks can be done remotely, including for cooling systems, communicating with spacecraft and other operations.

But the agency still needs to define “which systems incorporate [operational technology] components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction,” the report concluded. It also still needs a centralized inventory for its OT systems and doesn't have a standard protocol for protecting them.


NASA has adopted some guidelines set by the National Institute of Standards and Technology, but hasn't yet incorporated the parts related to industrial control system security, the report said. Such measures might include “restricting physical access to the OT system network and devices using controls such as locks, card readers and security guards.”

Of more than 24 people the OIG interviewed, “only one had received any control system security training.”

“NASA is not well-positioned to meet the security demands of an evolving OT environment and is assuming unnecessary risk for critical agency systems and facilities with OT components,” the OIG report said. The agency has an enterprisewide information security plan, but it's not scheduled to be finalized until December 2019.

The OIG recommended NASA create security procedures for OT, and create a cyber and physical risk management oversight group, among other steps. NASA concurred, at least partially, with the recommendations.

This report followed another recent OIG report that dinged NASA for using cloud services that weren't certified through the FedRAMP process. The agency has improved since an audit conducted in 2013, but poor risk management has “prevented the agency from fully realizing the benefits of cloud computing and continue to leave agency information stored in cloud environments at unnecessary risk,” that report said.

Many services on NASA's registry "lacked authorizations to operate and were not covered by an IT system security plan," the report said. NASA was using some cloud services without putting them in the registry at all, and the chief information officer's team wasn't aware of—and had not approved—about 20.

The OIG recommended NASA ensure it complies with the requirement that “only approved cloud computing services be used and block access on NASA networks for unapproved services,” among other recommendations.
