High-Risk flaws affect the NOAA Satellite System JPSS

The NOAA JPSS System is affected by thousands vulnerabilities, according to a memorandum from the Department of Commerce’s Office of the Inspector General.

The Satellite systems at NOAA (National Oceanic and Atmospheric Administration) are affected by thousands of severe vulnerabilities that could be exploited by threat actors hit them.

The disconcerting news refers the findings of an audit conducted by the Department of Commerce’s Office of the Inspector General (OIG), the bureaus has recently examined Joint Polar Satellite System’s (JPSS) ground system discovering a series of major flaws.

The NOAA JPSS in an example of the next generation of polar-orbiting environmental satellites, its ground system is used to collect data from several polar-orbiting weather satellites, and provide the information to the users. The JPSS infrastructure is also used control and process data for current and future weather satellites.

The NOAA JPSS is ranked as a “High Impact” IT system because any attack could cause catastrophic effects on organizational operations and individuals.

“Our analysis of the JPSS program’s assessments of system vulnerabilities found that, since FY 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities,” reports a memorandum from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, under secretary of commerce for oceans and atmosphere and NOAA administrator.

The number of high-risk vulnerabilities identified during the assessments conducted in the last couple of years is amazing, it rose from 14,486 in the first quarter of the fiscal year (FY) 2012 to 23,868 in the second quarter of FY 2014 (+ 165%).

j1

If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley states in the memorandum.

Due to the nature of satellite systems and their life-cycle, some of the vulnerabilities discovered by the security experts are difficult to fix.

Fortunately, many of the identified high-risk flaws can be fixed with a little effort to apply minor alterations to the NOAA systems, for example correctly configuring more than 3,600 instances of password and auditing settings.

The vulnerability assessment revealed that:

  • More than 9,100 instances of high-risk vulnerabilities identified by vulnerability scans, including (a) out-of-date software versions or missing security patches, (b) insecurely configured software, and (c) unnecessary user privileges within the operating systems and software.
  • More than 3,600 instances where password and auditing settings need to be configured in accordance with JPSS policy.
  • Unnecessary software applications that need to be removed or disabled.
  • Three outstanding vulnerabilities identified by penetration testing conducted in June 2012.

The experts at NOAA received the recommendations in the memorandum implementing for them the necessary fix, like is happened for a Heartbleed vulnerability that was remedied during the third quarter of FY 2014.

 

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X