“Our analysis of the JPSS program’s assessments of system vulnerabilities found that, since FY 2012, the number of high-risk vulnerabilities in the system had increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities,” reports a memorandum from Allen Crawley, assistant inspector general for systems acquisition and IT security, to Kathryn Sullivan, under secretary of commerce for oceans and atmosphere and NOAA administrator.
The number of high-risk vulnerabilities identified during the assessments conducted in the last couple of years is amazing, it rose from 14,486 in the first quarter of the fiscal year (FY) 2012 to 23,868 in the second quarter of FY 2014 (+ 165%).
“If exploited, these [high-risk] vulnerabilities may make it possible for attackers to significantly disrupt the JPSS mission of providing critical data used in weather forecasting and climate monitoring,” Crawley states in the memorandum.
Due to the nature of satellite systems and their life-cycle, some of the vulnerabilities discovered by the security experts are difficult to fix.
Fortunately, many of the identified high-risk flaws can be fixed with a little effort to apply minor alterations to the NOAA systems, for example correctly configuring more than 3,600 instances of password and auditing settings.
The vulnerability assessment revealed that:
- More than 9,100 instances of high-risk vulnerabilities identified by vulnerability scans, including (a) out-of-date software versions or missing security patches, (b) insecurely configured software, and (c) unnecessary user privileges within the operating systems and software.
- More than 3,600 instances where password and auditing settings need to be configured in accordance with JPSS policy.
- Unnecessary software applications that need to be removed or disabled.
- Three outstanding vulnerabilities identified by penetration testing conducted in June 2012.
The experts at NOAA received the recommendations in the memorandum implementing for them the necessary fix, like is
happened for a
Heartbleed vulnerability that was remedied during the third quarter of
FY 2014.