
OIG: NASA's Operational Technology Systems Are Inadequate and Disjointed

By Keith Cowing
NASA Watch
February 8, 2017

NASA OIG: Audit of Industrial Control System Security within NASA’s Critical and Supporting Infrastructure
“Despite its significant presence across the Agency and its criticality to the success of the Agency’s multi-faceted mission, NASA has not adequately defined OT [operational technology], developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components. NASA needs to know which systems incorporate OT components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction. … NASA also lacks an integrated approach to managing risk associated with its critical infrastructure that incorporates physical and cyber security considerations in all phases of risk assessment and remediation. Specifically, the security of physical and cyber components of NASA’s critical assets is managed with minimal collaboration among key Agency stakeholders and does not involve the Office of Strategic Infrastructure, which manages the supporting infrastructure associated with critical assets. This disjointed approach has led to duplication of effort and gaps in security planning and risk remediation at both the Agency and Center levels.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

2 responses to “OIG: NASA's Operational Technology Systems Are Inadequate and Disjointed”

  1. Michael Spencer says:

    Keith: Careful readers are on to your trick of running the same story over and over and over…:-)

  2. Daniel Woodard says:

    Hot dog! An OIG report that identifies a real problem! Applying inflexible IT desktop standards to embedded electronics wastes time and money. And here is a precious quote, maybe the first time I have seen it:

    “a system inaccurately categorized as ‘high risk’ may be allocated unnecessary security resources”

    Yes, it’s true! More is not better. As NIST very accurately points out, IT security precautions should not be “one size fits all” but rather be dictated by things called “technical understanding”, “practical experience” and “common sense”. Do we have to spend $100K to replace a piece of shop equipment controlled by a 386 if it is still working and not even on the network, because the computer security plan only covers Windows 7?

    Unfortunately the OIG report seems to be oriented toward even more centralized decision making. We will have to see how and if changes are made. It’s very hard for any manager to say that local users should have more flexibility.