NASA OIG Finds Pervasive Problems With JPL Cybersecurity
NASA OIG: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory
“Multiple IT security control weaknesses reduce JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks, thereby exposing NASA systems and data to exploitation by cyber criminals. … We also found that security problem log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were not resolved for extended periods of time – sometimes longer than 180 days. … Further, we found that multiple JPL incident management and response practices deviate from NASA and recommended industry practices. … Finally, while the contract between NASA and Caltech requires JPL to report certain types of IT security incidents to the Agency through the NASA SOC incident management system, no controls were in place to ensure JPL compliance with this requirement nor did NASA officials have access to JPL’s incident management system. Collectively, these weaknesses leave NASA data and systems at risk. Despite these significant concerns, the contract NASA signed with Caltech in October 2018 to manage JPL for at least the next 5 years left important IT security requirements unresolved and instead both sides agreed to continue negotiating these issues. As of March 2019, the Agency had not approved JPL’s plans to implement new IT security policies and requirements NASA included in its October 2018 contract.”
NASA Needs A New Chief Information Officer, earlier post
“NASA’s CIO has been asleep at the wheel for years. Its time for a reboot.”
Which is ironic, since JPL security in general is intrusive to the point of significantly interfering with their work. Both for computer and physical security, I really think they just like being seen, obviously and visibly, paying attention to security. Whether or not it’s effective may not be relevant. It’s a, “What we do is clearly important because we need to have a big lock on the door,” attitude.
Computer security has its challenges at other NASA centers as well. We can no longer access NASA email except from a NASA computer. Linking anything nonstanddard to the network requires an IT security plan that is likely to be cost prohibitive.
I can understand security requirements which interfere with getting things done. But it would be nice if they were limited to things which require that level of security, and if they actually work. I can also understand poor security if that’s necessary for a desired level of openness and accessibility. But this OIG report implies the worst of both worlds.
Is there an industry study or recognized standard that establishes the optimal tradeoff between the cost of overly weak security and the productivity lost to overly strong security? That would be useful, if it hasn’t been done.