NASA’s Jet Propulsion Laboratory (JPL) may know how to send delicate equipment to Mars, but basic cybersecurity best practices appear to pose an issue for it. A comprehensive federal review has detailed an April 2018 security incident that compromised mission systems – stemming from multiple IT security-control weaknesses exposing NASA systems and data.

The review, released Tuesday and carried out by the U.S. Office of the Inspector General, said that the weaknesses “reduce JPL’s ability to prevent, detect and mitigate attacks targeting its systems and networks.”

Specifically, poor practices when it comes to network segmentation and third parties were source of a cyberattack in April 2018, OIG said.

In that incident, hackers targeted a Raspberry Pi computer that was not authorized to be attached to the JPL network, exploited it, and then proceeded to take advantage of the network’s lack of segmentation to find a network gateway and pivot deeper into the system.

Houston, We Have a Problem

The attack had deep-space repercussions (literally) that spread to mission control in Houston. The adversaries were able to move between various systems connected to the pwned gateway, including those involved in multiple JPL mission operations and the Deep Space Network (DSN), which is NASA’s international array of giant radio antennas that supports interplanetary spacecraft missions.

“As a result [of the hack], in May 2018 IT security officials from the Johnson Space Center (Johnson), which handles such programs as the Orion Multi-Purpose Crew Vehicle and International Space Station, elected to temporarily disconnect from the gateway due to security concerns,” OIG explained.

By properly segmenting a network, an organization creates boundaries an attacker can’t easily cross by eliminating connections to other systems. In contrast, JPL’s shared environment lacked appropriate security controls to prevent partners from accessing a variety of exploration and human space flight mission data, OIG said. In the attack, the adversaries were thus able to “gain unauthorized access to JPL’s mission network through a compromised external user system,” according to the report.

“Johnson officials were concerned the cyberattackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” OIG said. “At the same time, Johnson IT security officials discontinued use of DSN data because they were concerned it could be corrupted and unreliable.”

OIG added that “team coordination issues” got in the way of being able to contain and remediate the incident.

And, another issue that contributed to the success of the attack was a lack of visibility into JPL systems, according to OIG. JPL uses something called the Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network. While that’s a good approach in theiry, OIG found that the database inventory was incomplete and inaccurate.

“One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information,” the report noted. “Consequently, assets can be added to the network without being properly identified and vetted by security officials.

OIG added, “The [Raspberry Pi] device should not have been permitted on the JPL network without the JPL OCIO’s review and approval.”

Johnson reestablished its gateway connection to JPL in November 2018 and restored use of limited spacecraft data in March of this year. However, as of March, Johnson had not restored its use of all communications data from JPL and the DNS because of continuing concerns about its reliability, according to OIG.

Deep Vulnerabilities Throughout JPL

The OIG report also details other shortcomings that JPL is tasked with rectifying.

For instance, OIG said that NASA and JPL had failed to establish interconnection security agreements (ISAs) with partners, which lay out the requirements that partners must meet in order to be able to connect to NASA’s IT systems. These also describe the security controls that will be used to protect the systems and data.

Meanwhile, JPL hasn’t been timely in addressing security problems when they’re identified. For instance, log tickets, created in the ITSDB when a potential or actual IT system security vulnerability is identified, were sometimes not resolved for longer than 180 days, OIG found.

“While system administrators may request a waiver when they cannot resolve such tickets within six months, we found waivers were not reviewed annually as required, resulting in unnecessary waivers and potentially outdated compensating security controls that expose the JPL network to exploitation by cyberattacks,” OIG said.

Further, JPL system administrators have “misunderstood” their responsibilities.

At the time of OIG’s investigation, “JPL had not implemented a threat-hunting program recommended by IT security experts to aggressively pursue abnormal activity on its systems for signs of compromise, and instead rely on an ad-hoc process to search for intruders,” OIG found. “In addition, JPL had not provided role-based security training or funded IT security certifications for its system administrators.”

As if that weren’t enough, multiple JPL incident management and response practices don’t comply with standard recommendations, the report added.

For example, “unlike NASA’s Security Operations Center (SOC), JPL’s SOC does not maintain round-the-clock availability of IT security incident responders,” OIG said.

In addition to incident response potentially not being available after an attack, JPL’s processes for documenting and sharing cyber-threat information across JPL to help prevent future incidents “fall short,” according to the report.

NASA has described corrective actions it plans to take to address all of this, OIG said, noting that it will verify that they happen. One item regarding establishing better cybersecurity threat-hunting capabilities however remains outstanding, since NASA disagrees with OIG’s recommendation.

JPL and NASA have faced incidents in the past, in addition to the April 2018 attack that OIG lays out in its report. In December NASA admitted that it was hacked by an unauthorized intruder in October. However, that incident didn’t affect mission data or systems; it involved the compromise of personally identifiable information (PII) for thousands of employees, including Social Security numbers, after the hack of an HR database.