Updated at 4:35 p.m. EDT
WASHINGTON — Ground stations for the United States’ next civilian polar-orbiting weather satellite system contain several “significant” and high-risk vulnerabilities that would-be attackers could exploit, according to a new report from a U.S. government watchdog.
The U.S. National Oceanic and Atmospheric Administration is taking far too long to address these vulnerabilities, according to the report by the U.S. Commerce Department’s Office of Inspector General. NOAA is part of the Commerce Department.
In the Aug. 21 report, delivered to NOAA Administrator Kathryn Sullivan, the inspector general said many of the security problems with the Joint Polar Satellite System (JPSS) ground network require minor fixes, such as updating software or applying security patches. But NOAA has often taken 11 to 14 months to fix the software, far longer than the three months the inspector general recommended and the 30 days spelled out in the JPSS system requirements.
In all, the report cited 9,100 instances where the JPSS ground network was left exposed by out-of-date software, missing security patches, incorrectly configured software or unnecessarily granted user privileges.
The JPSS is the nation’s next generation of polar-orbiting weather satellites, used for short-term weather forecasts and long-term climate monitoring. The first JPSS satellite is slated for launch in 2017, but a precursor satellite dubbed Suomi NPP launched in 2011 and is being used operationally.
“The remediation of high-risk vulnerabilities is critical to the continued success of the JPSS mission and should have a high priority,” the report said. “The more high-risk vulnerabilities that exist in the system, the higher the probability is that an attacker could compromise it. This could lead to a disruption of NOAA’s ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring.”
Despite recent efforts to limit the vulnerabilities, the number of “high-risk” security gaps has increased by nearly 66 percent since 2012, the report said. If exploited, those vulnerabilities would allow attackers to “significantly disrupt” the JPSS mission, the report said.
The report followed up on a broader security audit by the inspector general in July that found that NOAA’s satellite data system is facing increased risks of cyberattacks, including malware, and needs more rigorous security controls.
Raytheon Intelligence, Information and Services of Dulles, Virginia, is the prime contractor for the JPSS ground system. Working with NOAA, NASA manages the JPSS ground station network.
The August report noted that the JPSS ground segment was originally designed for a precursor mission to the National Polar-orbiting Operational Environmental Satellite System, a civil-military project that was canceled due to delays and massive cost overruns. That was a likely reference to the Suomi NPP craft, which was originally intended to be a sensor testbed for the civil-military system but wound up being placed in an operational role.
“The ground system now in place was not originally intended to support operational satellites nor was it designed to meet Department of Commerce IT [information technology] security requirements,” the report said. “Few security controls are fully implemented and many high-risk vulnerabilities exist within the system.”
NOAA officials said in their response to the report that they have started working to more quickly limit the ground station vulnerabilities.
In an Aug. 27 statement, Raytheon said it agreed that enhancements were needed and that security measures were not as robust as they were in 2006, when the system deployed.
“A new JPSS ground control system, which will meet current stringent Federal security requirements, is being developed and will be deployed in October 2015,” the statement read. “In the past several years, Raytheon has remediated vulnerabilities on the deployed system consistent with NOAA’s remediation action plans and requirements necessary for continued operation. We are committed to continuing to address vulnerabilities in the current system and delivering the next generation system in approximately 13 months.”