Editorial | A Breach Waiting To Happen

by

The U.S. National Oceanic and Atmospheric Administration has literally let its guard down with respect to its polar-orbiting weather satellite program.

According to an Aug. 21 report by the U.S. Commerce Department’s Office of Inspector General — released, interestingly, at the height of hurricane season — the ground segment for NOAA’s Joint Polar Satellite System is rife with vulnerabilities that the agency’s software engineers have been too slow to fix. Despite the fact that most of the security gaps are relatively easy to close through software updates and other measures, many have remained open for more than a year, whereas program requirements specify 30 days. The report cited 9,100 instances in which the system was exposed in some way for some period of time.

Clearly the JPSS ground segment has not been getting the attention it requires. Although it probably isn’t possible to completely eliminate vulnerabilities for such a complex piece of infrastructure, the issues outlined in the report argue for a reordering of NOAA’s priorities.

Hardly a day passes without news of a major network security breach, be it in the government or private sector. The government, the military in particular, rarely misses an opportunity to highlight the relentless threat posed by armies of faceless hackers around the world who are out to steal money or national or industrial secrets, or to simply create cybermayhem. 

Satellite networks have the same vulnerabilities as other computer networks, government and industry officials say, though they generally decline to be specific. However, NASA has publicly acknowledged incidents in which unauthorized signals were transmitted to at least two of its Earth observation satellites, one of which closely resembles a weather satellite, in 2007 and 2008.

That makes the vulnerabilities outlined in the inspector general’s report all the more troubling. Satellites, particularly those that perform critical functions, make tempting, high-profile targets for cybertroublemakers, whatever their cause. It is all too easy to imagine a security breach disrupting the collection or distribution of weather forecasting information.

The report noted that the current JPSS ground system was designed for a satellite that was originally intended as an instrument test bed for a civil-military program, meaning it carried less-stringent security requirements. But that’s not terribly reassuring: The fact that the Suomi NPP precursor satellite would have to assume an operational role following the cancellation of the National Polar-orbiting Operational Environmental Satellite System was known well in advance of its October 2011 launch. Besides, as the report noted, the number of “high-risk” security gaps increased by 66 percent since 2012.

It does appear that the problem has gotten NOAA’s attention — the agency said in its response to the report that it has begun taking steps to more quickly resolve security issues as they crop up. It should not have taken a stinging inspector general’s report to spur the agency to action, but as the saying goes, better late than never.

For its part, JPSS ground system prime contractor Raytheon said a new system “that will meet current stringent Federal security requirements” will be in place by October 2015, some two years ahead of the scheduled launch of the JPSS-1 satellite, which is similar in design to the Suomi NPP craft.

Let’s hope so. 

But in the meantime, Congress and the White House, who agree on the indispensability of weather satellites — if nothing else — should give NOAA whatever it needs to beef up JPSS system security, and stay on top of the agency to ensure that the job gets done sooner rather than later.