Computer servers on NASA's agency-wide mission network have high-risk vulnerabilities that can be exploited from the internet, a US government report has revealed.
"Until NASA addresses these critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations and personnel," says the US Office of Inspector General (OiG) report.
The report, which is titled Inadequate Security Practices Expose Key NASA Network to Cyber Attack, says inspectors found six servers involved in spacecraft control vulnerable to remote attacks that could render them inaccessible or compromise them entirely.
Once inside the agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses, which could severely degrade or cripple NASA's operations, the report says.
Inspectors reported network servers that revealed encryption keys, encrypted passwords and user account information to potential attackers.
The report blames NASA's failure to assess and mitigate risks to its agency-wide mission network and slowness to assign responsibility for IT security oversight to ensure the network is adequately protected.
In a May 2010 audit report, the OiG recommended that NASA immediately establish an IT security oversight programme for this key network, but the recommendation has not yet been implemented, the report says.
Investigators say NASA needs to establish an IT oversight programme, identify internet-accessible computers, mitigate risks, and conduct an IT security risk assessment to ensure all threats are identified and addressed.