Security vulnerabilities endanger NOAA's Joint Polar Satellite System. (NOAA illustration)
A key satellite operations and data collection system at the National Oceanic and Atmospheric Administration has significant security flaws which leave the program open to attack, according to an inspector general report released Aug. 21.
The Joint Polar Satellite System’s (JPSS) ground system at NOAA—which gathers and routs data from several satellites to users around the world—had 23,868 high-risk vulnerability instances in the second quarter of fiscal 2014, much more than the 14,486 it had in fiscal 2012, according to the report.
While NOAA should remove any high-risk vulnerabilities within 30 days of identification it took the agency 11 to 14 months to remediate some of them, according to the report. Software updates that would remediate some of the problems only occurred once a year.
And while the agency promised to release two maintenance patches per year over the last two years it has only released one patch so far, according to the report.
“The remediation of high-risk vulnerabilities is critical to the continued success of the
JPSS mission and should have a high priority. The more high-risk vulnerabilities that exist in the system, the higher the probability is that an attacker could compromise it,” the report said.
The IG recommended that NOAA and the JPSS program should:
■ Review the types of vulnerabilities identified in the IG investigation and correct them as soon as possible.
■ Update system processes and patch high-risk areas in order of the most vulnerable.
■ Require that any new vulnerabilities be remediated within three months.