The vast majority of NASA's IT systems "including many containing high-value assets or critical infrastructure" are not covered by its current insider threat programme, its watchdog has warned, urging action.
That's because NASA's insider threat programme only applies to classifed systems and the vast majority of IT assets fall outside that designation, meaning they are exempt from the classified programme's user activity monitoring, insider threat training, and expanded procurement disclosure requirements.
In a report this month, NASA's Office of Inspector General (OIG) emphasised that NASA's risk exposure from insider threats is "significant and varied" -- acknowledging that "staffing challenges, technology resource limitations, and lack of funding to support such an expansion [of the classified designation across IT systems] would need to be addressed." (NASA's total budget for fiscal year 2021 was $23.3 billion).
See also: Hiring a CISO? Know this...
In a warning call that deserves reflection more broadly across the enterprise world the OIG pointed to "cross-discipline challenges surrounding cybersecurity expertise" -- noting that at NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the CIO.
"In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity..."
NASA insider threat warnings come after Raspberry Pi incident
In April 2018 unknown hackers breached NASA's network and stole data related to Mars missions -- using a Raspberry Pi device connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorisation from senior technology staff. The OIG said it should have required JPL CIO approval.
In a report published June 2019 in the wake of that incident the OIG painted a picture of worryingly lax cybersecurity at NASA, saying: "JPL established a network gateway to allow external users and its partners, including foreign space agencies, contractors, and educational institutions, remote access to a shared environment for specific missions and data. However, JPL did not properly segregate individual partner environments to limit users only to those systems and applications for which they had approved access."
"The cyberattacker from the April 2018 incident exploited the JPL network’s lack of segmentation to move between various systems connected to the gateway, including multiple JPL mission operations and the DSN.
Astonishingly, IT security officials from the Johnson Space Center (Johnson), which handles the International Space Station among other NASA projects, were so concerned that they "elected to temporarily disconnect from the gateway due to security concerns. Johnson officials were concerned the cyberattackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems. At the same time, Johnson IT security officials discontinued use of DSN data because they were concerned it could be corrupted and unreliable" the OIG warned in its 2019 report.
With regard to tackling the NASA insider threat, the OIG has called on the space agency to "improve cross-discipline communication by establishing a Working Group that includes the Office of Protective Services (OPS), the Office of the CIO, the Office of Procurement, human resources officials, and any other relevant Agency offices to collaborate on wide-ranging insider threat related issues for both classified and unclassified systems."