NASA OIG: Audit of Industrial Control System Security within NASA’s Critical and Supporting Infrastructure
WHY WE PERFORMED THIS AUDIT
In keeping with the evolution of technology, NASA has increasingly moved away from isolated, manually controlled operational technology (OT) systems to an environment in which physical processes are controlled with sophisticated and interconnected information technology (IT) equipment. As more devices become “smart” through wireless connectivity, OT systems that once required hands-on manipulation such as adjusting a valve or flipping a switch can now be controlled remotely. Many of these OT systems are part of the Agency’s critical infrastructure used to test rocket propulsion systems, control and communicate with spacecraft, and operate ground support facilities, or are associated with the electrical power, heating and cooling systems, and other supporting infrastructure. While the convergence of IT and OT can lead to cost savings and other efficiencies, it also means OT systems are potentially vulnerable to the types of security challenges more common to IT systems, including malicious hacking.
In this review, we examined whether NASA has implemented effective policies, procedures, and controls to protect the systems it uses to operate its critical infrastructure. To complete this work, we examined NASA’s critical infrastructure listing, systems inventory, IT security database, procedural requirements, and documented industry best practices. We also conducted interviews with key NASA personnel and partner agency subject matter experts.
WHAT WE FOUND
Despite its significant presence across the Agency and its criticality to the success of the Agency’s multi-faceted mission, NASA has not adequately defined OT, developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components. NASA needs to know which systems incorporate OT components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction. For example, a security patch caused monitoring equipment in a large engineering oven to stop running, resulting in a fire that destroyed spacecraft hardware inside the oven. The computer reboot caused by the software upgrade also impeded alarm activation, leaving the fire undetected for 3.5 hours before it was discovered. Further, limited awareness of OT systems across the Agency has left systems without comprehensive security best practices applied to them. Moreover, NASA’s current policies do not distinguish OT from IT, and the Agency does not offer training focused on protecting OT systems. As a result, NASA is not well-positioned to meet the security demands of an evolving OT environment and is assuming unnecessary risk for critical Agency systems and facilities with OT components.
NASA also lacks an integrated approach to managing risk associated with its critical infrastructure that incorporates physical and cyber security considerations in all phases of risk assessment and remediation. Specifically, the security of physical and cyber components of NASA’s critical assets is managed with minimal collaboration among key Agency stakeholders and does not involve the Office of Strategic Infrastructure, which manages the supporting infrastructure associated with critical assets. This disjointed approach has led to duplication of effort and gaps in security planning and risk remediation at both the Agency and Center levels. Further, based on the inconsistent security practices we observed at various Centers, we question the overall efficacy of NASA’s process for identifying critical infrastructure. Finally, inadequate guidance and oversight, coupled with insufficient funding and record keeping, limit the visibility and insight into NASA’s critical infrastructure protection processes and ultimately impair the Agency’s ability to protect its vital assets.
WHAT WE RECOMMENDED
To ensure the Agency is adequately assessing risk for, applying security controls to, and identifying its critical assets, we made six recommendations: (1) develop a framework to coordinate security efforts across the Agency, (2) develop a standardized process to assess Agency cyber and physical assets for NASA critical infrastructure, (3) ensure appropriate Agency personnel are included in functional reviews of NASA’s critical infrastructure assets and facility security assessments, (4) coordinate the development of a methodology for the identification and protection of interdependencies, (5) develop security policy and procedures for managing the protection of OT that addresses key areas identified during this review, and (6) establish an integrated cyber and physical risk management committee or oversight body to ensure NASA is adequately identifying critical infrastructure and supporting interdependencies and appropriately protecting its OT systems.
We provided a draft of this report to NASA management, who concurred or partially concurred with our recommendations and described corrective actions the Agency has taken or will take to address them. For recommendations 2 through 5, the Agency partially concurred, pointing to the recent implementation of the Enterprise Protection Program (EPP), which the Agency says will focus on protecting critical capabilities and technologies. However, the response describes the EPP and its associated board as advisory in nature. Given the governance concerns we highlighted in this and other reports, we encourage NASA to ensure EPP leadership has sufficient technical authority and support from other responsible components to direct the change required to meet the intent of our recommendations. We believe that, given the proper authority, EPP can implement appropriate corrective action. Accordingly, our recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions.