US missile defence systems fail cybersecurity audit
Mon 17 Dec 2018
Security controls and processes for ballistic missile defense system (BMDS) not consistently implemented leaving technical information exposed, according to a security audit released by the US Department of Defense Inspector General (DOD IG)
A US DOD cybersecurity audit of US missile defence systems has revealed officials are failing to implement basic cybersecurity controls such as multifactor authentication and data encryption.
The report, released last Friday, was compiled after investigators visited five sites where BMDS ballistic missiles are located. BMDS is a DOD program that protects US territories by launching ballistic missiles to take down incoming nuclear rockets.
The facilities, run by the US Army, Navy and Missile Defense Agency, process, store and transmit missile defence technical information — information that is not being protected from ‘unauthorised access and use’, the report concludes. If the information was ever intercepted by rogue actors, the consequences could be catastrophic:
“Inadequate security controls that result in unauthorised access to or disclosure of BMDS technical information may allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to missile attacks that threaten the safety of U.S. citizens and critical infrastructure,” the report reads.
In almost all aspects of cybersecurity, the Army, Navy and MDA were found wanting. The DOD identified weaknesses in cybersecurity controls, processes, and technology used for managing network and system authentication, vulnerabilities, and data storage and transfers, as well as physical security controls such as facility access.
Which leads to the question: How on earth could one of the most sensitive systems on the planet have been so insecure? CSOs and CIOs look away now, as we take a closer look at the most problematic areas: multifactor authentication, server rack security, and data encryption.
Inconsistent use of multifactor authentication
DoD regulations stipulate that users at the facilities must use multifactor authentication mechanisms to access information systems. Allowing users to access networks using single-factor authentication increases the risk that cyberattackers could exploit passwords and access sensitive missile system information, via dictionary attacks, phishing or brute force attacks.
Most BMDS facilities opt to provide workers with a Common Access Card (CAC) in addition to a username and password to gain access – forming a multifactor setup.
However, the report reveals sites have either failed to configure the network to allow only CAC-holding users access or are not enforcing the use of CACs. This has resulted in many users using just their usernames and passwords to gain access to classified networks. A user at one facility did not use their CAC to access systems for seven years.
Server racks inconsistently secured
Investigators also discovered that data centre managers at BMDS facilities were not consistently securing their server racks in their data centres. DOD policy strictly requires all network infrastructure devices to be located in a secure room with limited access, and DOD officials to physically secure network devices using locked cabinets.
When auditors told one manager of the requirements, his response was wince-worthy in the extreme, stating he ‘was not aware of the requirement’.
Leaving racks unlocked increases the risk that unauthorised individuals could access or tamper with servers, potentially compromising or stealing sensitive data. It is common practice to lock server racks as it provides another layer of security over sensitive information that protects it from malicious individuals – either if they are authorised to be there or if they have somehow slipped past physical security measures.
Data on removable media not always encrypted or monitored
DOD officials are required to encrypt all sensitive data stored on removable media in addition to monitoring the type of and volume of data transferred to and from it by individual users. Not doing so, naturally, increases the risk that protected and classified information critical to US national security can fall into the hands of malicious actors.
Auditors must have been alarmed to discover that security managers at BMDS facilities were not enforcing the use of encryption. Managers said they were relying on legacy systems that lacked the ability to encrypt data, that they did not have the resources to purchase encryption software, or that the encryption software they used did always integrate with DOD software.
However, the report points out resources that enable DOD officials to easily implement encryption have been available since 2014.
“The National Security Agency publishes capabilities packages that provide architecture and configuration requirements that allow organisations to implement secure solutions to protect data at rest using
commercial off-the-shelf products,” reads the report.
Given the audit’s damning indictment of US missile cybersecurity: it’s probably safe to say the jobs of many DOD officials at the visited facilities are probably just as vulnerable as the systems they manage. You can read the full (albeit heavily redacted) report here.
Over the last decade the scale of cyber attacks have increased dramatically and there has been a huge increase in the scale of cyber attacks against global IT infrastructures.