US ballistic missile defense systems (BMDS) open to cyber attacks
U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
US DoD Inspector General’s report revealed United States’ ballistic missile defense systems (BMDS) fail to implements cyber security requirements.
The U.S. Department of Defense Inspector General published a report this week that revealed that lack of adequate cybersecurity for the protection of the United States’ ballistic missile defense systems (BMDS).
Ballistic missile defense systems are crucial components of the US Defense infrastructure, they aim to protect the country from short, medium, intermediate and long-range ballistic missiles.
Experts warn of cyber attacks against these systems launched by nation-state actors.
Back on March 14, 2014, the DoD Chief Information Officer announced the DoD plans of implementing the National Institute of Standards and Technology (NIST) security controls to improve cybersecurity of systems.
More than four years later the situation is worrisome, according to a new DoD report the BMDS facilities have failed to implement security controls requested by the standard.
“We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats.” reads the DoD report.
“We analyzed only classified networks because BMDStechnical information was not managed on unclassifiednetworks. The classified networks processed, stored, andtransmitted both classified and unclassified BMDStechnical information.”
The report states the BMDS did not implement security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors. Operators at BMDS facilities did not perform routine assessments to verify the level of cybersecurity implemented.
“We determined that officials from … the did not consistently implement security controls and processes to protect BMDS technical information.” continues the report.
In a BMDS facility, users used single-factor authentication for up to 14 days during account creation, in another facility users were allowed to access a system that does not even support multifactor authentication.
The report also shows the failure in patch management for systems in many facilities. For some facilities, there were found vulnerabilities that had not been patched since their discovery in 2013.
“Although the vulnerability was initially identified in 2013, the still had not mitigated the vulnerability by our review in April 2018. Of the unmitigated vulnerabilities, the included only in a POA&M and could not provide an explanation for not including the remaining vulnerabilities in its POA&M” continues the report.
According to the report, facilities were also failing in encrypting data that was being stored on removable devices, they also failed in using systems that kept track of what data was being copied.
“In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption,” continues the report. “Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted].”
The report also reported physical security issues such as server racks not being locked, open doors to restricted locations, and the absence of security cameras at required locations.
The report also includes the following recommendations:
- using multifactor authentication;
- mitigating vulnerabilities in a timely manner;
- protecting data on removable media;
- implementing intrusion detection capabilities