The U.S. Department of Defense Inspector General published a report this week that revealed that lack of adequate cybersecurity for the protection of the United States’ ballistic missile defense systems (BMDS).
Ballistic missile defense systems are crucial components of the US Defense infrastructure, they aim to protect the country from short, medium, intermediate and long-range ballistic missiles.
Experts warn of cyber attacks against these systems launched by nation-state actors.
Back on March 14, 2014, the DoD Chief Information Officer announced the DoD plans of implementing the National Institute of Standards and Technology (NIST) security controls to improve
More than four years later the situation is worrisome, according to a new DoD report the BMDS facilities have failed to implement security controls requested by the standard.
“We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from
“We analyzed only classified networks because
The report states the BMDS did not implement security controls such as multifactor authentication, vulnerability assessment
“We determined that officials from … the did not consistently implement security controls and processes to protect BMDS technical information.” continues the report.
In a BMDS facility, users used single-factor authentication for up to 14 days during account creation, in another facility users were allowed to access a system t
The report also shows the failure in patch management for systems in many facilities. For some facilities, there were found vulnerabilities that had not been patched since their discovery in 2013.
“Although the vulnerability was initially identified in 2013, the still had not mitigated the vulnerability by our review in April 2018. Of the unmitigated vulnerabilities, the included only in a POA&M and could not provide an explanation for not including the remaining vulnerabilities in its POA&M” continues the report.
According to the report, facilities were also failing in encrypting data that was being stored on removable devices, they also failed in using systems that kept track of what data was being copied.
“In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption,” continues the report. “Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted].”
The report also reported physical security issues such as server racks not being locked, open doors to restricted locations, and the absence of security cameras at required locations.
The report also includes the following recommendations:
(Security Affairs – United States’ ballistic missile defense systems (BMDS), DoD)