American missile systems failed a recent security audit
Digital forensics specialists from the International Institute of Cyber Security report that the Inspector General of the U.S. Department of Defense has published a paper that reveals the security flaws relevant to the protection of Ballistic Missile Defense Systems (BMDS).
These systems are considered a fundamental element in the military infrastructure of the United States, since among its main tasks is the operation of the defense against attacks with missiles of short, medium and long range. In the report, experts warn of possible cyberattacks on these systems, mainly attack campaigns operated by other nations.
In March 2014, the Information Director of the Department of Defense (DOD) reported plans to implement in the defense infrastructure the controls endorsed by the National Institute of Standards and Technology (NIST) to improve the protocols of cybersecurity in U.S. military systems. However, four years have passed since the announcement and the state of cybersecurity of these systems remains critical, according to experts in digital forensics, as many of the standards announced remain unimplemented.
“We evaluated the DOD’s systems to verify whether NIST-backed controls were properly implemented for the purpose of protecting technical details about the operation of these systems, which we consider critical,” says the DOD Inspector General’s report.
With regard to the report, it indicates that BMDS lacks basic controls such as two-factor authentication, vulnerability assessment, classified data protection, transmission encryption, hardware security and security elements such as surveillance cameras and motion sensors. “We have concluded that DOD officials did not systematically implement security controls and processes to protect BMDS technical information”, the report continues.
“Some BMDS officials did not encrypt data stored in removable media, as they thought this was not required or necessary”, the report mentions. According to experts in digital forensics, the report also mentions the flaws in the administration of patches for systems in multiple facilities. In some cases, uncorrected vulnerabilities were found since the year 2013.
The report also highlights security problems in physical infrastructure, such as lack of adequate access control, exposed restricted locations, and lack of security cameras at critical points in some facilities.
The DOD report also includes some recommendations such as the use of multi-factor authentication, removable storage media protection, and the implementation of potential intruder detection systems.