Simply put, "the device should not have been permitted on the JPL network without the JPL Office of the Chief Information Officer's (OCIO) review and approval," the report states. Nevertheless, hackers leveraged a vulnerable Raspberry Pi to swipe 500 megabytes of data from one of the network's major mission systems, and ultimately dive deeper into the network.
"The cyberattacker from the April 2018 incident exploited the JPL network’s lack of segmentation to move between various systems connected to the gateway, including multiple JPL mission operations and the DSN. As a result, in May 2018 IT security officials from the Johnson Space Center (Johnson), which handles such programs as the Orion Multi-Purpose Crew Vehicle and International Space Station, elected to temporarily disconnect from the gateway due to security concerns," the report states.
Dozens of Johnson officials noted concerns that cyberattackers could move laterally from the gateway into the mission systems, potentially gaining access to places they are not permitted to be. Should that happen, hackers would then be able to initiate malicious signals to human space flight missions that use those systems.
The report did not only shine a light on hardware vulnerabilities; it also found "significant deficiencies" in JPL's event monitoring and security controls.
"We reviewed the 8 system security plans associated with the 13 systems we judgmentally sampled and found significant deficiencies. Specifically, these plans had a total of 5,406 unresolved Security Problem Logs (SPLs)—about 86 percent of which were rated high or critical—and four plans contained 666 open SPLs with critical vulnerabilities," the report states.
The report highlights several poor security practices that you would not expect to exist at NASA. It concludes with recommended fixes for the various security issues. NASA has committed to implementing all but one of them, the exception being the establishment of a formal threat-hunting process.