US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)
An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles that are part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.
The last time this type of report came out they were still using floppy discs.
I'm okay with floppy disks being used as a step to activate nuclear weapons. Force an air gap and real people to be involved. I'm not sure a system that fires a ballistic missile should have an antivirus, since they should never ever ever be running anything that hasn't had its pedigree gone through to the last semicolon. Basically I'd rather have the design be old, but known good, and require a person to take some esoteric list of manual steps, than have it all connected to a network with Windows on it, and plug and play. That esoteric list of steps and weird things like floppies may be a pain to maintain, but it provides some solid security against any kind of remote exploitation.
Of course the rest of the article summary sounds like sheer incompetence. Defence in depth is not optional for critical systems.
I'm not sure where the article summary got their list of findings. The report mentions USB *once*, and that's in a reference to a NIST glossary for removable media.
Whoever summarized the summary appeared to not understand the report and added their own color and errors to it.
"USB Thumb Drives" seems to be fabricated from the submitter reading "removable media".
The ZDNet article is also guilty of this. E.g.,
No. Just no.
The report looks interesting though, far more nuanced.
Sounds like a penetration test was conducted, including physical access testing. That's normal and good procedure, just a bit shocking that they do it only now and bugs from 1990 haven't been fixed yet...
Whoever wrote that is just clueless. The Ballistic Missile Defense System is a system which protects against ballistic missiles, not one which fires ballistic missiles.