Diving deeper into the system gave the hackers access to several major missions, including NASA’s Deep Space Network — its network of spacecraft communication facilities. As a result, the security teams of some sensitive programs, such as the Orion Multi-Purpose Crew Vehicle and the International Space Station, have chosen to disconnect from the agency’s network.

In addition to having reduced visibility to devices connected to its network and to not keeping different parts of its network separate, investigators have also found instances of security tickets not being resolved for extended periods of time. In some cases, the tickets sat unresolved for as long as 180 days. The investigators have also noted that JPL’s incident management and response practices deviate from NASA’s recommendations.

The OIG recommended a fix for all those issues, and NASA agreed to all of them except one: establishing a formal threat-hunting process to find flaws before they even cause issues. It will verify if JPL follows through before closing the investigation entirely.