GAO: NASA Faces 'Inconsistent' Cybersecurity Across Spacecraft
The space agency needs to implement stricter policies and standards when it comes to its cybersecurity practices, but doing so the wrong way would put machinery at risk, a federal review found.
May 3, 2024
NASA has gone some way to addressing its cybersecurity challenges, according to a government watchdog, but, it says, too many of its security policies and standards are still optional.
The US Government Accountability Office (GAO) recently completed a review of three NASA projects: the Gateway Power and Propulsion Element, the Orion Multi-Purpose Crew Vehicle, and the Spectro-Photometer for the History of the Universe, Epoch of Reionization and Ices Explorer (SPHEREx). GAO found that contracts relating to these projects required contractors to address cybersecurity by, for example, adequately addressing and testing positioning, navigation, and timing systems.
However, since issuing its Space System Protection Standard in 2019, NASA hasn't updated its policies and standards pertaining to those contracts. Plus, NASA issued a Space Security: Best Practices Guide last December, but the guidance is optional for spacecraft programs.
In concluding its report, GAO recommended that NASA "develop a plan with time frames" to update its policies.
Solving security at NASA is "not going to happen overnight," notes Kevin Kirkwood, deputy CISO at LogRhythm. "It's going to be an interesting and long journey: first to get the foundation in place from a policy perspective, and then the technology has to follow that through. And if they don't figure out a way to make it work, they're going to be in worse trouble than they are today."
Security vs. Practicality
In his response to the report, NASA CIO Jeffrey Seaton agreed with "the need to ensure continuous improvement of policies and standards," but pushed back on GAO's final recommendation. Among his reasons, Seaton pointed out two inescapable realities of cybersecurity in space.
First, spacecraft are very diverse; NASA launches small satellites and manned aircraft, and "therefore, it is not feasible to develop one set of essential controls applicable to all types of mission spacecraft," Seaton wrote.
Second, spacecraft machinery is unlike the computers used on Earth. The engineering constraints involved make safely implementing cutting-edge cybersecurity capabilities "non trivial."
"It comes down to space, weight, and power," explains Jeff Hall, principal security consultant and North American aerospace lead at NCC Group. "Adding things takes away from your space, weight, and power budget, which is critical, because you're already very constrained." This is especially problematic if a spacecraft is already built — with that budget already accounted for — and one tries tacking on security after the fact.
"I've dealt with this firsthand on the engineering side, with aircraft and missiles and weapons systems for DoD," Hall adds. A lot of the people that are on the IT side of things — you know, CIOs, CISOs — don't have operational technology experience and they try to come at you with traditional IT solutions. Operational technology is very memory-limited. It's very processor limited. It's designed to do specific functions and nothing else. So hosting additional software — endpoint detection, anything like that — just does not work for a system like this."
Finding the right balance between engineering constraints and security robustness is necessary, Kirkwood warns, in the face of those worst-case scenario, science-fiction-level threats to NASA's most valuable systems.
"If you can inject yourself anywhere in the [spacecraft's] pipeline, you can begin to do funny things like send a signal that changes the way it's navigating," he says. "Or you can heat things up that need to be cold, like food. You could send a signal up to the space station to tell the whole environment to shut off. Deep space is pretty cold — the astronauts are going to notice that they're a little chilly and they're going to need to do something about it.
"It's things like that that should be thought through and architecturally fixed before you actually ever put somebody up in a spacecraft."
About the Author
You May Also Like
Cybersecurity Day: How to Automate Security Analytics with AI and ML
Dec 17, 2024The Dirt on ROT Data
Dec 18, 2024