Houston, we may have a problem.
NASA's cybersecurity framework for spacecraft development is inconsistent and needs improvement, according to a 34-page review by the U.S. General Accounting Office (GAO).
GAO's report emphasized the need for mandatory cybersecurity updates across the space agency's $83 billion portfolio of space projects.
The U.S. government agency has asked NASA to develop a plan with a deadline for policy updates. “NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have layered and comprehensive defenses against attacks,” the report said.
This review focused on three projects managed by three different research centres: the Gateway Power and Propulsion Element, the Orion Multipurpose Crew Vehicle, and the Spectrophotometer for Space History, Reionization Era, and Ice Exploration (SPHEREx).
While the contracts for the reviewed projects include cybersecurity requirements, the Space Systems Protection Standard NASA-STD-1006, approved in October 2019, provides limited guidance on cybersecurity.
Chris Warner, ICS/OT security strategist at GuidePoint Security, said: “Cyber threats are rapidly evolving as attackers constantly develop new techniques and tools to exploit vulnerabilities.” You can update your measures.”
Warner warned that this could lead to serious consequences, including unauthorized access to sensitive data and compromise of mission-critical systems, making it easier for attackers to penetrate systems before they reach space.
NASA needs an implementation schedule
GAO warned that without a clear plan, implementation timing remains uncertain, creating the risk of inconsistent cybersecurity controls and inadequate defenses against cyber threats.
NASA space projects involve significant investments and operate in a high-threat cyber environment. Addressing these vulnerabilities is critical to mission protection and success.
“As cyber threats become more prevalent, so too do threats to NASA spacecraft,” the GAO report warns. “A cyberattack could result in the loss of critical data or loss of control of the spacecraft.”
GAO recommended that NASA's chief engineer, CIO, and chief advisor for enterprise protection draw up an implementation plan to “update spacecraft acquisition policies and standards to incorporate the critical controls necessary to protect against cyber threats.”
NASA becomes a target for nation states
Narayana Pappu, CEO of Zendata, noted that in recent years, nation-state and insider threats have targeted NASA and its affiliates to steal employee information, mission data, and other sensitive information.
“It is critical for organizations to have strong and mandatory cybersecurity measures in place,” said Pappu. “There is a good chance that NASA's system protection standards are far behind current best practices.”
In his response to the report, NASA CIO Jeffrey Seaton outlined the challenges of developing one mandatory set of controls that can be applied to all types of mission spacecraft, citing the diversity of those spacecraft.
Pappu suggested following a modular architecture of microservices or control. This allows customization of each mission without duplication of countermeasures, controls, and approaches. “Using red teams and conducting third-party security assessments is a good way for NASA to reduce significant cybersecurity risks,” Pappu added.
Warner said treating cybersecurity as an essential and non-negotiable aspect of operational strategy is not only desirable, but necessary. He said, “Spacecraft are very diverse and should be treated like operational technology, recognizing that they are different from ground-based computing equipment.”
To do this, well-thought-out governance policies and standards should be implemented that incorporate the risks unique to these systems across platforms and interoperable systems, in order to protect controls, sensitive information, supply chain security, economic loss prevention, customer trust, and resiliency to evolving threats.
“These governance policy stacks should be built with an approach that encompasses various layers of security, compliance, and operational guidelines tailored to the specific needs and risks of aerospace operations across a variety of platforms for both space and ground support systems,” Warner said.
AI could enhance NASA's cybersecurity efforts
Autonomous threat, anomaly, and drift detection is one way artificial intelligence and machine learning (AI/ML) can help NASA reduce cyber risk.
AI has the potential to significantly enhance cybersecurity by processing vast data sets quickly and detecting anomalies and threats more efficiently than human operators. “AI also helps with rapid incident response by analyzing data to quickly identify the source and nature of attacks, accelerate mitigation and reduce damage,” Warner said.
These technologies strengthen your security strategy against evolving threats and ensure defenses are updated based on the latest data.
“AI can also secure communications between Earth and spacecraft through automatic encryption and anomaly detection,” Warner said.