NASA has come up with a solution to cybersecurity challenges. However, many of its security policies and standards are still optional, the government watchdog said.
The General Accounting Office (GAO) recently completed its review of three NASA projects: the Gateway Power and Propulsion Element; the Orion Multi-Purpose Crew Vehicle; and the Spectro-Photometer for the History of the Universe, Epoch of Reionization, and Ices Explorer (SPHEREx). GAO found that contracts related to these projects require contractors to address cybersecurity, including adequately addressing and testing positioning, navigation, and timing systems.
However, since the publication of its Space System Protection Standards in 2019, NASA has not updated its policies and standards for these contracts. Additionally, NASA has Space Security: A Best Practice Guide; however, this guidance is optional for spacecraft programs.
GAO concluded its report by recommending that NASA “develop a time-bound plan” to update its policies.
NASA's security issues “are not going to go away overnight,” said Kevin Kirkwood, deputy CISO at LogRhythm. “This is going to be an interesting, long journey. First they have to put the foundation in place from a policy perspective and then the technology follows. And if they can't find a way to make it work, they will be in a worse situation than they are today.”
Security and practicality
In a response to the report, NASA CIO Jeffrey Seaton agreed with “the need to ensure continuous improvement of policies and standards,” but pushed back on GAO's final recommendations. Among his reasons, Seaton pointed to two unavoidable realities of cybersecurity in space.
First, spacecraft are very diverse. NASA launches small satellites and manned aircraft; “therefore, it is impractical to develop a set of essential controls that can be applied to all types of mission spacecraft,” Seaton wrote.
Second, the spacecraft's machinery is different from the computers used on Earth. Implementing cutting-edge cybersecurity features securely is “not trivial” due to engineering constraints.
“At the end of the day, it’s about space, weight and power,” explains Jeff Hall, principal security consultant and head of North American aerospace at NCC Group. “As you add things, you reduce space, weight, and power consumption, which is very important because you're already very constrained.” This is especially problematic when the spacecraft has already been built and the budget has already been accounted for, and you are trying to improve security after the fact.
“I have worked directly on this issue on the engineering side, including aircraft, missiles, and weapons systems for the Department of Defense,” Hall added. “Many people on the IT side (CIOs and CISOs) have no operational technology experience and try to provide traditional IT solutions. Production technology is very memory limited. Processors are very limited. It is designed to perform only a specific function. Therefore, hosting additional software (such as endpoint detection) will not work on such systems.”
Kirkwood cautions that finding the right balance between engineering constraints and security robustness is necessary to avoid worst-case, sci-fi-level threats to NASA's most valuable systems.
“If I could inject myself anywhere in my body, [spacecraft’s] pipelines allow you to start doing interesting things, like sending signals that change the way the pipeline moves,” he says. “Or you could warm up something that should be cold, like food. You could send a signal to the space station telling it to shut down its entire environment. Deep space is pretty cold. Astronauts will realize they're a little cold and need to do something about it.
“Things like this need to be well thought out and structurally fixed before we actually put people on a spacecraft.”