NASA Must Improve Spacecraft Cybersecurity, GAO Report Finds – Source: securityboulevard.com

Houston, we may have a problem.

NASA’s cybersecurity framework for spacecraft development is inconsistent and must be improved, according to a 34-page review by the U.S. Government Accountability Office (GAO).

The GAO report highlighted the need for mandatory cybersecurity updates throughout the space agency’s $83 billion space development project portfolio.

The U.S. government agency urged NASA to develop a plan with timeframes for policy updates. “NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have a layered and comprehensive defense against attacks,” the report said.

The review focused on three projects managed out of three different research centers: the Gateway Power and Propulsion Element, the Orion Multipurpose Crew Vehicle, and the Spectro-Photometer for the History of the Universe, Epoch of Reionization and Ices Explorer (SPHEREx).

While contracts for reviewed projects include cybersecurity requirements, the space system protection standard, NASA-STD-1006, approved in October 2019, provides limited guidance for cybersecurity.

“Cyber threats evolve rapidly as attackers constantly develop new techniques and tools to exploit vulnerabilities,” said Chris Warner, ICS/OT security strategist at GuidePoint Security. “With regular updates, security measures can be updated to defend against these new threats, such as AI.”

Warner warned that this could lead to severe consequences, such as unauthorized access to sensitive data or even the compromise of mission-critical systems, making it easier for attackers to breach systems before they reach space.

NASA Needs Implementation Timetables

The GAO cautioned that the implementation timing remains uncertain without a clear plan, posing risks of inconsistent cybersecurity controls and inadequate defense against cyber threats.

NASA’s space projects involve significant investments and operate in a high-threat cyber environment. Addressing these vulnerabilities is crucial for mission protection and success.

“As cyber threats become more prevalent, so do threats to NASA’s spacecraft,” the GAO report cautioned. “A cyberattack could lead to losing critical data, or possibly losing control of the spacecraft.”

The GAO recommended that NASA ensure the chief engineer, CIO and principal advisor for enterprise protection develop an implementation plan to “update spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats.”

NASA a Target of Nation-States

Narayana Pappu, CEO at Zendata, pointed out that in recent years, nation-states—and insider threats— have targeted NASA and its affiliated organizations to steal employee information, mission data, and other sensitive information.

“It is absolutely crucial for organizations to have robust and mandatory cybersecurity measures,” Pappu said. “There is a good chance that NASA system protection standards are far behind the current best practices.”

In his response to the report, NASA CIO Jeffrey Seaton outlined the challenges in developing one set of essential controls applicable to all types of mission spacecraft due to their diversity.

Pappu suggested following a microservices or modular architecture of controls, which would allow customizability for each mission without introducing duplication in measures, controls, and approaches. “Using red teams and performing third-party security assessment are good ways for NASA to mitigate high-consequence cybersecurity risks,” Pappu added.

It’s not only advisable but necessary to treat cybersecurity as an essential and non-negotiable aspect of operational strategy, said Warner. “Realizing that spacecraft are very diverse and different from terrestrial computing equipment, they should be treated like operational technology.”

This requires implementing well-thought-out governance policies and standards that incorporate the unique risk of these systems across platforms and interoperable systems to protect controls, sensitive information, supply chain security, economic loss prevention, customer trust, and resiliency against evolving threats.

“These governance policy stacks should be structured with an approach encompassing various layers of security, compliance, and operational guidelines tailored to aerospace operations’ specific needs and risks across different platforms for both space and terrestrial supporting systems,” Warner said.

AI Could Enhance NASA Cybersecurity Efforts

Autonomous threat and anomaly and drift detection are among the ways artificial intelligence and machine learning (AI/ML) could help reduce NASA’s cyber risks.

AI could significantly enhance cybersecurity by rapidly processing vast data sets to detect anomalies and threats more efficiently than human operators. “AI also aids in swift incident response by analyzing data to quickly pinpoint attack sources and nature, speeding up mitigation and reducing damage,” Warner said.

These technologies are force multipliers in security strategies to evolving threats, ensuring defenses are updated based on fresh data.

“AI can also secure communications between Earth and spacecraft with automatic encryption and anomaly detection,” Warner said.

Photo credit: NASA