Via Aerospace America | By Sarah Wells — NASA’s cybersecurity track record has been a troubled one, but as far as the public record shows, the troubles have not reached the International Space Station. What should NASA do to keep it that way? Sarah Wells spoke to cybersecurity experts to find out.
While it is easy — and even romantic — to imagine the International Space Station as a safe haven from Earthly pressures, the orbiting lab is, in reality, digitally connected to our terrestrial world, and therefore vulnerable, at least in theory, to the kind of targeted and malicious cyber threats we face on Earth from anyone with a grudge and a keyboard.
Of course, ISS is not connected directly to the internet. Before birthday wishes, photos and social media are allowed into NASA’s network and bounced to the station via the geosynchronous Tracking Data Relay Satellite System, they are checked by NASA and mirrored by a computer at NASA’s Johnson Space Center in Texas. With their NASA-provided laptops, U.S. crew members can remotely view this computer’s desktop and control it via the laptop’s track pad.
Still, the public prominence of the station has made the ISS a potentially juicy target for hackers worldwide — though likely not in the catastrophic, careening-out-of-orbit way that we might see in an action movie. More likely, experts believe, are data thefts and efforts to undermine the prestige of the ISS partner nations, probably carried out by finding a way around this secure computer.
The closest to anything like that came in 2011, when an unencrypted notebook computer containing ISS command and control algorithms was stolen, though NASA maintained that there was never an operational risk to the station. Nevertheless, NASA’s poor cybersecurity record throughout other parts of the agency has independent experts and retired officials counseling even greater vigilance to protect ISS, especially with 90% of the workforce working remotely since March.
“We must recognize that while basic cyber hygiene practice is relatively doable under normal circumstances, these are not normal times,” said Diana Burley, a cybersecurity researcher at American University in Washington, D.C., in a September congressional hearing.
Even before the pandemic, internal audits and reports by NASA’S Office of the Inspector General and the congressional Government Accountability Office indicated that NASA had repeatedly fallen short on cybersecurity of its computer networks and the proper data hygiene of its employees.
After repeated attempts for comment from NASA’s associate chief information officer for cybersecurity and privacy, Mike Witt, and others in the Information Security Office in charge of NASA’s cyber posture, I was able to connect with Renee Wynn, who was on the receiving end of some of those reports before retiring in April after five years as NASA’s chief information officer.
Arriving as NASA’s CIO in 2015, Wynn says she found independent scrutiny essential for identifying where NASA’s corporate information technology has fallen short, and she acknowledges that it has indeed fallen short.
“One of the big challenges for NASA is that it invented some of the IT [the agency] needed to launch super cool science missions,” she explains. And some of that IT, for example, communications software for receiving data from the Voyager space probes, has continued to be used well after what many would consider its prime. In the 1970s when these probes were launched, cybersecurity was not a top concern, says Wynn.
As for technology not tied up in nearly half-century long missions, Wynn says the importance of shoring up — or introducing — cybersecure technology and policies has become a priority in recent years. But devising the best way to do so has not been without its challenges.
To understand how to best plug NASA’s cybersecurity holes, Wynn says that under her watch the agency took a risk-based-assessment approach and began to evaluate a variety of scenarios and risks of all programs, including the human spaceflight program that operates the ISS.
“We certainly found a green field of opportunity” for improving security, she says.
Despite Wynn’s efforts, in 2018, the NASA-funded Jet Propulsion Laboratory in California had 500 megabytes of undisclosed data stolen through an unsecured and unmonitored Raspberry Pi, a credit-card-sized hobbyist computer. NASA and cybersecurity reviewers from other agencies have released little information about the incident, but we do know the hacker used the Raspberry Pi to access NASA’s Deep Space Network, which routes commands to spacecraft beyond Earth orbit and receives scientific data back from them. They also penetrated an internal communications network that connects JPL with other NASA centers and contractors. A 2019 NASA audit report says that Johnson, the center responsible for ISS, disconnected from the infected internal network altogether.
“Johnson officials were concerned the cyber attackers could move laterally from [the internal network] into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” according to the report, “Cybersecurity Management and Oversight at the Jet Propulsion Laboratory.”
While NASA reports that no serious damage was done during this breach, records suggest that the agency has continued to struggle with cyber threats. In an independent review of federal records between 2018 and 2019, Atlas VPN, an online privacy company based in New York, reported that cybersecurity incidents at NASA were up 360% from 2018, with a total of 1,468 cyber incidents in 2019. This assessment is echoed by concerns voiced in a NASA inspector general report issued in June, “Evaluation of NASA’s Information Security Program,” which cited the agency for poor implementation and maintenance of cybersecurity infrastructure and protocols at its various centers.
NASA’s Office of Inspector General explained to me in an email that these shortcomings threaten “the confidentiality, integrity, and availability of NASA information maintained in those [computers and databases.]”
SOURCE OF THE PROBLEM
Although analyses to date have not specifically named the ISS as a concern, cybersecurity researchers I spoke to say there could be as-yet-undiscovered weaknesses at the root of the agency’s tangle of information computer networks, software and personnel, that might leave the station vulnerable.
As for how NASA amassed a poor cyber record, Emmanuel Lesser, a software product assurance engineer at the European Space Agency who researches cybersecurity solutions for satellites and deep space probes, thinks he knows, and it has to do with history.
“The kind of security implemented in space systems was security through obfuscation,” he says. Lesser explains that major science and technology organizations, like NASA, that were building advanced hardware, software and craft for space exploration simply believed that malicious actors would find it too hard to obtain the communications protocols or appropriate transmitters necessary to hack their computers, let alone to understand the information once they got it. “They really believed [they were] not worth the effort to hack.”
But, while the sheer complexity of spacecraft and their communications networks may have been enough to safeguard them in the past, hackers can learn a lot about those technologies from information that’s available online, and they can add to that knowledge with each breach. This has left NASA rushing to catch up to modern cyber threats that stretch from its ground-based operations all the way, at least in theory, to the ISS.
In the June report, NASA’s Office of Inspector General contends that this lack of security does not necessarily come from a lack of funding or lack of overall infrastructure capabilities, but instead from a more human problem: inconsistent management.
Part of the cause for this, says Wynn, is the diversity of protocols and organizational structure in different parts of the agency itself. During her tenure, she recognized that she would need solutions tailored for the specific needs of the different programs.
While some offices proved to be challenging to work with, the station managers were not.
“I immediately found partnership with the human space program,” says Wynn, including managers of the ISS. When coming to discuss the cyber risks of the program, Wynn says she was prepared for resistance but instead “found people were already thinking about it and really putting some great ideas into practice.”
Part of what drove this early adoption of cyber posture, Wynn suggests, is the concern for astronaut safety among those in the human spaceflight program. For them, cybersecurity was another critical element of that safety.
Of course, a desire for security is one thing, finding it is another. Dr. Bhavani Thuraisingham, who is the executive director of the University of Texas at Dallas Cyber Security Research and Education Institute, the Cybersecurity Research and Education Institute at the University of Texas in Dallas, says that securing a spacecraft such as ISS is far more complicated than, for example, securing a retail store.
“The retail industry, like many industries, uses computers, iPads, and smartphones that are all integrated into databases and your operating system,” says Thuraisingham. Targeting one piece of technology within a network of devices, say the microprocessor of a single iPad, is equivalent to an attack on the whole information network — from the iPad fleet to the financial databases they might be connected to — because of its interconnectivity, she says. This means that these networks are truly only as powerful as their weakest link.
So, retail stores are continually updating their software and devices for security. That’s much harder to do with spacecraft far from Earth whose weaknesses might be outdated code or low-memory capacity for cybersecurity upgrades, says Gregory Falco, a security researcher at Stanford University.
The good news is that ISS is close to Earth, relatively speaking, and astronauts can regularly update its computers.
In fact, ISS is certainly not stuck in the 1960s — or even ’90s — when it comes to technology, says Pamela Melroy, a retired Air Force colonel and NASA astronaut who piloted or commanded three space shuttle missions to ISS. Melroy, now director of space technology and policy at Nova Systems in Australia, spoke during the virtual DefCon in August in a session titled “Cybersecurity Lessons Learned From Human Spaceflight.” Hardware and software updates have even been made in recent years to accommodate new commercial spacecraft, she noted, the first of those being Northrop Grumman’s Cygnus cargo capsules and SpaceX’s Dragon and Crew Dragon capsules.
But with added complexity and capability, points out Thuraisingham, comes the possibility of cybersecurity breaches or mishaps. For example, the process from designing specialized hardware and software for a new spacecraft all the way through docking it at ISS can mean the participation of not only many NASA centers but private-sector partners as well. Any misstep in the process can create weak points, says Thuraisingham, and assigning blame can be nearly impossible.
To finish reading the rest of this article, please visit Aerospace America.
Source | Aerospace America | Article Written By Sarah Wells
ABOUT THE UT DALLAS COMPUTER SCIENCE DEPARTMENT
The UT Dallas Computer Science program is one of the largest Computer Science departments in the United States with over 3,600 bachelors-degree students, more than 800 master’s students, 160Ph.D. students, 51 tenure-track faculty members, and 44 full-time senior lecturers, as of Fall 2020. With the University of Texas at Dallas’ unique history of starting as a graduate institution first, the CS Department is built on a legacy of valuing innovative research and providing advanced training for software engineers and computer scientists.