NASA Releases First Space Cybersecurity Best Practices Guide
Agency Set to Bolster Space Cybersecurity Efforts Across Public and Private Sectors
Ground control to the space industry: Take your static cybersecurity practices and upgrade them to a dynamic model. So says NASA's first-ever security best practices guide for space communications, part of an effort to make mission security requirements more accessible to the cybersecurity community.
The new guidance issued Friday aligns NASA's flight project parlance with security controls outlined in the National Institute of Standards and Technology catalog of security controls for government agencies, known as SP 800-53.
Cybersecurity "principles are meant to be easily achievable regardless of mission, program, or project size, scope, or whether international, corporate, or university," according to NASA. The agency said the goal of the guidance is to aid organizations in adapting to increasingly integrated and interconnected information systems and operational technologies for space systems and activities.
Awareness of space systems' vulnerability to hackers crossed a red line into reality with Russia's February 2022 attack on satellite broadband communication provider Viasat. According to a paper by German academics published in April, a survey of satellite developers included the admission that some orbitals outright lack cyber defense measures while many others count on "security by obscurity" as a deterrent. Documents leaked this spring by an air guardsman and reviewed by the Financial Times show the military is worried that China is using cyber weapons to "seize control" of satellites.
The guidance urges public and private sector organizations conducting space activities to establish a continuous process of mission security risk analysis and risk response in order to routinely identify and address security risks related to specific operations. NASA also advises organizations to apply the principles of domain separation and least privilege designs across their enterprises to better mitigate supply chain attacks and other operational vulnerabilities.
Misty Finical, deputy principal adviser for enterprise protection at NASA, said the guidance "represents a collective effort to establish a set of principles that will enable us to identify and mitigate risks and ensure continued success of our missions, both in Earth's orbit and beyond."
Reports detail a variety of challenges that organizations have faced in recent years while responding to emerging cybersecurity threats in space. A 2019 Government Accountability Office assessment found that the Department of Defense had struggled to adopt new approaches to protect U.S. satellites from cyberattacks by foreign adversaries and from the increasing threat of space debris.
NASA said in its guidance that threat actors can exploit ground systems to gain unauthorized access and maliciously interact with space vehicles and operations. The agency encouraged organizations to ensure only authenticated and authorized personnel and software are allowed access to space mission systems.
The guidance also recommends establishing a mediated access mechanism to help prevent unauthorized access to critical subsystems in the space segment, block unintended traffic and better maintain security logs.