Governance & Risk Management , Government , Industry Specific

NASA Releases First Space Cybersecurity Best Practices Guide

Agency Set to Bolster Space Cybersecurity Efforts Across Public and Private Sectors
NASA Releases First Space Cybersecurity Best Practices Guide
Floating hundreds of miles above the Earth is no guarantee against being hacked. (Image: Shutterstock)

Ground control to the space industry: Take your static cybersecurity practices and upgrade them to a dynamic model. So says NASA's first-ever security best practices guide for space communications, part of an effort to make mission security requirements more accessible to the cybersecurity community.

The new guidance issued Friday aligns NASA's flight project parlance with security controls outlined in the National Institute of Standards and Technology catalog of security controls for government agencies, known as SP 800-53.

See Also: Zero Trust Unleashed: Keeping Government Secrets Safer Than the Crown Jewels

Cybersecurity "principles are meant to be easily achievable regardless of mission, program, or project size, scope, or whether international, corporate, or university," according to NASA. The agency said the goal of the guidance is to aid organizations in adapting to increasingly integrated and interconnected information systems and operational technologies for space systems and activities.

Consciousness about space vulnerabilities from hackers crossed a red line into reality with Russia's February 2022 attack on satellite broadband communication provider Viasat. According to a paper by German academics published in April, a survey of satellite developers included the admission that some orbitals outright lack cyber defense measures while many others count on "security by obscurity" as a deterrent. Documents leaked this spring by an air guardsman and reviewed by the Financial Times show the military is worried that China is using cyber weapons to "seize control" of satellites.

The guidance urges public and private sector organizations conducting space activities to establish a continuous process of mission security risk analysis and risk response in order to routinely identify and address security risks related to specific operations. NASA also advises organizations to apply the principles of domain separation and least privilege designs across their enterprises to better mitigate supply chain attacks and other operational vulnerabilities.

Misty Finical, deputy principal adviser for enterprise protection at NASA, said the guidance "represents a collective effort to establish a set of principles that will enable us to identify and mitigate risks and ensure continued success of our missions, both in Earth's orbit and beyond."

Reports detail a variety of challenges that organizations have faced in recent years while responding to emerging cybersecurity threats in space. A 2019 Government Accountability Office assessment found that the Department of Defense had struggled to adopt new approaches to protect U.S. satellites from cyberattacks by foreign adversaries and from the increasing threat of space debris.

NASA said in its guidance that threat actors can exploit ground systems to gain unauthorized access and maliciously interact with space vehicles and operations. The agency encouraged organizations to ensure only authenticated and authorized personnel and software are allowed access to space mission systems.

The guidance also recommends establishing a mediated access mechanism to help prevent unauthorized access to critical subsystems in the space segment, block unintended traffic and better maintain security logs.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.