NASA's cybersecurity framework for spacecraft development is inconsistent and must be improved, according to a 34-page review by the U.S. Government Accountability Office.
The GAO report highlighted the need for mandatory cybersecurity updates throughout the space agency's $83 billion space development project portfolio.
The U.S. government agency urged NASA to develop a plan with timeframes for policy updates.
The review focused on three projects managed out of three different research centers: the Gateway Power and Propulsion Element, the Orion Multipurpose Crew Vehicle, and the Spectro-Photometer for the History of the Universe, Epoch of Reionization and Ices Explorer.
While contracts for reviewed projects include cybersecurity requirements, the space system protection standard, NASA-STD-1006, approved in October 2019, provides limited guidance for cybersecurity.
Warner warned that this could lead to severe consequences, such as unauthorized access to sensitive data or even the compromise of mission-critical systems, making it easier for attackers to breach systems before they reach space.
The GAO cautioned that the implementation timing remains uncertain without a clear plan, posing risks of inconsistent cybersecurity controls and inadequate defense against cyber threats.
NASA's space projects involve significant investments and operate in a high-threat cyber environment.
Addressing these vulnerabilities is crucial for mission protection and success.
Narayana Pappu, CEO at Zendata, pointed out that in recent years, nation-states, and insider threats, have targeted NASA and its affiliated organizations to steal employee information, mission data, and other sensitive information.
In his response to the report, NASA CIO Jeffrey Seaton outlined the challenges in developing one set of essential controls applicable to all types of mission spacecraft due to their diversity.
Pappu suggested following a microservices or modular architecture of controls, which would allow customizability for each mission without introducing duplication in measures, controls, and approaches.
It's not only advisable but necessary to treat cybersecurity as an essential and non-negotiable aspect of operational strategy, said Warner.
This requires implementing well-thought-out governance policies and standards that incorporate the unique risk of these systems across platforms and interoperable systems to protect controls, sensitive information, supply chain security, economic loss prevention, customer trust, and resiliency against evolving threats.
Autonomous threat, anomaly, and drift detection are among the ways artificial intelligence and machine learning could help reduce NASA's cyber risks.
AI could significantly enhance cybersecurity by rapidly processing vast data sets to detect anomalies and threats more efficiently than human operators.
These technologies are force multipliers in security strategies against evolving threats, ensuring defenses are updated based on fresh data.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 09 May 2024 23:13:05 +0000