NASA releases Space Security Best Practices Guide for mission cybersecurity in interconnected space

The U.S. National Aeronautics and Space Administration (NASA) released the first iteration of its Space Security Best Practices Guide to bolster mission cybersecurity efforts for public-sector and private-sector space activities, as space missions and technologies grow increasingly interconnected. The document aims to provide best practices for adapting to these new challenges and implementing safety and security measures. It also leverages security controls as defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and serves as a translation guide between NIST verbiage and NASA flight project parlance.

The Best Practices Guide provides guidance specific to missions, programs, and projects not already covered in the existing NPRs and Standards. This guide does not replace agency requirements for missions to develop a System Security Plan (SSP) as identified in NPD 2800.1, NPR 2810, and NPR 7120.5. Due to the significant architectural, developmental (lifecycle), and operational differences between the space mission and ground segments, this document sets forth principles in both space mission and ground segments.

“At NASA, we recognize the importance of protecting our space missions from potential threats and vulnerabilities,” Misty Finical, deputy principal advisor for Enterprise Protection at NASA, said in a media statement. “This guide represents a collective effort to establish a set of principles that will enable us to identify and mitigate risks and ensure continued success of our missions, both in Earth’s orbit and beyond.”

In terms of both information systems and operational technologies, space systems are becoming more integrated and interconnected. These developments carry benefits – NASA and other organizations have unprecedented new possibilities for working, communicating, and gathering data in space. But new, complex systems can also have vulnerabilities. The guide reflects NASA’s continued commitment to helping develop clear cybersecurity principles for its space systems, encapsulated in its Space System Protection Standard. 

The principles in the guide are meant to be achievable regardless of mission, program, or project size or scope, and whether the effort is international, corporate, or university. The principles selected focus on a risk-based approach to mitigating vulnerabilities that are impediments to mission success. Principles were identified as an initial starting point of critical implementations for missions to consider. The underlying security principles and associated controls were identified through an iterative process to address the prevailing TTPs (tactics, techniques, and procedures) that cyber hackers have used in attempts to compromise mission capabilities.

The Best Practices Guide is to be used as an initial starting point to mitigate against any efforts to deny, degrade, disrupt, deceive, or destroy information and technology used to accomplish NASA’s mission success. The agency developed the handbook to further support the goals of Space Policy Directive 5, Cybersecurity Principles for Space Systems. NASA will collect feedback from the space community to integrate into future versions of the guide.

In addition to the principle language and rationale, there are four additional pieces of information (controls): Aerospace Space Threat Actor Capabilities, MITRE ATT&CK Threat Actor Tactics, NIST 800-53 Revision 5 applicable cybersecurity controls, and Space Mission Security and Protection Key Performance Parameters.

There are seven Threat Actor Capabilities tied to the original Aerospace Technical Operating Report (Aerospace TOR-2021-01333), where the cyber hacker may invoke multiple capabilities. These include the ability to access networks, discover and exploit vulnerabilities, defeat cryptography and authentication, command and control sophistication, affect cyber and/or physical systems, gain physical access, and sophistication of human influence.

Additionally, the MITRE ATT&CK Threat Actor Tactics were explored to provide the reader with potential paths for mitigations, as the NASA guide identified. “There are twelve tactics that were introduced from Industrial Control Systems (ICS) or Operational Technologies (OT). Why would one use ICS or OT tactics vs traditional cybersecurity tactics on a space mission system? ICS and OT systems have very similar requirements to space mission systems for timing and are often networked together,” it added. 

The MITRE ATT&CK Threat Actor Tactics used were Initial Access, Execution, Persistence, Privilege Escalation, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Inhibit Response Function, Impair Process Control, and Impact.

The Best Practices Guide said that the Space Mission Security and Protection Key Performance Parameters were used to round out the risk-based approach. These key performance parameters are divided into three areas, or pillars, to ensure a space mission system's survivability/resiliency: prevent (design principles that remove the likelihood of cyber events); mitigate (design principles that reduce the impact and/or likelihood of cyber events); and recover (design principles that enable resiliency and restoration of capabilities impaired due to a cyber event).

The NASA guidance outlined that space-based mission systems often have multiple operating systems on a variety of processors that often need to be protected (except the command link). “Further since Government and commercially developed spacecraft are currently incorporating common standards and architectures such as TCP/IP and UDP in their design to enable systems interconnection and communication,” it added.

Additionally, the Best Practices Guide addresses the incorporation of newer technologies, such as artificial intelligence (AI) and machine learning (ML) applications, that will potentially expand the protection needs. As the integration and interconnection of systems continue in the future, it is important to consider the spacecraft from both information system and operational technology views. Also, protecting increasingly complex space systems will necessitate the adaptation and implementation of Best Practices as they relate to design, intended operations, interconnections, and zero-trust perspectives.

As there is no risk management framework for end-to-end integrated space mission systems, combining these four practices provides the beginnings of an informed risk management framework for space missions. This combination will eventually enable engineers, program managers, and leaders to make informed risk management decisions for space mission cybersecurity and protection based on a system similar to what already exists for other risk decisions that are comfortable and known. This system will be developed in the second release of the guide.

Last May, the U.S. Department of State released a framework to promote and explain the nation’s policy on cybersecurity and information and communications technologies (ICTs) in space, space-related critical infrastructure security and resilience, and space asset resiliency on the international stage.

The European Council has more recently approved conclusions on the initial EU Space Strategy for Security and Defence. The Council emphasized the EU’s enduring dedication to international law and the values and guiding principles established within the United Nations framework. Additionally, EU member states have reaffirmed their readiness to continue working to establish norms, rules, and principles of responsible behaviors across the full range of space activities.
