Psyche Review Finds Institutional Problems at JPL

Psyche is a JPL mission to study an asteroid orbiting between Mars and Jupiter. The asteroid is unique because, given its nickel-iron makeup, it is suspected to be from the core of a planet. The mission missed its launch window earlier this year due to delays in the development and testing of its flight software. After this delay, NASA commissioned an independent reviewer to investigate.

A report was published with the findings. While the review agreed that development and testing of the flight software had been delayed, it also reported more systemic findings. Unresolved software issues, incomplete verification and validation of vehicle systems, and insufficient preparation for mission operations may also have been contributing causes. The root cause of this was found to be the inability to hire and retain technically sound engineers.

This raises a couple of cybersecurity concerns. If the flight software was insufficiently tested and implemented, it seems likely that cybersecurity was put on the back burner as well. Also, if JPL is having trouble hiring and retaining skilled engineers, the steady flow of employees in and out leaves it more vulnerable to attack.

In 2019, another report was released by the US Office of the Inspector General detailing breaches from the previous ten years. There was a wide variety of incidents, involving both individuals and nation-state actors, in which data was stolen from critical missions, including launch codes and flight trajectories. Recommendations included ensuring inventory tracking of assets, improving incident response and ticketing procedures, implementing a security training program, and more. All of these recommendations are more difficult to implement if employees are coming in and leaving frequently, especially since JPL has adopted a hybrid approach since the pandemic.

I believe it would be beneficial to adopt a limited-permissions architecture where access to systems is granted on an individual basis and continuously re-evaluated based on location, the exact information needed, etc., especially if JPL plans to continue to offer a hybrid approach for their engineers. More oversight would also be a good idea to continuously check in with employees.

Sources:

Psyche review finds institutional problems at JPL

https://www.attackiq.com/2019/06/24/nasa-jpl-breaches-a-reminder-of-basic-cyber-security-hygiene/