Forcing Cybersecurity in Space

The National Aeronautics and Space Administration (NASA) is known for developing, designing, and operating some of the most technologically advanced and important space missions, such as the Mars Rover, James Webb Telescope, Artemis moon missions, and the lunar gateway. NASA continues to push the boundaries of science and technology in space, albeit at a slower pace than its commercial competimates, it is usually at a much larger scale. Being at the tip of the spear means ensuring all aspects of the missions are thought about and designs are in place to account for these aspects. One aspect of space missions that NASA has not been a leader in is the incorporation of Cybersecurity into their designs, but that may change in the not to distance future. The Spacecraft Cybersecurity Act has been introduced to the House of Representatives. If this act is passed NASA could very well have to holistically change the way they procure and build spacecraft. ‘NASA would have to incorporate rigorous cybersecurity measures from the very start of the design and development process in an effort to protect them against attack’1. A recent Government Accountability Office (GAO) report found while NASA has cybersecurity requirements in operations, NASA is lacking in requirements and mandatory guidelines for ensuring cybersecurity protections and best practices are in the font end of the development life cycle. ‘The GAO report found alarming vulnerabilities in NASA’s current cybersecurity practices.’1.

We have discussed in class the lack of cybersecurity emphasis the civil side of space development. We have even discussed different ways we could get the civil side to place a higher priority on cybersecurity in their development. The Spacecraft Cybersecurity Act is a way the civil side of the space industry would have to place an emphasis on this design aspect and the testing of it.

The Act is currently introduced to the House and still has a ways to go to become law, but if it does NASA would have 270 days to update its acquisition policies to incorporate a stricter Cybersecurity posture.

A few of the cybersecurity mitigations that NASA could employ to help adhere to the Act consist of;3

  • Consider the entire system when developing cybersecurity plans, Ground Segment, Space Segment, Link Segment, and User Segment
  • Deploying network segmentation and segmentation principles and employ strong encryption where possible.
  • Develop robust supply chain security plans and programs
  • Implement network security governance policies
  • Employ the concept of least functionality
  • Ensure supply chain vendors are employing proper cybersecurity measures
  1. https://www.space.com/nasa-science-missions-at-risk-from-hackers-new-law-could-protect, Sharon Lemac-Vincere
  2. https://www.congress.gov/bill/118th-congress/house-bill/8965/all-actions
  3. https://www.cisa.gov/sites/default/files/2024-06/Recommendations%20to%20Space%20System%20Operators%20for%20Improving%20Cybersecurity%20%28508%29.pdf