NASA Spacecraft Lacks Cybersecurity Standards, GAO Finds – MeriTalk

NASA’s spacecraft development programs lack mandatory cybersecurity controls for acquisition policies and standards, placing the technology at risk of cyberattacks, the Federal government’s top watchdog said this week.

“As cyber threats become more prevalent, so do threats to NASA’s spacecraft – like the Orion Multi-Purpose Crew Vehicle,” a new Government Accountability Office (GAO) report warns. “A cyberattack could lead to losing critical data, or possibly losing control of the spacecraft.”

The space agency has taken steps in recent years to enhance its cybersecurity requirements, but GAO found that NASA’s most recent security guidance is not required for spacecraft programs.

In 2019, NASA identified a set of cybersecurity requirements for spacecraft to address. For example, NASA requires spacecraft to protect positioning, navigation, and timing systems, the 34-page report says. And in 2023, NASA issued a space best practices guide containing information on cybersecurity principles and controls, threat actor capabilities, and potential mitigation strategies, among other things.

“However, this guidance is optional for spacecraft programs. NASA officials explained that one key reason they have not yet incorporated this guidance into required acquisition policies and standards is because of the length of time it takes to do so,” the report says.

The GAO also found that NASA does not have an implementation plan and time frame to incorporate additional security controls into acquisition policies and standards. “As a result, NASA risks inconsistent implementation of cybersecurity controls and lacks assurance that spacecraft have a layered and comprehensive defense against attacks,” the report says.

In his response to the report, NASA CIO Jeffrey Seaton said that the agency “incorporates controls based on their specific type of cyber and risk threats” that could impact specific mission vehicles, from crewed spacecraft to small satellites. Seaton said that it’s “not feasible to develop one set of essential controls applicable to all types of mission spacecraft.”

In its report, GAO recommended that NASA develop an implementation plan with time frames to update its spacecraft acquisition policies and standards to incorporate essential controls required to protect against cyber threats.

While NASA agreed with the recommendation to update its policies, it disagreed with the need to establish a timeline for doing so due to concerns that “transitioning traditional cybersecurity capabilities into a space environment requires careful consideration to avoid impacts to the spacecraft’s objectives and the ability to operate safely.”

The government watchdog agency said it maintains its original recommendation because, without a plan, it is unknown when implementation would occur.