It’s not surprising NASA has a lot of technology to protect — it is, after all, the agency that put men on the moon. But the space agency is now taking steps to enhance its cybersecurity, in part by embracing a key Department of Homeland Security program and also by coordinating its own efforts internally.
In November, NASA began implementing the first phase of the DHS’s Continuous Diagnostics and Mitigation (CDM) program, a NASA official told FedScoop. Meanwhile, following a report from NASA’s Office of Inspector General about safety concerns regarding the agency’s operational technology, NASA says it is working to harmonize its cybersecurity efforts.
In 2013, DHS teamed up with the General Services Administration on a five-year, $6-billion effort to give civilian agencies the tools and services required to monitor their IT systems and then respond almost instantaneously to vulnerabilities. CDM allows agencies to identify cybersecurity risks on an ongoing basis, and then prioritize the risks based upon how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first, according to DHS.
The first phase of CDM focuses on securing endpoints, managing hardware and software assets, as well as configuration management and vulnerability management. The second phase focuses on access control management; security-related behavior; and managing credentials, authentication and privileges. Most agencies are still on the first phase of the program.
NASA Tackles Cybersecurity via CDM
The CDM program is allowing NASA to address a long-overdue need for enhanced security tools, Willie Crenshaw, CDM program executive in the IT security division of NASA’s Office of the CIO, told FedScoop.
“That’s been a long-standing issue in the past, both when I was a contractor to the federal government and now being a federal worker. It was always: we know what’s out there, we know the tools are available, we know the capabilities are available, but the budgets weren’t always there,” Crenshaw says. “And then also, technology changes so quickly, that you buy a tool and then by the time you buy it and implement it, it’s pretty much obsolete.”
CDM allows NASA to adopt best-of-breed cybersecurity tools, as well as services and an agency partner in GSA to help integrate the tools, Crenshaw says. NASA is underway with the first phase of CDM and has started on the second. NASA expects to finish phase one by the end of fiscal year 2017 (the end of September 2017), Crenshaw told FedScoop.
Crenshaw says NASA’s largest challenge with the first phase of CDM has been understanding the scope of what needed to be done. “It’d have been difficult to cover the entire agency if we had not had something driving this, and CDM has been driving us to get these capabilities in place,” he said.
Since NASA is such a large agency — it has more than 17,000 employees — Crenshaw says that, as the agency’s internal CDM team goes through the deployment of the program, it is both trying not to break anything and also communicating what is happening at all levels of the agency. That is allowing NASA to educate employees on cybersecurity.
“When you educate people as to — here’s what we’re trying to do, here’s what we need to protect, here’s what we’re protecting, you kind of learn a lot more about the organization as a whole because now you know what you’re protecting and know what work everyone is doing,” he says.
Crenshaw says he’s learned a lot as well. “I’m learning exactly what each mission does, and how they’re operating, what’s important to them,” he says. “And you can see what your crown jewels are for your agency and for your corporation, and protect that.”
NASA Must Protect its OT
Meanwhile, NASA has another cybersecurity challenge on its hands. The agency’s inspector general issued a report in February that found that NASA has not adequately defined its operating technology (OT), developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components. “NASA needs to know which systems incorporate OT components because applying traditional IT security practices to OT systems can cause the underlying systems to malfunction,” the report notes.
Laura Nicolosi, director of mission support at NASA’s inspector general office, told Federal News Radio that NASA defines critical infrastructure as essential facilities, mission services, equipment and interdependencies that enable the agency to fulfill its national goals and agency mission. “Given that very broad definition, many mechanisms fall under that category,” she says, including everything from systems that support satellites to rocket propulsion test beds. Those systems need to be protected, especially as they get further entwined with IT.
The report highlights the case of a large-scale engineering oven that uses OT to monitor and regulate its temperature. The oven lost that ability when a connected computer was rebooted after a security patch update was applied, which was intended for standard IT systems, according to Laura Nicolosi.
The reboot caused the control software to stop running, which resulted in the oven temperature rising and a fire that destroyed spacecraft hardware inside the oven. The reboot also impeded the activation of an alarm, which left the fire undetected for three and a half hours before it was discovered by an employee, the report notes.
“Our concern really stems from OT components and systems being built now with sophisticated IT technology, and communicating more and more today over IT networks using the same or similar protocols as are used in traditional IT networks,” Nicolosi says. “So this convergence, if you will, of IT with operational technology presents several unique security challenges.”
NASA needs to protect operational technology such as rocket propulsion test beds. Photo credit: NASA/Wikimedia Commons
First, security solutions designed for IT systems may not be immediately transferrable to an OT environment, according to Nicolosi. Additionally, she says, “many legacy OT system components use small processors with limited computing capabilities, making it difficult to run even basic malware protection software or other security applications.”
Since OT systems often control sensitive physical processes like cooling or heating that must operate continuously, NASA must take great care to minimize operational disruptions when applying security controls designed for IT systems, she adds.
Further, OT systems often use specialized, proprietary software that have vulnerabilities that cannot be identified using traditional IT tools, according to Nicolosi. And OT components tend to have long life cycles, which means embedded software may continue to operate long after the manufacturer has stopped providing IT support.
“So, once connected to an IT network, of course, the same vulnerabilities exist that could impact your standard IT networks and data, but then you’ve got these special vulnerabilities that pertain specifically to those environments that are a hybrid of IT and OT components,” Nicosoli says.
There are different offices at NASA that manage the elements of its critical infrastructure: The Office of Protective Services, the Office of Strategic Infrastructure and the CIO’s office.
The report recommends, among other steps, that NASA “develop a framework to coordinate security efforts” across the agency, and that it “develop a standardized process to assess agency cyber and physical assets for NASA critical infrastructure.”
NASA says that its recently launched Enterprise Protection Program will focus on protecting critical capabilities and technologies, and it’s developing a plan to coordinate security efforts across the agency and promote enterprise-level solutions.
In terms of CDM, the report notes that “while implementation of the CDM security tool suite may not address security concerns in all of NASA’s OT environments, proper identification of the agency’s OT systems along with the implementation of a network segmentation strategy — results anticipated from the CDM initiative — should bring much needed cybersecurity resources to projects that have otherwise been left without comprehensive cybersecurity management.”