Legislation now calling for spacecraft manufacturers to create cybersecurity plan when working with NASA

The Spacecraft Cybersecurity Act would require NASA to secure a cybersecurity protection plan from manufacturers.

The Spacecraft Cybersecurity Act was introduced in the House this past summer. The legislation would require NASA to secure a cybersecurity protection plan from manufacturers applying to use federal dollars to build NASA spacecraft. The introduction comes after thousands of cyberattacks from malicious actors, including China and Russia, have been launched against NASA, threatening the safety of Americans, including our astronauts. So what can and needs to be done to make sure cyber protections are considered during the manufacturing stage? Shane Fry, chief technology officer of the software security firm RunSafe Security, joined The Space Hour to discuss.

Interview transcript:

Shane Fry As we look at more commercial spaceflight happening with SpaceX and Blue Origin and others, there’s really been an emphasis on “what’s the mission?” And appropriately so. If we don’t put something in space, if we can’t carry out the mission in space, there’s no point in doing cyber. But as time goes on we’re doing software updates on the Mars rover on another whole planet. That’s crazy. And that’s really cool. But we’ve got to make sure that those processes are secure. We’re doing a lot of communication of data and information from sensors on the space station and other spaceships. And so we really need to start thinking about how we secure those systems. And NASA’s had a requirement since, I think, 2019 to have cybersecurity requirements for the missions they fly. But we really haven’t seen a whole lot in terms of flow down requirements to the contractors doing that work. And especially not as we look at the whole ecosystem of something that’s flying in space. Easy to say, well, hey, I can talk to the ISS. We have conversations with astronauts daily, so we can have conversations, which means we can have cyber attacks that can be through those same vectors. It’s also important to be thinking about the entire lifecycle of a spacecraft. It’s not just when it’s orbiting in space or when it’s launching and going into space, but also design and manufacturing those systems that are flashing software onto engine controllers and thrusters and things like that are all prone to compromise, whether that’s insider threats or malicious adversaries. And it’s really pertinent with the war in Ukraine right now where we see SpaceX putting Starlink out there and saying, Ukraine, you can use this and then maybe pulling that back a little bit. But then recently Russia came out and said, hey, if the West doesn’t stop interfering in our stuff over here, we might take out GPS and other satellites in space.
So we’ve got a direct threat from a nation state actor now on space assets.

Eric White Yeah, when a threat is made like that and maybe when it’s not perfectly laid out for us, what is the first response that should be done to protect what they are threatening to go after? And what are some of the considerations that have to be made when shoring up cybersecurity for satellites and ground control, you name it? There are plenty of targets that they can take their pick from.

Shane Fry Yeah. Well unfortunately, when the threat’s made, you’re a little behind the power curve to start thinking about cyber. And so I think there’s kind of a practical approach, which is what’s the feasibility? Let’s take a look at how these systems are designed, how they’re communicating, what ground stations are they talking to? How often are they in a line of sight for a nation state or a bad actor to actually target them? And that’s one of the unique things about space, especially as we think about satellites and things like that, where you don’t have 100% of the day that you can talk to it because it’s going to fly out of comms reach. And so really getting a good risk assessment for how do we interact, what could someone do from an adversarial perspective? And are there any holes that can be fixed easily? Can we even patch them? There’s definitely some satellites that are in operation that probably don’t have software update capabilities. Those are just going to kind of be out there. There’s not much you can do there. But for more modern satellites that have stuff for update mechanisms, how quickly can we get software patched up there? For ground stations, what all do we need to do to secure those? Those are much easier to do software updates to apply updated software, open source software that you’ve got or deploy any new fixed versions of software that maybe you’ve been waiting because you didn’t want to drive somebody out to the ground station. Now, you can kind of look at that perspective, but then I think you’ve also got to look at future missions. I don’t think it’s a shock to anybody that’s been in the military space, the Department of Defense space, that nation states might want to attack space assets. And so we really ought to be thinking about what are we doing to secure new missions that are going up, as well as retrofitting existing space infrastructure and space assets with as much cyber as we can.

Eric White So, yeah, what are we doing and also what can we be doing? What action can Congress and these agencies take to ensure that they answer all of those questions before we keep on keeping on with sending more stuff up there?

Shane Fry Yeah, I mean, I think the first is Representative Frost put a bill out in July of this year that’s trying to follow those cybersecurity requirements for NASA to the contractors. And they’re looking at the big picture, not just the asset going into space, but everything along with it and really putting a timeline on it. Because one of the things that I’ve seen in cyber spaces as far as like regulations go, is oftentimes Congress has said you must do cyber. Well, what does that mean? Is it incident response? Is it antivirus? Is it secure design principles? Is it software bill of materials? What is the actual thing you have to do? And so programs drag their feet. Organizations drag their feet in doing that. And so that’s one of the things I really like about this Spacecraft Cybersecurity Act is that it puts NASA on a timeline. I think it’s 270 days for them to put a plan together for how they’re going to push these requirements and enforce those requirements on their contractors. And I think that’s a huge thing. A lot of the work that CISA is doing around secure-by-design should apply to space as well. A lot of that work has really been focused on critical infrastructure and space assets, I think, fall under that, but depends on who you talk to. And I think a lot of those principles are important in space as well. People in the space community do a lot of safety things, which is great, but safety and cybersecurity aren’t always the same thing. And just because you’re safe doesn’t mean you’re secure.

Eric White Yeah. What are some of the unique challenges to implementing some cyber measures for space hardware and software? You mentioned how CISA is taking a real close look at all the work going around critical infrastructure. It’s not just applying what you do to a water treatment plant, to a GPS satellite. I mean, what is it about space hardware and software that really needs to be hemmed in and looked at when trying to get some sort of cybersecurity measures in place?

Shane Fry Yeah, I think the first obvious challenge is size and weight. If we design some sort of hardware that’s got to go into space, everybody in that community understands that any additional weight that you add onto the system is more weight, more fuel that you need to get into space. And there’s a lot of redundant systems on spacecraft, which is great. But if that means that you’ve got to employ an additional computer on that system, you’ve now got to do two potentially or three. And so that’s a lot of extra weight you’re adding to do cyber. So we’ve got to find ways to do cybersecurity protections that don’t require additional hardware upgrades or even additional hardware entirely that wasn’t part of the mission plan. And that can be challenging. There’s definitely some solutions out there that kind of fit that space, but a lot of times people are trying to think about how do I take IT solutions for security and apply them to critical infrastructure, apply them to space. And we’ve seen that in some requirements coming down from various DoD organizations where you need to have a complex password on something that doesn’t have a human touching it. So how does that work? We need to be focused in on how can we actually do this for space in ways that make sense? And encrypted communications is one of them, being able to have security of the communications going to and from the device. But we also need protections. A lot of software running in space is in low level languages. It’s in Assembly, it’s in C or C++. And so we need solutions that can help protect against memory corruption vulnerabilities, where an adversary can use an external interface or sensor or a wireless communications interface and take over that space system. And that’s a scary thought.
So we really need to focus in on the whole picture and then find solutions that aren’t bolting on additional hardware because obviously you can’t do that for systems that are in space and it’s more expensive to do for systems that are on the ground and still being developed.

Eric White More and more of the devices up there are owned by it, and you’re from the commercial side, so I wanted to ask what role the commercial side of the commercial space industry has to play in making sure that it’s not sending up vulnerable devices that are just going to cause headaches for everybody both in the private and public sector.

Shane Fry Yeah, it’s really an important thing that I don’t think gets enough focus, really. When SpaceX launched all the Starlink satellites, there was a lot of talk about congestion in space, and adding all these satellites that are going to eventually have to go out to pasture in space. And while space is big, we still don’t want large debris fields. But from an adversarial perspective, if a nation state were to target those Starlink satellites and alter their burn or their trajectory in space, their orbit, you can have major impacts to ability to service, but also threats to other critical infrastructure in space. So commercial, as we’re seeing more and more things go into space, if those get attacked by malicious actors, bad things can happen. We think about often in space community, we don’t want to have another Challenger incident. And we’ve taken great strides to improve on the physical side of things, of how we get in the space safely and return. But we’re not really there on the commercial side for cyber. And as I watch the Boeing capsule come back from the Space Station recently it’s great that we’ve got a plan to get those astronauts back. But it would be really bad for Boeing if a cyberattack had targeted that capsule on its way back. It’s a fully autonomous system, no human that can intervene. Things could have been tragic if that had gone poorly. Think about how it’s coming back in and landing. So if it doesn’t land in White Sands, but if it lands over [Los Angeles] or somewhere else, that could be a very deadly incident. And cyber really needs to be at the forefront of these commercial companies putting stuff in the space.

Eric White And doing my journalistic responsibility to end things on the lighter side: What is it about some strides that we’ve made in this arena that is a bit of good news? And it’s obviously not too late. Things are still running pretty smoothly because of the hard questions being asked by regulators. And that process is what it is, but there’s a reason for it. What’s good about this that’s going on right now?

Shane Fry Yeah, I mean, I think there are definitely going to be companies that are looking at spaceflight going, hey, we’ve got to get ahead of the cybersecurity requirements that are coming or we want to do it because it’s the right thing. One of those companies, Emergent Space Flight, they’re ahead of the game when it comes to cybersecurity of their spacecraft. And that’s kind of interesting. There’s not necessarily a monetary gain to be had there, but they understand it’s the right thing to do. And they’re working with us to secure their systems in space. And I think we’re going to see more of that, especially as we get towards space tourism. It’s really exciting, the prospect of being in space as a human, like that’s something that we really need to accomplish in life. And as we see more space tourism coming up there’s going to be companies that want to get that cybersecurity right to make people feel comfortable. So I think there’s definitely people leading the space and we’ll see more of that.

Copyright © 2024 Federal News Network. All rights reserved.