Outer-space hacking a top concern for NASA's cybersecurity chief
Source: NAFEESA SYEED
NASA scientists glean valuable data about powerful space explosions and the energy of black holes from their Swift and Fermi satellites. The projects were supposed to last a few years. Instead, they’ve survived for more than a decade.
That’s great for researchers but a challenge for Jeanette Hanna-Ruiz because of the projects’ aging computer operating systems. As the space agency’s chief information security officer, she has to secure the data sent to and from planet Earth against cyberattacks.
“It’s a matter of time before someone hacks into something in space,” Hanna-Ruiz, 44, said in an interview at her office in Washington. “We see ourselves as a very attractive target.”
Cybersecurity at the National Aeronautics and Space Administration extends from maintaining email systems at the agency’s Washington headquarters to guarding U.S. networks in Russia, where Americans serve on crews working with the International Space Station. The agency also has to protect huge amounts of in-house scientific data and the control systems at its 20 research centers, laboratories and other facilities in the U.S.
Among Hanna-Ruiz’s concerns is hackers breaching communications between NASA and one of its 65 spacecraft transmitting research data.
“There could be a company that wants it, there could be a nation-state that wants it,” Hanna-Ruiz said. The challenge, she said, is, “How do I harden these streams and communications flows?”
Her nightmare is a direct cyberattack on a satellite, perhaps even allowing adversaries to commandeer the controls.
Hanna-Ruiz, a lawyer, started her stint at NASA in August. She previously managed Microsoft Corp.’s consulting services and also served in cybersecurity advisory roles at the Department of Homeland Security and the White House during the Obama administration.
Her goal in the next 12 to 18 months, she said, is to “get control of our internal network” and work with the agency’s space missions on cybersecurity.
Last year, NASA reported 1,484 “cyber incidents,” including hundreds of attacks executed from websites or web-based applications, as well as the loss or theft of computing devices, according to the Office of Management and Budget’s annual report to Congress in March on federal cyber performance.
NASA aims to show “we’re leading the way in security — that’s the place we want to get to,” Hanna-Ruiz said.
Building secure rockets, satellites and other instruments before they’re launched is key. Engineers submit equipment to tests to see whether it can withstand space, from subjecting it to severe vibration to temperature checks in deep-freeze chambers.
“We have a lot of people who are focused on getting this particular thing to space,” Hanna-Ruiz said. “They may not be necessarily thinking of security. The truth is I don’t know if I want them to be thinking about security. I want them to be excited and passionate about going to space.”
So Hanna-Ruiz’s cybersecurity teams step in to look for vulnerabilities in coding, firmware and other areas. The agency is also working to “harden” old industrial-control systems, such as those used to launch spacecraft, according to Hanna-Ruiz.
“At NASA that’s a big conversation for us now: What is the most valuable data and how do we secure that?” she said.
NASA hasn’t sent people beyond low-Earth orbit since the final moon missions more than 40 years ago. But American astronauts travel to the International Space Station on Russian Soyuz capsules that take off from Kazakhstan. U.S. teams monitor NASA’s networks and data at the agency’s multiple offices across Russia.
“We’re always looking at those networks, we’re always looking at those systems to figure out if they’re vulnerable,” Hanna-Ruiz said, including data coming from the space station. “The great thing is NASA has a good history of working with Russia on space exploration and partnering with them to get our astronauts up to space, and that’s really worked out well for us.”
So far, that collaboration has endured amid tensions after U.S. intelligence agencies concluded Russia hacked into last year’s U.S. presidential campaign.
As Hanna-Ruiz works to bolster NASA’s cybersecurity, she says the agency’s center in Silicon Valley provides opportunities to connect with technologists attuned to the task.
“It would be great to have more people who are like aerospace engineers who have a background in cybersecurity, or who are Earth-science gurus and also have a cybersecurity background,” she said. “That niche of person is difficult to find.”