The U.S. National Aeronautics and Space Administration (NASA) this week confirmed that its Jet Propulsion Laboratory (JPL) has been hacked. An audit document from the U.S. Office of the Inspector General was published by NASA this week. It reveals that an unauthorized Raspberry Pi computer connected to the JPL servers was targeted by hackers, who then moved laterally further into the NASA network. How much further? Well, the hackers apparently got as far as the Deep Space Network (DSN) array of radio telescopes and numerous other JPL systems.
The extent of the breach, which happened in April 2018, was such that the Johnson Space Center, with responsibility for programs including the International Space Station, decided to disconnect from the gateway altogether. The audit report states that, “Johnson officials were concerned the cyber attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems.”
If that sounds like pretty serious stuff, it’s because it is. What’s more, the report says that while the use of limited spacecraft data was restored in March this year, as of that date, “Johnson had not restored its use of all communications data because of continuing concerns about its reliability.”
Without going into the technical detail of every mistake identified by this audit, suffice it to say that it paints a very poor picture of JPL network security. Everything from poor IT asset visibility and shortcomings in security violation ticket resolution through to delays in patching known vulnerabilities was detailed by the auditors. All in all, it reads like a security basics 101 list that has been ignored. System administrators lacked security certifications, no role-based security training was in place and JPL, unlike the main NASA security operations center (SOC), didn’t even have a round-the-clock incident reporting capability.
According to information security analyst Mike Thompson, NASA is right up there when it comes to high-profile targets. “Many purely associate them with space related activities,” Thompson explains, “but their depth of research and development includes patents covering cutting edge science that nation states would literally kill for.” John Opdenakker, an ethical hacker, admitted in conversation this afternoon that “hackers might still be in their network, without them even knowing,” and pondered why the audit report was published now when there is no confirmation that all the problems have been fixed in the meantime. In fact, the report itself states that: “in spite of its efforts to protect these assets, critical vulnerabilities remain that place JPL at risk of cyber intrusions resulting in the theft of critical information.”
The sheer scale of the challenge that NASA faces from a cybersecurity perspective shouldn’t be underestimated, though. Scientists tend to default to collaboration, after all. “Imagine trying to do cybersecurity focused on advanced threat actors when many of the members of the scientific community work in those adversarial countries,” Ian Thornton-Trump, head of security at AmTrust International, says. “You can’t simply turn Russia off at the firewall, for example, when you are partnered with Russia,” Thornton-Trump concludes, “it’s almost mission impossible for NASA from an infosecurity point of view.”
Thornton-Trump’s comments resonate with the conclusion of the audit report which states: “the inability to protect against cyberattacks in general and advanced persistent threats in particular places the Agency’s status as a global leader in space exploration and aeronautics research at risk…”
I have contacted NASA for a comment and will update the story should one be forthcoming.
Update June 20 12:05 ET
In response to my request for a comment on this story, Karen Northon from NASA headquarters referred me to the agency’s response in the audit report. In a letter dated June 13 to the assistant inspector general for audits, Renee P. Wynn, NASA chief information officer, and Marcus Watkins, director of the NASA management office, address ten recommendations made in the audit report. NASA concurs with nine of the ten, giving estimated completion dates ranging from July 30, 2019 through to January 15, 2020. NASA did not concur with one of the recommendations, to establish a formal and documented threat-hunting process, stating NASA’s position as being “that this is not the responsibility of Caltech as a NASA contractor.”