The war against space hackers: how the JPL works to secure its missions from nation-state adversaries

NASA’s Jet Propulsion Laboratory designs, builds, and operates billion-dollar spacecraft. That makes it a target. What the infosec world calls Advanced Persistent Threats — meaning, generally, nation-state adversaries — hover outside its online borders, constantly seeking access to its “ground data systems,” its networks on Earth, which in turn connect to the ground relay stations through which those spacecraft are operated.

Their presumptive goal is to exfiltrate secret data and proprietary technology, but the risk of sabotage of a billion-dollar mission also exists. Over the last few years, in the wake of multiple security breaches which included APTs infiltrating their systems for months on end, the JPL has begun to invest heavily in cybersecurity. I talked to Arun Viswanathan, a key NASA cyber security researcher, about that work, which is a fascinating mix of “totally representative of infosec today” and “unique to the JPL’s highly unusual concerns.” The key message is firmly in the former category, though: information security has to be proactive, not reactive. Each mission at JPL is like its own semi-independent startup, but their technical constraints tend to be very unlike those of Valley startups. For instance, mission software is usually homegrown/innovative, because their software requirements are so much more stringent: for instance, you absolutely cannot have software going rogue and consuming 100% of CPU on a space probe. Successful missions can last a very long time, so the JPL has many archaic systems, multiple decades old, which are no longer supported by anyone; they have to architect their security solutions around the limitations of that ancient software. Unlike most enterprises, they are open to the public, who tour the facilities by the hundred. Furthermore, they have many partners, such as other space agencies, with privileged access to their systems. All that … while being very much the target of nation-state attackers. Theirs is, to say the last, an interesting threat model. Viswanathan has focused largely on two key projects. One is the creation of a model of JPL’s ground data systems — all its heterogeneous networks, hosts, processes, applications, file servers, firewalls, etc. — and a reasoning engine on top of it. This then can be queried programmatically. (Interesting technical side note: the query language is Datalog, a non-Turing-complete offshoot of venerable Prolog which has had a resurgence of late.) Previous to this model, no one person could confidently answer “what are the security risks of this ground data system?” As with many decades-old institutions, that knowledge was largely trapped in documents and brains. With the model, ad hoc queries such as “could someone in the JPL cafeteria access mission-critical servers?” can be asked, and the reasoning engine will search out pathways, and itemize their services and configurations. Similarly, researchers can work backwards from attackers’ goals to construct “attack trees,” paths which attackers could use to conceivably reach their goal, and map those against the model, to identify mitigations to apply. His other major project is to increase the JPL’s “cyber situational awareness” — in other words, instrumenting their systems to collect and analyze data, in real time, to detect attacks and other anomalous behavior. For instance, a spike in CPU usage might indicate a compromised server being used for cryptocurrency mining. In the bad old days, security was reactive: if someone had a problem and couldn’t access their machine, they’d call, but that was the extent of their observability. Nowadays, they can watch for malicious and anomalous patterns which range from the simple, such as a brute-force attack indicated by many failed logins followed by a successful one, to the much more complex, e.g. machine-learning based detection of a command system operating outside its usual baseline parameters. Of course, sometimes it’s just an anomaly, not an attack. Conversely, this new observability is also helping to identify system inefficiencies, memory leakage, etcetera, proactively rather than reactively. This may all seem fairly basic if you’re accustomed to, say, your Digital Ocean dashboard and its panoply of server analygics. But re-engineering an installed base of heterogeneous complex legacy systems for observability at scale is another story entirely. Looking at the borders and interfaces isn’t enough; you have to observe all the behavior inside the perimeter too, especially in light of partners with privileged access, who might abuse that access if compromised. (This was the root cause of the infamous 2018 attack on the JPL.) While the JPL’s threat model is fairly unique, Viswanathan’s work is quite representative of our brave new world of cyberwarfare. Whether you’re a space agency, a big company, or a growing startup, your information security nowadays needs to be proactive. Ongoing monitoring of anomalous behavior is key, as is thinking like an attacker; reacting after you find out something bad happened is not enough. May your organization learn this the easy way, rather than joining the seemingly endless of headlines telling us all of breach after breach.

Leave a Reply