This is Major Tom to Ground Control – You’ve Really Failed the Grade

Joanne Lennon, Senior Manager, Product Marketing. Published 28 Apr 2021.

The hackers who breached NASA do not care… Now it’s time to face the fall-out if you dare

Fifty years ago, July 1969, David Bowie released his iconic ‘Space Odyssey’ song, NASA launched Apollo 11, and astronauts took their first steps on the moon. It was a momentous time in the history of space travel.

Little did NASA or any of us know back then that, fifty years later, the danger would lurk not on some unknown planet but in a different type of world: the ‘online’ world.

We can all be excused for this oversight since back then the ‘online’ world was yet to be discovered. There was no Internet or Wi-Fi. Acronyms such as BYOD and IoT would only take meaning decades later, and Raspberry Pi was still thought of as a dessert, not a small computer vulnerable to attack.

Fifty Years Later

The world is a very different place today. We live in the era of the Internet, where everyone and everything is connected. NASA is no exception; they have networks that control spacecraft, collect scientific data, and perform critical operations. Like other organizations, their networks are constantly under attack by cybercriminals.

A report published last month by the NASA Office of the Inspector General outlined the findings of its investigation into a security breach affecting NASA’s Jet Propulsion Laboratory (JPL) in March 2018.

In summary:

  • An account belonging to an external user was compromised.
  • The attackers accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the network.
  • The attackers exfiltrated ~500MB of data, including International Traffic in Arms Regulations information related to the Mars Science Laboratory Mission.
  • The network’s architecture allowed the attackers to expand their access upon entry and move laterally across the network.
  • The attack went undetected for nearly a year.
  • Officials were sufficiently concerned about the possibility of the cyber-attackers moving laterally into their mission systems, and potentially gaining access and initiating malicious signals to human space flight missions, that they opted to disconnect the International Space Station temporarily.

The Cyber-Attack ‘Narrative’

The comprehensive NASA report makes for an interesting read – not because the breach is different from other breaches you read about, but instead because of how eerily similar the cybersecurity attack ‘narrative’ has become.

For example, the narrative typically goes as follows:

  • A network is breached – often due to a device connected to it that no one knew about
  • The hacker goes unnoticed for an unspecified period
  • The hacker roams around the network causing more damage
  • The breach is finally detected
  • An investigation is launched, and preventive steps are taken

In many ways, the NASA breach is no different from the Sony Pictures breach back in 2014, or many other breaches. The Sony breach resulted from a compromised password. However, the real damage occurred due to the unprecedented breadth and sensitivity of the data that the hacker gained access to as they roamed at will and unnoticed on the network for months. The data included everything from employees’ personal information to yet-to-be-released movies and executive emails.

A Monumental Challenge

Like space travel was fifty years ago, cybersecurity is a monumental challenge faced by society today. While we may not have all the answers, as we learn about more attacks and their similarities, there are some points worth repeating. Specifically:

1) No company is immune from cyber-attacks

If cyberattacks and data breaches can happen to the world’s best-known brands – NASA, Sony, Target, Home Depot, Saks, British Airways, T-Mobile, and others – they can happen to any company. No company can take security for granted. Tackling security is a journey, and a multi-layered approach is critical.

2) Network visibility is essential

In the NASA breach, the Raspberry Pi had been attached to the network by an employee; however, insufficient security controls meant that NASA administrators did not know it was there. That oversight left the device unmonitored on the network, allowing the attacker to take control of it and use it to steal data. Not only are many businesses unaware of the endpoints connected to their networks, but they also lack the in-depth visibility to know what devices are communicating, where, and with whom. Network security requires visibility. Investing in analytics is a great place to start, as discussed in the 6 Things You Need to Know About IoT Security in 2019 blog post.

3) Contain the damage with network segmentation

One of the most overlooked security strategies continues to be network segmentation and isolation. It is critical to segment a network and give users and devices access only to the information and parts of the network they need. If a person has malicious or criminal intent, the potential for damage can be contained, as highlighted in the How the Right Network Design Can Prevent a Catastrophic “Headline-Making” Security Attack blog post.
