June 26, 2019

Attackers have hacked into NASA, making off with mission data from the space agency’s Mars rover landings.

The breach affected NASA’s storied R&D division, the Jet Propulsion Laboratory (JPL) – and went undetected for 10 months.

JPL discovered in April that one of its accounts owned by an external supplier had been hacked. The criminals used the access to roam the network and steal some 500 megabytes of data from the laboratory’s mission systems.

The breach had its own unique launch pad. Attackers exploited a Raspberry Pi, one of the small, inexpensive, single-board computers developed in the UK to promote teaching of basic computer science in schools. It was attached to the JPL network without authorisation and used for account access.

NASA isn’t saying who was behind the intrusion or who connected the tiny computer (RRP £25.00) to its systems. The agency’s oversight body isn’t well pleased with the apparent weaknesses in its cybersecurity posture.

A pattern of cyber-passivity

A report by the Office of the Inspector General says the JPL has seen several notable cybersecurity incidents over the past 10 years that compromised major parts of its IT infrastructure.

Numerous shortcomings in NASA’s network security controls left systems and data at risk, limiting the JPL’s ability to detect attacks on its systems and networks.


The Raspberry Pi incident happened because of ‘reduced visibility into devices connected to NASA’s networks’. New devices added to the network weren’t always subject to cybersecurity checks, and the agency didn’t know which devices were connected to its network.
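An added example, not taken from the OIG report or from NASA: one way to close this visibility gap is to reconcile the devices actually seen on the network against the asset inventory, flagging anything unknown or registered without a security review. The lease lines (in dnsmasq's lease-file layout), the inventory CSV columns and every address below are constructed for illustration.

```python
import csv
import io

# Constructed sample data (not from the OIG report). Lease lines follow the
# dnsmasq lease-file layout: expiry-epoch, MAC, IP, hostname, client-id.
LEASES = """\
1561500000 00:11:22:aa:bb:01 10.20.0.11 eng-ws-01 01:00:11:22:aa:bb:01
1561500300 00:11:22:aa:bb:02 10.20.0.12 lab-printer *
1561500600 B8-27-EB-12-34-56 10.20.0.57 raspberrypi *
not a lease line
"""

# Hypothetical inventory export: an empty security_review means the device was
# registered but never went through a security check.
INVENTORY = """\
mac,owner,security_review
00:11:22:AA:BB:01,j.doe,2019-01-14
00:11:22:aa:bb:02,facilities,
"""

def norm_mac(mac):
    """Canonicalise a MAC so 'B8-27-EB-..' and 'b8:27:eb:..' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_inventory(text):
    """Index inventory rows by canonical MAC address."""
    rows = csv.DictReader(io.StringIO(text))
    return {norm_mac(r["mac"]): r for r in rows}

def reconcile(lease_text, inventory):
    """Return findings for devices seen on the network but unknown or unvetted."""
    findings = []
    for line in lease_text.splitlines():
        parts = line.split()
        try:
            mac, ip, host = norm_mac(parts[1]), parts[2], parts[3]
        except (IndexError, ValueError):
            continue  # skip malformed lines rather than abort the whole run
        record = inventory.get(mac)
        if record is None:
            findings.append(("UNKNOWN_DEVICE", mac, ip, host))
        elif not record["security_review"].strip():
            findings.append(("NO_SECURITY_REVIEW", mac, ip, host))
    return findings

if __name__ == "__main__":
    for finding in reconcile(LEASES, load_inventory(INVENTORY)):
        print(*finding)
```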

In addition, the audit noted …

  • Lack of network segmentation, which cybercriminals exploited to move laterally between connected IT systems.
  • Security log tickets for adding software patches or updating system configurations sometimes sat unresolved for more than six months.
  • The system hacked using the Raspberry Pi could have been patched for that vulnerability, but hadn’t been.

Finally, some of the breached systems were connected to NASA’s International Space Station. Security teams actually disconnected the space station from the JPL network for a time due to fears that cyberattackers might gain the ability to access space station mission systems and send malicious signals to astronauts onboard.

All too human failures

So far NASA’s breach hasn’t been widely reported. It’s an odd one – the motivations for stealing Mars mission data are hard to fathom. But the risks to future mission safety were real enough to prompt disconnecting a space station from compromised Earthbound IT systems.

Fear is over-egged in cybersecurity and our industry is packed with people stoking breach anxiety. We prefer not to go there – but it’s fair to raise the red flag when an astronaut might find his or her mission (or life) jeopardised by a breach.

Large organisations like NASA have formal rules and procedures designed to protect their systems, but alongside those they have an informal culture: informal processes, common language, customs, and department-specific behaviours that can be a bigger factor in determining how people act at work than any company manual.

Shared awareness is part of the culture, forming a group ‘workthink’ that shapes how well procedures and processes are adhered to, and influences how people prioritise tasks.

Leaving systems unpatched, leaving networks unsegmented, leaving open-source and insecure network-connected devices unvetted – are these failures of culture, of processes, of individuals, or all the above?

Changing shared security awareness

When you look closely at breaches, you’ll find that most are:

  • Avoidable: Patch when prompted, and segment networks to make lateral movement difficult.
  • Directly observable: In the case of the Equifax breach, criminals made 9,000+ queries to its database while looking for data to steal – which no one thought unusual.
  • Detectable: If people have been educated to the signal behaviours of an attack on the network.

At the world’s leading space agency or a mid-sized manufacturer, maintaining a strong cybersecurity posture is difficult. There’s no single fix. Securing data and systems is an ongoing challenge that changes from month to month.

Along with effective management systems and best-in-class cyber technology, employees have to be engaged as a front line defence. Companies can promote this with security awareness training.

Research from Forrester shows that only a quarter of workers know what to do when a breach occurs. That lack of knowledge needs to be addressed.

We can turn the tables on criminals by arming employees with the skills they need to identify attacks when they occur, or note a potential vulnerability as they’re going about their daily tasks – and report it.
