The war against space hackers: how the JPL works to secure its missions from nation-state adversaries

NASA’s Jet Propulsion Laboratory designs, builds and operates billion-dollar spacecraft. That makes it a target. What the infosec world calls Advanced Persistent Threats — meaning, generally, nation-state adversaries — hover outside its online borders, constantly seeking access to its “ground data systems,” its networks on Earth, which, in turn, connect to the ground relay stations through which those spacecraft are operated.

Their presumptive goal is to exfiltrate secret data and proprietary technology, but the risk of sabotaging a billion-dollar mission also exists. In the wake of multiple security breaches, including APTs infiltrating their systems for months on end, the JPL has begun to invest heavily in cybersecurity.

I talked to Arun Viswanathan, a key NASA cyber security researcher, about that work, which is “totally representative of infosec today” and “unique to the JPL’s highly unusual concerns.” The key message is firmly in the former category, though: information security has to be proactive, not reactive.

Each mission at JPL is like its own semi-independent startup, but their technical constraints tend to be very unlike those of Valley startups. For instance, mission software is usually homegrown because their software requirements are so much more stringent; for instance, you absolutely cannot have software going rogue and consuming 100% of CPU on a space probe.

Successful missions can last a very long time, so the JPL has many archaic systems, multiple decades old, which are no longer supported by anyone; therefore, they have to architect their security solutions around the limitations of that ancient software. Unlike most enterprises, they are open to the public, who tour the facilities by the hundreds. Furthermore, JPL has many partners, such as other space agencies, with privileged access to their systems.

All that while being very much the target of nation-state attackers. JPL has an interesting threat model to say the least.

Viswanathan has focused largely on two key projects: the creation of a model of JPL’s ground data systems — all its heterogeneous networks, hosts, processes, applications, file servers, firewalls, etc. — and a reasoning engine on top of it. This is then queried programmatically. (Interesting technical side note: the query language is Datalog, a non-Turing-complete offshoot of venerable Prolog which has had a resurgence of late.)

Previous to this model, no one person could confidently answer “what are the security risks of this ground data system?” As with many decades-old institutions, that knowledge was largely trapped in documents and brains.

With the model, ad hoc queries such as “could someone in the JPL cafeteria access mission-critical servers?” can be asked, and the reasoning engine will search out pathways, and itemize their services and configurations. Similarly, researchers can work backwards from attackers’ goals to construct “attack trees,” paths which attackers could use to conceivably reach their goal, and map those against the model, to identify mitigations to apply.

His other major project is to increase the JPL’s “cyber situational awareness” — in other words, instrumenting their systems to collect and analyze data, in real time, to detect attacks and other anomalous behavior. For instance, a spike in CPU usage might indicate a compromised server being used for cryptocurrency mining.

This is a departure from reactive security measures taken in the past (noticing a problem and then making a call). Nowadays, JPL watches for malicious and anomalous patterns such as a brute-force attack indicated by many failed logins followed by a successful one to machine-learning based detection of a command system operating outside its usual baseline parameters.

Of course, sometimes what looks like an attack is anomaly. Conversely, this new observability is also helping to identify system inefficiencies (like memory leakage) proactively rather than reactively.

This may all seem fairly basic if you’re accustomed to, say, your Digital Ocean dashboard and its panoply of server analytics. But re-engineering an installed base of heterogeneous complex legacy systems for observability at scale is another story entirely. Looking at the borders and interfaces isn’t enough; you have to observe all the behavior inside the perimeter, too — especially in light of partners with privileged access who might abuse that access if compromised. (This was the root cause of the infamous 2018 attack on the JPL.)

While JPL’s threat model is fairly unique, Viswanathan’s work is quite representative of cyber warfare. Whether you’re a space agency, a big company or a growing startup, your information security nowadays needs to be proactive. Ongoing monitoring of anomalous behavior is key, as is thinking like an attacker. Reacting is not enough. May your organization learn this the easy way, rather than joining the headlines telling us about breach after breach.