NASA’s cybersecurity challenges continue to bubble up. About a week after my month-long investigative report into major shortcoming with the space agency’s approach to patching software, a private sector non-profit is calling NASA out for not moving fast enough on a potential cybersecurity breakthrough.
The Institute for Critical Infrastructure Technology (ICIT) is calling on NASA to unleash Gryphon X in a bulletin it published on March 23.
“Gryphon X was one of those proposals we’ve been waiting since the summer to hear more about,” said James Scott, ICIT’s co-founder and senior fellow. “We have good relationships with the C-level people at Ames Research Center, and we were on the Hill with NASA in the Senate in the fall, and it keeps coming up. There are several questions about what’s being done to secure technology, the Internet of Things connectivity of the critical infrastructure. We said, ‘Why not talk about Gryphon X?” and so we did. We didn’t think the proposal would be placed on ice for this long.”
Scott said Gryphon X is a concept that could change the cybersecurity game, and a little friendly push to NASA would help drum up more interest.
“People forget that about 90 percent of the nation’s critical infrastructure is managed by the private sector, and when we talk to these guys running the power grids or industrial control systems and supervisory control and data acquisition (SCADA) systems that are adversarial priority targets, they always say what they need is a hyper-evolved cloud type testing facility where they can run through scenarios and prepare for attacks. Gryphon X covers that need,” he said.
An email to NASA seeking comment on the Gryphon X proposal was not immediately returned.
ICIT said the NASA Ames proposal, called Gryphon X, is a training and fusion center.
“The main approach to Gryphon X is to manage security risk across NASA’s critical infrastructure and to improve the resiliency of its networks. The implementation of the advanced technologies, facilities, and practices associated with the program will mitigate the cyber risks posed to NASA’s extensive list of mission programs and projects,” ICIT says in its bulletin. “Currently, cyber threats to NASA’s projects and missions can degrade, disrupt, or destroy mission critical assets. NASA Ames is offering to facilitate, and lead the development and execution of a holistic, mission assurance focused cyber vulnerability mitigation strategy that ensures network integrity across the plethora of missions, research projects, and programs under NASA’s jurisdiction.”
Scott said there are four pieces to Grypon X:
A physical facility where Ames would host classified and unclassified components to apply cutting edge, advanced applied cyber research and development, and testing and evaluation, and training on mission critical and emerging technologies.
Both a virtual and a physical advanced training and institute.
A virtual cyber range in the cloud where Ames and other cyber experts could test tools on a true attack surface where they could learn.
Cybersecurity information sharing and integration capabilities.
Scott said the cloud-based cyber range is the most intriguing part of this proposal.
“You could load software in to this environment and hit it with everything you’ve got from red team hackers to malware to advanced attacks to see if the systems can be penetrated, and in the end you will see vulnerabilities and can share that information across the public and private sector communities to better protect all systems and data,” he said.
In the bulletin, ICIT expands on the potential of the cyber range.
“Gryphon-X would remediate that on-going cybersecurity deficit and enables organizations to develop and premeditate the best plan of defense, under a variety of conditions, before an attack ever occurs,” the bulletin stated. “In Gryphon X, adversarial tactics can be simulated to gain insight into the attackers’ tools, techniques, and procedures, or to train personnel to respond to a specific threat.”
Scott said ICIT is getting a lot of interest about the bulletin, and would like to see NASA publicly discuss the proposal with lawmakers and private sector cyber companies and stakeholders.
He said if NASA wants to become the pinnacle of next generation innovation around cybersecurity, Gryphon X has to be part of that effort.
“The threat is hyper evolving and it’s warping the historically next generation movement of what was NASA for so long,” he said. “One thing about NASA is they are super focused on mission critical stuff, and what they are slow to understand is that for that mission critical stuff, cybersecurity is a profound ingredient in all that mission critical stuff.”
Scott’s point shouldn’t be lost on the fact that many of the shortcomings highlighted in my story come from the same misperceptions between mission and cybersecurity.