Applying lessons from NASA to Cybersecurity
The subject of this post, applying lessons from NASA to cybersecurity, might seem like an odd choice, but there are a few reasons I chose this route. Firstly, why use NASA and not some other science and engineering organisation? I have always admired and enjoyed reading and learning about the work of NASA, with particular topics being the now-retired Space Shuttle Programme, the still-going Voyager satellites and NASA's research into astrobiology (an interdisciplinary scientific field concerned with the origins, early evolution, distribution, and future of life in the universe). Also, using an area of work related to NASA can provide a different take on the problems we are trying to solve. By looking at seemingly unrelated areas we can find new ideas or ways of thinking about a problem. Over the past ten years, NASA has released various ebooks for free through its website, covering topics including history, aeronautics, science, etc. This blog post will use some of those ebooks as the basis for talking about applying lessons from NASA to cybersecurity. I will also include the links to each chosen ebook.
- Breaking the Mishap Chain: Human Factors Lessons Learned from Aerospace Accidents and Incidents in Research, Flight Test, and Development by Peter W. Merlin, Gregg A. Bendrick, and Dwight A. Holland (https://www.nasa.gov/pdf/643903main_BreakingMishapChain-ebook.pdf)
This ebook contains a collection of case studies of mishaps involving experimental aircraft, aerospace vehicles, and spacecraft in which human factors played a significant role. In all cases, the engineers involved, the leaders and managers, and the operators (i.e., pilots and astronauts) were supremely qualified and by all accounts superior performers. Such accidents and incidents rarely resulted from a single cause but were the outcome of a chain of events in which altering at least one element might have prevented disaster. As such, this work is most certainly not an anthology of blame. It is offered as a learning tool so that future organizations, programs, and projects may not be destined to repeat the mistakes of the past. These lessons were learned at high material and personal costs and should not be lost to the pages of history.
The ebook's themes are divided into design, psychological and organisational factors, which also happen to be frequent causes of cybersecurity failures. Taking lessons from other areas is a vital step if we are ever going to reduce the rates of successful cyberattacks.
- The Apollo of Aeronautics: NASA's Aircraft Energy Efficiency Program, 1973-1987 by Mark D. Bowles (https://www.nasa.gov/pdf/601247main_ApolloAeronautics-ebook.pdf)
The fuel crisis of the 1970s threatened not only the airline industry but also the future of American prosperity itself. It also served as the genesis of technological ingenuity and innovation from a group of scientists and engineers at NASA, who initiated planning exercises to explore new fuel-saving technologies. What emerged was a series of technologically daring aeronautical programs with the potential to reduce by an astonishing 50 per cent the amount of fuel used by the nation's commercial and military aircraft. The research has led to current passenger aircraft with their increased fuel efficiency compared to previous generations of aircraft.
Every year there seems to be an increase in the number of recorded security incidents. We need to get to a point where the number of recorded security incidents decreases year on year. Some steps in the regulatory area and new laws at an EU level are a step in the right direction, though it will be a few years until their effect becomes evident.
- Crash Course: Lessons Learned from Accidents Involving Remotely Piloted and Autonomous Aircraft by Peter W. Merlin (https://www.nasa.gov/pdf/732718main_crash_course-ebook_r2.pdf)
This volume contains an investigation of remotely piloted research vehicle (RPRV) and unmanned aircraft system (UAS) mishaps and will examine their causes, consequences, resultant corrective actions, and lessons learned. Most undesired outcomes usually do not occur because of a single event, but rather from a series of events and actions involving equipment malfunctions and/or human factors. This book comprises a series of case studies focusing mostly on accidents and incidents involving experimental aircraft. The information provided should be of use to flight-test organizations, aircraft operators, educators, and students, among others. These lessons are not unique to the UAS environment and are also applicable to human aviation and space flight activities. Common elements include crew resource management, training, mission planning issues, management and programmatic pressures (e.g., schedule, budget, resources), cockpit/control station design, and other factors.
Besides examining the design and systems elements that led to these accidents, the book also analyses the human factors involved. In cybersecurity, there are also design problems and human factors behind failures. Taking lessons from other engineering areas may show us methods that allow us to analyse cybersecurity failures and mitigate against them.
- Archaeology, Anthropology, and Interstellar Communication by Douglas A. Vakoch (https://www.nasa.gov/sites/default/files/files/Archaeology_Anthropology_and_Interstellar_Communication_TAGGED.pdf)
Addressing a field that has been dominated by astronomers, physicists, engineers, and computer scientists, the contributors to this collection raise questions that may have been overlooked by physical scientists about the ease of establishing meaningful communication with extraterrestrial intelligence. These scholars are grappling with some of the enormous challenges that will face humanity if an information-rich signal emanating from another world is detected. By drawing on issues at the core of contemporary archaeology and anthropology, we can be much better prepared for contact with an extraterrestrial civilization, should that day ever come.
This ebook might seem like an odd choice, or seem to have no relation to cybersecurity issues, but I believe the themes discussed in it are useful. Cyberattacks generally originate online, where there also reside different cyber communities which may conduct cyberattacks either for criminal purposes or for other reasons. To mitigate or prepare ourselves for potential attacks we need to understand how these communities operate and function. Basically, it is about using threat intelligence. Furthermore, the methods that make up archaeology, anthropology and the study of communications could allow us to gain information about these online communities, which can then be used to protect systems, services and people.
- NASA Systems Engineering Handbook - Revision 2 (https://www.nasa.gov/sites/default/files/atoms/files/nasa_systems_engineering_handbook_0.pdf)
In 1995, the NASA Systems Engineering Handbook (NASA/SP-6105) was initially published to bring the fundamental concepts and techniques of systems engineering to the National Aeronautics and Space Administration (NASA) personnel in a way that recognized the nature of NASA systems and the NASA environment. Since its initial writing and its revision in 2007 (Rev 1), systems engineering as a discipline at NASA has undergone rapid and continued evolution. This revision (Rev 2) of the Handbook maintains that original philosophy while updating the Agency’s systems engineering body of knowledge, providing guidance for insight into current best Agency practices, and maintaining the alignment of the Handbook with the Agency’s systems engineering policy.
The update of this Handbook continues the methodology of the previous revision: top-down compatibility with higher-level Agency policy and a bottom-up infusion of guidance from the NASA practitioners in the field. This approach provides the opportunity to obtain best practices from across NASA and bridge the information to the established NASA systems engineering processes and to communicate principles of good practice as well as alternative approaches rather than specify a particular way to accomplish a task. The result embodied in this Handbook is a top-level implementation approach on the practice of systems engineering unique to NASA.
While we are slowly getting better at integrating security into the design process, we are still making mistakes. So taking a systems engineering perspective might be a good idea when integrating cybersecurity into devices, systems and services. Also, the definition of systems engineering does include the human element: "a system is the combination of elements that function together to produce the capability required to meet a need. The elements include all hardware, software, equipment, facilities, personnel, processes, and procedures needed for this purpose." This design mindset is needed to stop us from seeing cybersecurity as a stand-alone set of tools which are bolted on at the end of the design process, rather than being integrated as the system, device or service is being made.
Hopefully, these five ebooks showcase ideas that might give a fresh perspective on tackling the problems within cybersecurity. They range from learning lessons from failure, to how we might gather threat intelligence, and finally to why we need to take a systems engineering approach to cybersecurity rather than treating it as a stand-alone area.