Hardware-Enforced Isolation and the NASA breach

The US National Aeronautics and Space Administration (NASA) was hacked. Yes, you read that correctly. The US Federal Government's leading agency for space exploration, whose annual budget is $22 billion USD, has been breached numerous times in the past 10 years, most recently through a $35 Raspberry Pi.

On June 18th, 2019, NASA's Office of the Inspector General (OIG) released an audit report, Cybersecurity Management and Oversight at the Jet Propulsion Laboratory (JPL). It gives a detailed account of the flaws in NASA's security architecture, including numerous unreported breaches reaching back to 2009. NASA was plainly ill-equipped to prevent attacks or to detect them while they were in progress.

The most recent breach happened in April 2018, when attackers used a Raspberry Pi physically connected to NASA's Jet Propulsion Lab (JPL) network to gain remote access and then move laterally within NASA's network. From the report:

JPL discovered an account belonging to an external user used to log into JPL’s mission network had been compromised. Given the architecture of JPL’s network, the attackers were able to expand their access upon entry and move laterally across the network. Classified as an advanced persistent threat, the attack went undetected for nearly a year.

Lateral movement from a single compromised entry point is exactly what Endpoint Microsegmentation through Hardware-Enforced Isolation is designed to stop. Every host connected through a Byos μGateway is physically isolated from the rest of the network, which shields it from inbound attacks while the gateway alerts network administrators to suspicious outbound traffic.

NASA had Additional Unreported Breaches

“In 2017, a JPL server that runs source code used in ground operations for scientific spacecraft was compromised by foreign hackers who exploited a flaw in the software, hardware, or firmware that was previously unknown to JPL. Analysis by the OIG determined the system had not been patched on time nor did the system owner timely review the application log to identify suspect activities.”

Hardware-Enforced Isolation using the Byos μGateway isolates the host's CPU and RAM from the network, so a network-borne threat never reaches information held in the host's memory or processor. Inbound connections terminate at the gateway rather than at the host, which blocks remote code injection against the protected device. One caveat a practitioner should keep in mind: traffic the host itself initiates still leaves through the gateway, which is why the outbound monitoring described next matters as much as the inbound block.

Every device with a connected Byos μGateway can be monitored from the Byos Management Console, giving real-time visibility into and control over the network endpoints. The Management Console alerts network administrators when it detects suspicious network activity, and the gateway can also act independently, cutting off access at the gateway upon detection so that an attack is stopped at the outset. These features would have mitigated the 2017 breach, in which the unpatched flaw and the unreviewed application log went unnoticed by the system owner.

Over-reliance on Software Security

NASA was over-reliant on software updates to patch security vulnerabilities, as an attack in 2014 exploited:

“In 2014, investigation of the compromise revealed the administrator failed to update the software in a timely manner, providing the attacker an opportunity for unauthorized access via a JPL computer.”

With Byos' Hardware-Enforced Isolation approach, IT teams protect their endpoints at the network layer regardless of whether the externally facing software on those endpoints is out of date. The gateway does not remove the need to patch, but it removes the network path an attacker would use to reach the unpatched service.

Encrypting traffic in transit is not the same as securing the endpoint. Traditional cryptographic transmission protocols protect data from LAN-based eavesdropping, but they also hide an attacker's activity from the network security monitoring that is supposed to catch it, as the 2016 breach shows:

“The use of Secure Sockets Layer, which ensures that all data transmitted between the web server and browser remains encrypted, prevented JPL’s network security monitoring tools from identifying the actions taken by the bad actor prior to detection.”

Hardware-Enforced Isolation using the Byos μGateway prevents an attacker from sniffing a host's traffic on the LAN, and it also gives network administrators full visibility into the activity of Byos-enabled devices. It was exactly this visibility that JPL lacked in 2011, when an intrusion ran for two weeks before detection:

“In 2011, intruders resided within the system for 2 weeks before being detected and analysis of intrusion detection system log files revealed 87 gigabytes of data had been uploaded to the attackers' IP addresses.”

In 2009, a Byos μGateway on every networking device at NASA could have blocked outbound traffic to country-based and blocklisted IP addresses, stopping the transfer to a Chinese IP address. Geo-blocking alone is easy to route around, so the more reliable signal in both the 2009 and 2011 cases is the volume of data leaving a single host:

“In 2009, [Attackers] extracted approximately 22 gigabytes of program data by illegally transferring the information to an Internet Protocol (IP) address in China”
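The three controls this page attributes to the gateway, default-deny inbound to the host, a destination blocklist, and an alert on unusual outbound volume, can all be expressed as decisions over flow metadata, which stays visible even when the payload is TLS-encrypted. The following is an added example written for this page, not Byos code and not a description of the μGateway's internals; the policy values, address ranges (RFC 5737 documentation space) and flow records are constructed for illustration. It models the inbound block and outbound alerting from the lateral-movement section, the visibility gap of the 2011 case, and the blocklist of the 2009 case in one piece of code.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection summary as a gateway might record it (constructed)."""
    host: str        # protected endpoint behind the gateway
    peer: str        # remote IP address
    inbound: bool    # True when the remote side opened the connection
    bytes_out: int   # bytes the host sent to the peer
    bytes_in: int    # bytes the peer sent to the host


# Hypothetical policy. 203.0.113.0/24 (TEST-NET-3) stands in for a real
# blocklist entry; the 1 GB threshold is an assumed per-host baseline.
BLOCKLIST = (ip_network("203.0.113.0/24"),)
EXFIL_BYTES_PER_WINDOW = 1_000_000_000


def evaluate(flow: Flow) -> str:
    """Decide one flow: deny inbound by default, drop blocklisted egress, allow the rest."""
    if flow.inbound:
        return "DROP_INBOUND"
    if any(ip_address(flow.peer) in net for net in BLOCKLIST):
        return "DROP_BLOCKLIST"
    return "ALLOW"


def outbound_totals(flows):
    """Bytes actually sent per host, counting only flows the gateway allowed."""
    totals = defaultdict(int)
    for f in flows:
        if evaluate(f) == "ALLOW":
            totals[f.host] += f.bytes_out
    return dict(totals)


def detect_exfil(flows, threshold=EXFIL_BYTES_PER_WINDOW):
    """Hosts whose allowed outbound volume exceeds the baseline, with the volume."""
    return {h: b for h, b in outbound_totals(flows).items() if b > threshold}


# Constructed flow log: an inbound probe against a workstation, that
# workstation trying a blocklisted destination, its normal browsing, and a
# server quietly uploading 87 GB (the 2011 figure) in 1 GB chunks to a
# destination that no blocklist knows about.
GB = 1_000_000_000
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", True, 0, 4_096),
    Flow("192.0.2.10", "203.0.113.5", False, 1_200, 300),
    Flow("192.0.2.10", "198.51.100.20", False, 50_000_000, 400_000_000),
] + [Flow("192.0.2.44", "198.51.100.99", False, GB, 10_000) for _ in range(87)]


def run_example(flows=SAMPLE_FLOWS):
    """Per-flow decisions for the first three records plus the exfiltration alerts."""
    decisions = [evaluate(f) for f in flows[:3]]
    return decisions, detect_exfil(flows)


if __name__ == "__main__":
    decisions, flagged = run_example()
    print("decisions:", decisions)
    for host, sent in flagged.items():
        print(f"ALERT {host} sent {sent / GB:.0f} GB outbound this window")
```

The blocklist catches only the destination it already knows; the 87 GB upload goes to an address on no list and is caught purely by volume against a per-host baseline, which is the control that would have mattered in 2009 and 2011. In production the baseline would be learned per host and per time window rather than fixed.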

Conclusion

Overall, the report states that “NASA is unable to properly monitor assets on the JPL network” as “no controls are in place to ensure that JPL complies with this requirement.”

The research and development (R&D) programs NASA runs produce intellectual property and trade secrets that, for hackers and the nation-states behind them, are invaluable on the global market. Security measures protecting these networks should be more sophisticated and up to modern standards.

Although the Byos μGateway was created for mobile employees, it should also be used to protect the endpoints on internal corporate networks.

Unauthorized lateral movement across networks is commonplace wherever the network security infrastructure is inadequate. Even VPNs and Secure Web Gateways (SWG) are inadequate to stop this type of attack.

Having a Byos μGateway connected to every device on the network provides a modern approach to security architectures: Endpoint Microsegmentation through Hardware-Enforced Isolation.

Source: https://oig.nasa.gov/docs/IG-19-022.pdf