NASCAR, NASA and the secret to cybersecurity

Stock-car racing and space exploration may seem to have little in common, but they hold a common key to cybersecurity success.

NASCAR race

NASCAR drivers practice for the 2004 Daytona 500. (Air Force image via Wikimedia Commons.)

One is a storied federal agency, the other a source of entertainment for millions. One races into space, the other races at breakneck speeds around a track. What do NASA and NASCAR have in common?

They probably have a better approach to managing risk and security than you do.

At both organizations, risk management and security are huge parts of their respective missions. A failure to protect NASA's networks could have disastrous effects; a failure to provide drivers with adequate security could be deadly. As a result, both groups build in those top priorities right at the front – and not as an afterthought, as is all too common at many departments scrambling to protect their IT assets.

"Our problems are bureaucratic, institutional, systemic. Integrating security into architecture, system development lifecycle, systems engineering process and acquisition – those four areas would go a long way into enhancing cybersecurity," said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. "When you get to the point where security is done because people recognize it's central to the mission and success, then we've crossed that Rubicon and we're looking at security not as a cost, but more as an investment in our productivity, survivability and everything needed to compete today."

Of course, that may be easier said than done. Today the word "investment" alone will stop program leaders in their tracks because it means money – a precious resource in a climate of sequestration and budget cuts. But that climate itself is a stepping stone to better cybersecurity, Ross said.

"Program managers and mission and business owners care about schedule, cost and performance. So how do you get all of this started?" he said. "You have to look for forcing functions to start down the road to 'thinning the herd,' or reducing complexity. The current declining budget and frustrations we're enduring at the federal level is a great forcing function for reducing the costs of IT infrastructure."

As it happens, society as a whole – including the government – are swimming in IT. It's cheap, it's powerful and as a result everyone actually has more of it than is really needed, Ross noted.

"Studies show a lot of what we procure, we never deploy or use effectively. This is where to focus on simplifying architecture: When you use things like enterprise architecture, you by very definition consolidate, standardize and optimize the IT infrastructure," he said. "You build a leaner and meaner IT infrastructure. That simpler architecture provides more efficient services, is less expensive to deploy and maintain, and provides security professionals a better opportunity to protect what we own and deploy."

But how can departments and companies get to that improved architecture? As at NASA, security professionals need to have a seat at the table, whether that is a board room or the boss's office. All too often those in charge of information security – the ones overseeing the architecture and IT infrastructure – are not part of decision-making.

"NASA builds their spacecraft with integrated project teams; every stakeholder sits around the table and the mission doesn't move forward until every stakeholder has given a thumbs up. Our security teams and people need to be stakeholders at the table in order to integrate the important cybersecurity concepts, principles and technologies into the systems early in the lifecycle – and not as an afterthought," Ross said.

If threats and security are part of the plan from the very beginning, operators have a much better chance at resiliency when they do come under attack, or in the case of NASCAR, experience a high-speed crash. That survivability is a key metric for determining the strength of a department's defenses.

"In our business, when you talk about risk management and risk assessment, you deal with four things: threats, vulnerabilities, impact to the organization if threats are exploited and how likely threats are to be exploited," Ross said. "In NASCAR, their threat is the 200-mph race car potentially hitting the wall. NASCAR doesn’t sit around wringing their hands about the threat. They can't reduce the speed; they wouldn't have any fans in the stands. So they build the threat into the business model."

The result, which came after the  2001 death of Dale Earnhardt Sr. in a fiery crash at the Daytona 500: NASCAR officials designed a piece of equipment called the head and neck safety device, and since they instituted that, no driver has died from a neck injury sustained in a race, Ross said.

While the safety device successfully addressed a critical NASCAR vulnerability, it is not exactly the same as employing enterprise architecture at a major government agency, where the stakes involve many more people and less tactile threats.

But the vignette underscores the need for departments to move beyond patching systems, configuring firewalls and locking down components. Those are all important housekeeping duties, Ross said, but they do not go far enough.

"We can control only what we can control. We can't control the threat or the adversary or the attacks. What we can control is how we build and architect our systems to be stronger and more penetration-resistant," he said. "I'm passionate about integrating that into enterprise architecture, with the security team working right there as a partner ensuring security controls are in place. Until we do that, security will be an afterthought."

 

 

 

 

NEXT STORY: A graphic look at NSA

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.