Job One for Space Force: Space Asset Cybersecurity

Introduction

When we think about critical infrastructure, the first assets that come to mind include the electric grid, water networks and transportation systems. Further unpacking the definition of critical infrastructure, we consider industries such as agriculture, defense or the financial sector. However, we rarely think about where the underlying systems that enable technology functionality across these sectors physically reside, who developed the technology, and who can access and manage that technology.

Much of the United States’ critical infrastructure relies on space systems. I define space systems as assets that either exist in suborbital or outer space or ground control systems—including launch facilities for these assets. Space asset organizations are organizations that build, operate, maintain or own space systems. Some examples of critical infrastructure’s reliance on space systems are agribusiness’ reliance on weather and climate satellites, the U.S. military’s reliance on intelligence satellites, and various transportation industries’ reliance on global positioning system (GPS) satellites. Several critical infrastructure sectors also rely on space systems for global communications. We also rely on space systems for scientific discovery, which often requires highly specialized and advanced equipment. Such equipment originally designed for scientific discovery is later used in critical infrastructure sectors upon further testing and commercialization of the intellectual property.

Despite efforts to improve the cybersecurity of critical infrastructure in the U.S., there has been little focus on cybersecurity for space systems. While security standards for critical infrastructure are often technically sufficient to deter many attacks, they remain a challenge to implement due to time and resource constraints. Space systems, however, are more complex than critical infrastructure from a technology development, ownership and management perspective. Thus far, this has led to a lack of guidance in the form of standards that govern space system security and, ultimately, policies that enforce these standards. I will first review some of the major cybersecurity threats to space systems and the potential motivations for why cyber criminals or nation states would be interested in compromising space systems. Next, I will evaluate the challenges for managing space system cybersecurity. I will then evaluate steps currently being taken by companies and government agencies to secure these systems. Finally, I will propose policy recommendations to streamline cybersecurity for space systems across the public and private sectors. A selection of these recommendations are below.

Space Asset Organizations should:

• Apply existing cybersecurity standards and best practices to space assets and where necessary, develop new, tailored standards for unique components of space assets;

• Assign security experts with distinguished expertise based on the function of each space asset and enable this resourcing by establishing cybersecurity as a mission line-item in budgets. For example,do not assign a server security expert to work on the security of a satellite endpoint. Instead, designate security experts with satellite endpoint knowledge to secure these systems;

• Develop and incentivize a cybersecurity culture that prioritizes security across the teams working on space assets. For example, gamify good security behavior, such as running an internal phishing program where top performers are rewarded;

• Use appropriate cybersecurity tools such as encryption or threat intelligence. Encrypt communications even if the data transmitted from satellites will ultimately be public and open source to better protect the integrity of that information (such as weather data); and

• Develop relationships with security researchers that allow for researchers to access company data and provide solutions to remediate vulnerabilities in the company’s systems.

Policymakers should:

• Hold space asset organizations accountable for cybersecurity deficiencies in the components of space systems that they develop, operate, and own. For example, require all space asset organizations that contract with the government to comply with key performance parameters for system survivability that covers cybersecurity;

• Expand the Code of Federal Regulations for the Department of Defense-Defense Industrial Base Cybersecurity Activities (32 CFR Part 236) to include required reporting of cyber incidents by space asset organizations that are responsible for space assets that enable other critical infrastructure; and

• The Department of Homeland Security should create a space system Information Sharing and Analysis Center (ISAC) that requires participation from government agencies that rely on space assets and encourage participation of the private sector’s space asset organizations.

The Space System ISAC should:

• Require disclosure of credible sector cyber threats to other space system organizations within a certain time period so that others have the chance to act on the intelligence;

• Document and maintain space system security best practices and encourage member organizations to implement these security protocols; and

• Cooperate with ISACs for oil/gas, electricity and emergency services to assess space system vulnerabilities that underpin terrestrial systems for these critical sectors, and work to remediate accordingly.