September 2020 could be looked at as a pivotal month in regards to the relationship between the U.S. government and cybersecurity in space. In September, the National Space Council (NSC) issued Space Policy Directive-5 (SPD-5), which aims to foster best practices within the U.S. government and commercial space operations that protect space assets and their supporting infrastructure from cyber threats. This was the first cyber policy from the NSC, which has issued directives on the U.S. Space Force, and commercial use of space over the past few years.
The directive has been well-received among space cybersecurity influencers. “YES, they have finally heard us!” was the first reaction from Chris Childers, CEO of the National Defense Group, who believes this will lead to a much more secure environment for satellite communications.
Childers believes the CyberSat community played a key role in heightening awareness of the issues of cybersecurity and space, and was the first to discuss and promote this issue publicly. He says protecting satellite networks from cyber attacks had been overlooked for far too long. “I am very glad this topic is finally gaining the attention it deserves. We can finally start working toward protecting our space assets. I was actually surprised this issue has made it to the attention of the president,” Childers says. “This is just the first step to get the ball rolling. I'm sure once it gets fleshed out by the appropriate government agency or agencies, it will be far more comprehensive.”
Others were also positive. Cameron Over, Cyber and Privacy lead for CrossCountry Consulting says the SPD-5 framework is an important and foundational framework that highlights key security principles specifically for space systems. She says that unfortunately security is often defined as an afterthought in the design and operation of complex systems. She believes this framework will be useful to drive an expectation of security from the start and through the lifecycle of the space system asset, and that the principles set forth in SPD-5 should be the foundation for best practices and regulations to come.
The Importance of a Cyber Framework
Many in the cyber industry believe a framework like this was long overdue. Crystal Lister, co-founder of cybersecurity company GPSG says this framework gives the federal and commercial space community a common cyber language to address cybersecurity challenges. She says in this case; the government is encouraging the National Institute of Standards and Technology (NIST) to advance the cybersecurity dialogue on solutions and best practices between the federal and commercial space organization.
“The U.S. government is continuing to raise awareness of the seriousness of the overall cyber threat to the space community by issuing this latest directive, notably with emphasis on insider and supply chain risk, and encryption,” Lister says.
Vince Walisko, CCO of Optimal Satcom says that while the space industry is a global (or at-least multi-national) industry, unilateral implementation of standards by the U.S. is a double-edged sword. At one end, he says, it drives innovation and resiliency, but it can also create overheads and place U.S. companies at a competitive disadvantage in international markets. Walisko mentioned that organizations that contract with the U.S. government are already subject to International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), NIST, and other regulations, and this must be considered.
“The specifics and implementation are non-trivial when looking at the unintended effects programs like ITAR and EAR have had on the U.S. players in the industry,” he says. “As the U.S. space industry embraces SPD-5, the industry needs to harmonize it with the complex and intertwined compliance environment that is in place.”
Over of CrossCountry Consulting says the framework will set the urgency, tone and guidelines as space vendors, contractors, and the government coalesce on a common set of principles. “This sort of legislation needs more of the ‘how,’ and to be driven down to the organizations, vendors and commercial companies that use these technologies, and firmly entrenched in their business processes, technology development, and ongoing operations,” she says.
Bob Gourley, founder and CEO of OODA, believes that before SPD-5, cybersecurity policies on U.S. government activities in space were fragmented and sometimes totally lacking. He calls SPD-5 a pinnacle document that provides a vision and guidance. “There are serious cyber threats to programs that watchers like me have been articulating, including the cyber threats to NASA's project Artemis. These are threats that individual agencies might not be motivated to care so much about. I know that sounds silly, but some agencies don't share common views of threats. This directive will help them care whether they want to or not,” he says.
What’s Missing from SPD-5?
SPD-5 has been embraced in the cyber world to help U.S. companies keep space assets secure — but is anything missing? Gourley calls SPD-5 “the best space cybersecurity policy we have ever had,” but says there is always room to improve now that the first step has been taken. In particular, he would like to see the government endorse, support, and follow the lead of the Space Information Sharing and Analysis Center (Space ISAC). “Observing human nature and how large organizations behave regarding cyberspace leads me to conclude that directives like this must be followed by inspection to ensure government agencies are complying. The corporate world should be shown how beneficial this can be to them by sharing information on the threats,” he says.
Walisko noted SPD-5’s lack of an actual Risk Management Framework (RMF) or other specifics, although the directive recommends collaboration between owners and operators, which he says could lead to an industry consortium to create an RMF. “Ground, software, and other systems control and interact with space system and would need to be included in any framework. I have worked across a broad segment of the industry, and have had the opportunity to have a role in standardization, modernization, and transformational initiatives and to experience which were effective and which were not. We would be open to applying that experience and perspective to work with others to flesh-out a cybersecurity for space systems industry initiative," Walisko says.
Over calls SPD-5 a good start, but she says it is still high-level and additional depth needs to be provided in order for technologies to be modified to ensure compliance, resilience, survivability, and security hygiene of the technology. “I would have liked to seen threat modeling highlighted as a key component to effective risk management,” she says.
Supply Chain Vulnerabilities
We live in difficult times amid a global pandemic. We are also in an era of geopolitics where there appears a lack of global harmonization. While activities in space have generally bought the world together, we may now have entered an era, where space assets could be targeted more. One of the big topics being discussed is the supply chain weaknesses and how this could impact the space industry. A framework like SPD-5 could play a significant role here.
Satellite systems are very attractive targets to hackers because they involve various manufacturers, integrators, and special technologies that expand the attack surface when combined together, Lister says. She says COVID-19 has even further complicated this by exposing the volatility and cracks in global supply chains, but SPD-5 begins to address the issue.
“This puts new cyber supply chain pressures on satellite and space-based companies, such as finding and vetting alternative suppliers to meet product criteria, quantity, and timelines. For example, it is critical to ensure that hardware and software from suppliers for space-based asset IT and OT systems and payload chain of custody is not compromised. SPD-5 provides a broad brush, an initial starting point for managing supply chain risk. [It] specifically seeks to raise awareness of supplier due diligence and inventory provenance, both of which are crucial for managing this type of risk,” Lister says.
Walisko believes from a U.S. perspective, it would make sense to acknowledge, if not incorporate, the Cybersecurity Maturity Model Certification (CMMC) and Infrastructure Asset Pre-Assessment (IA-Pre) since significant progress has already been made on these and they are applicable to commercial space systems supporting U.S. Government requirements. “Both of these acknowledge and address supply chain concerns. Organizations operating in other countries would probably want to tie their existing cybersecurity risk frameworks to any new space cybersecurity initiatives,” he says.
Gourley comments that hypothetically this directive can help to mitigate some supply chain risks but that it will take further leadership to do so. “Supply chain still needs to be called out and focused on,” he says.
Influence Beyond the U.S.
Will the influence of SPD-5 ultimately go beyond U.S. borders and encourage other nations to adopt similar policies? Childers emphatically says the answer is “yes.” He adds, “I believe this is the start of all players in the space game thinking about keeping their assets safe before thinking ‘how fast and cheap can we get it up?’”
Lister says SPD-5 is critical guidance at a pivotal time for the space community as satellite systems are becoming increasingly complex and more attractive to hackers. She believes that hopefully that this framework will serve as a foundation for the space community to address cybersecurity threats and build upon as emerging technology and the threat landscape continue evolving.
Walisko adds, “I think it is a significant [directive] not for what it is but for how we in the space industry can step up to respond to it.”
A More Remote COVID Era Means More Attacks
U.S. space companies have had to adapt their operations and keep secure in a more challenging environment during the pandemic, as many work from home. Two years ago, David Dewalt of Momentum Cyber opened CyberSat by saying that satellite was one of the sectors he was most worried about and that a major incident involving a satellite, satellite network was only a matter of time. Lister says we already seen signal jamming, spoofing, and increased targeting of satellite telecommunications, according to a body of security research and security reporting. She adds, “Any sector that has not had a major cyber attack to date will have a bigger target on its back.”
Gourley agrees. “Major attacks are coming, it is just a matter of time. And till then, minor ones will continue and must also be mitigated,” he says.
Walisko believes there are a number of threat vectors for U.S. space assets and those threats are increasing in number and type. He adds, “It is possible to identify many of the threats by searching the mainstream and industry press. The creation of the U.S. Space Force is an acknowledgement of the threats. Also, the recent trend toward de-globalization is realigning the world order in a way that, if not encouraging these threats, does nothing to defuse them. It is better to prepare for threats that may present as many of us are doing rather than to hope they won’t happen.”
Over says we are certainly seeing a heightened degree of cyber attacks overall that have been made available to the attackers via the COVID era, but the key driver of risk is the contested nature of the domain itself. She believes this will continue to drive cyber offense and defense initiatives over the long term. She says, “This should help given that the management of supply chain risks is a security principle highlighted in the memorandum, but it will require firm requirements for supply chain integrity, and potentially additional requirements pushed down to vendors and their vendors, federal agencies, and commercial companies in the space.”
Childers says as cyber attacks becoming more advanced, as they have in recent years, attackers will look to less conventional ways to disrupt and steal information. An immeasurable amount of information flows through satellite networks, and this treasure trove of data makes them more valuable to an attacker. Childers has an interesting perspective on this, and talks about how hacking tools and techniques are constantly evolving, and how the space industry needs to modernize.
“Some of these space assets are decades old. It would be like using current day hacking techniques on something with the security profile of Windows 3.1,” he says. “I'm not sure there is a solid way to retrofit the security posture of these older assets as well. Defending them is a very difficult problem.” VS