Amidst the change in administration, there seems to be uncertainty as to United States space policy and structure. One thing that most experts say will stay the same in principle is Space Policy Directive 5 (known as SPD-5) issued by President Trump in September 2020.
Space Policy Directive 5
SPD-5 focuses on the cybersecurity of space systems. The major principles of SPD-5 are as follows:
- Space systems and software should be should be developed to continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations.
- Systems should develop plans to verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they enable and provide. Plans should incorporate the following to protect C4SIR:
- Effective encryption measures to remain secure
- Physical security of all components
- Protections against jamming and spoofing
- Protections of C4SIR to include ground systems, technology and information processing systems using best practices aligned with NIST Standards
- Management of Supply Chain Risks
- Use of best practices to create rules, regulations and guidance
- Collaboration between the private and public space sector to include cybersecurity information sharing and intelligence fusion
Cyberattacks on space systems
Cyberattacks on space systems can happen on three fronts. The platform or satellite itself can be vulnerable to corrupted hardware or software, altered or damaged in some way in flight, or by using outdated systems. Ground control stations may be subject to physical attacks, computer network exploitation, data corruption, supply chain attacks and faulty software on the station itself. Finally, user terminals such as GPS receivers must safeguard against jamming, eavesdropping, spoofing and hijacking.
Several challenges obstruct cybersecurity protections in the space industry. Committee on National Security Systems (made up of a who’s who of three letter agencies) Policy 12 deals with information security standards on satellites used by the government to include those in the commercial sector who supply them. Updated in 2018, the agency website summarizes the policy:
The primary objective of this policy is to help ensure the success of NSM that use space systems, by fully integrating cybersecurity into the planning, development, design, launch, sustained operation, and decommissioning of those space systems used to collect, generate, process, store, display, transmit, or receive National Security Information (NSI), as well as any supporting or related infrastructure.
CMMC and Space Contracts
In addition, most government satellite and other space-based contracts must now comply with the Cybersecurity Maturity Model Certification (CMMC) requirements, which mandate certain standards and practices relating to anything that touches the DoD Supply Chain.
While the DoD seems to be moving in the right direction, NASA and the purely commercial sector have had their struggles recently. An Inspector General’s report on NASA’s cybersecurity practices in 2019 called them out for weak security practices and not meeting all the requirements of the Federal Information Security Modernization Act of 2014, which requires federal agencies to develop, document and implement an agency-wide information security program.
CISA and Space
Finally, while most satellites have regulatory guidance and policy, many of the other space systems designed to launch and track do not. There has been a strong push from scholars and policy makers alike to make space systems the 17th critical sector of the Cybersecurity and Infrastructure Security Agency (CISA). This would add organization, leadership, a national community of stakeholders, and risk management doctrine to the industry. Private space entrepreneurs and businesses have been reluctant to share security and system information due to proprietary reasons. Whether that would be an obstacle to a CISA addition remains to be seen.
