White House Releases Cybersecurity Policy on Space Systems
The White House on Sept. 4 released Space Policy Directive-5 (SPD-5) regarding cybersecurity for space systems, as a senior administration official told reporters that cyber threats on U.S. space systems happen with “concerning regularity.”
“With regard to particular cyber threats, I can’t really talk about those at an unclassified level, but suffice it to say that they do occur, and they occur with concerning regularity such that this set of cybersecurity principles was important,” the official said.
Such attacks may result in debris-generating space collisions and may include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and denial-of-service attacks.
“One of the reasons why we did a special cybersecurity discussion of space systems is because they’re hard to get to,” the administration official said regarding SPD-5. “Satellite servicing is being developed so at some future point going out there to an existing satellite and providing a hardware upgrade will be possible where that’s hard to do right now. On the other hand, that doesn’t mean that we can’t do anything about current systems that are out there.”
Such available measures include securing ground-based tracking and communications and protecting satellite uplinks through the encryption of forward telemetry, the official said.
In terms of future cybersecurity hardware upgrades for on-orbit satellites, the official said that “there are a number of technologies being developed for satellite servicing, rendezvous and proximity operations” and that “NASA has been a pioneer of some satellite servicing opportunities.”
In one such example, the Northrop Grumman Mission Extension Vehicle-1 (MEV-1) docked with the geostationary Intelsat IS-901 satellite on Feb. 25 to extend the latter satellite’s service life. The second Mission Extension Vehicle (MEV-2) launched Aug. 15, along with the Northrop Grumman-built Galaxy 30 satellite, and is to dock with the Intelsat IS-1002 satellite in early 2021.
Companies are also looking at “active [space] debris removal,” the official said. “On orbit robotic operations are just continuing to increase.”
In addition, while “deep hardware changes” for cybersecurity are not yet possible in space, NASA does have experience through the Mars Rover and International Space Station (ISS) programs in upgrading and fixing software from long distances, the official said.
SPD-5 appears to rely on industry to develop best cybersecurity practices for space systems, rather than establishing federal government standards and monitoring of that cybersecurity.
The U.S. Department of Homeland Security’s Critical Infrastructure Partnership Advisory Council (CIPAC) is to coordinate efforts among industry partners in 16 critical infrastructure sectors and federal agencies, including DHS’ Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Defense (DoD), the U.S. Department of Commerce, and NASA to develop best practices for space system cybersecurity, another senior administration official said.
SPD-5 is to introduce space system cybersecurity as a focal point in some of the 16 critical infrastructure sectors that already have space industry participants, such as communications, the defense industrial base, critical manufacturing, and transportation sectors, the official said.
“Space system owners and operators should collaborate to promote the development of best practices, to the extent permitted by applicable law. They should also share threat, warning, and incident information within the space industry, using venues such as Information Sharing and Analysis Centers [ISACs] to the greatest extent possible, consistent with applicable law,” per SPD-5.
The policy directive states that “space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering.”
“Space systems should be developed to continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations,” per SPD-5.
Space, typically taken for granted, has assumed a place closer to national center stage in recent years. Last year, the U.S. Space Force was established as the sixth military service, and in June 2017, after a 20-year hiatus, the White House re-established the National Space Council, which was established in 1989 by former Pres. George H.W. Bush and disbanded in 1993. Chaired by the vice president and composed of cabinet members who receive counsel from a users advisory group, the council has met seven times since its re-establishment to formulate space policy.