The White House today published a new directive detailing a list of recommendations and best practices for protecting space systems from cyber-threats and cyber-attacks.
The new rules, detailed in Space Policy Directive-5 (SPD-5), are meant to establish a cybersecurity baseline for all space-bound craft, systems, networks, and communications channels built and operated by US government agencies and commercial space entities.
US officials fear that US entities active in space might face cyber-attacks that may “deny, degrade, or disrupt space operations, or even destroy satellites.”
“Examples of malicious cyber activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks,” said officials.
According to SPD-5, these threats could be mitigated through a set of best practices that are already well established and applied in other industry sectors.
Update mechanisms, encryption, physical security
For starters, officials say that space systems must include “the ability to perform updates and respond to incidents remotely” and that these features must be integrated into space vehicles during the design phase, before launch.
Space systems and supporting infrastructure must also be developed and operated by engineers with cyber-security training, the White House said.
“Effective and validated authentication or encryption” should also be used for protecting command, control, and telemetry functions from unauthorized entry.
The same command, control, and telemetry functions — used by ground operators to control spacecraft — should also come with protections against communications jamming and spoofing, US government officials said.
This implies using signal strength monitoring programs, secured transmitters and receivers, authentication, or “effective, validated, and tested encryption.”
But cybersecurity best practices shouldn’t be applied just to spacecraft and their communications channels. Securing the ground stations from which these communications are managed is just as important.
For example, ground stations should enforce the logical or physical segregation of IT networks, patch systems regularly, apply physical security access rules, enforce restrictions on the use of portable media inside their networks, use antivirus software, and train staff accordingly, including against insider threats.
Furthermore, threats to US space systems should also be analyzed down the supply chain. This includes tracking manufactured parts, requiring sourcing from trusted suppliers, and identifying counterfeit, fraudulent, and malicious equipment that may introduce unforeseen cybersecurity risks.
If threats are detected, the operators of US space systems should also work to share threat, warning, and incident information with industry partners via Information Sharing and Analysis Centers (ISACs).
And since we’re talking about spacecraft, where size and weight matter, cybersecurity systems and measures should also be designed not to impair missions by affecting space vehicle size, weight, mission duration, or other technical mission requirements.
Speaking at a press conference on Friday, White House officials said the new SPD-5 directive and the recommendations they made should help US space entities set up basic protections against cyber-threats, which “happen all the time” and “not just from China but also non-state actors.”
Officials said these cyber-threats “occur with concerning regularity.”