July 10, 2023 By Doug Bonderud 4 min read

In 2013, Presidential Policy Directive (PPD) 21 established 16 critical infrastructure sectors responsible for providing essential services that underpin American society.

These services are not only vital to the country’s safety and prosperity but are inherently tied to public confidence. As a result, the PPD makes it clear that “proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning and resilient critical infrastructure.” Some of the nation’s critical infrastructure sectors include commercial facilities, emergency services, food and agriculture, information technology and water and wastewater systems.

According to a new report from the Cyberspace Solarium Commission (CSC), however, the time has come to add a 17th sector: space systems.

What is the CSC?

The CSC was established in 2019 under the John S. McCain National Defense Authorization Act. Its purpose is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

On March 11, 2020, the CSC’s finished report was made public. It contained 82 recommendations across six pillars to help improve cybersecurity infrastructure. Under the FY2021 National Defense Authorization Act, 25 of these recommendations were coded into law. These included the strengthening of federal networks (recommendation 1.4), the establishment of an integrated cybersecurity center (5.3) and the creation of a strategy to secure email (4.5.2).

The CSC’s newest report, published in April 2023, recommends the addition of space systems as the 17th critical infrastructure sector.

Why is space next on the critical infrastructure list?

PPD-21 establishes the threshold for critical infrastructure: it must be so fundamental to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

The CSC report makes the case for space infrastructure meeting this definition. In part, this is tied to economic impact: In 2019 alone, the space industry generated $194.4 billion. Security is also a key concern. If satellites, spacecraft or ground control centers are compromised, the result could be anything from stolen data to hijacked devices, in turn putting both physical and digital assets at risk.

Several issues compound this risk. First is the uneven application of security best practices across commercial space manufacturers — while some may obfuscate ground-to-space connections, others may rely on the insecure public internet or unprotected business networks. In addition, communications between spacecraft and ground control stations are transmitted using unencrypted, open networks that offer no protection against eavesdropping.

Finally, space technologies suffer from the same problem as other critical infrastructure sectors: legacy technologies. Some may be unable to update software or firmware, while others may lack data backups, making them vulnerable to attack.

Given the critical role of space systems and their potential security risk, the CSC report has been reviewed by the CISA, which produced its own report on the subject, and states that the CISA will “evaluate the establishment of the Space Sector as a critical infrastructure sector.”

Solving for sector risk

If space is designated as the 17th critical infrastructure sector, the next step is creating an effective, protective framework.

As noted by the CSC report, this starts with the designation of a Sector Risk Management Agency (SRMA). An SRMA is responsible for coordinating efforts with other federal agencies, carrying out incident management operations in line with current directives and providing support to help identify and mitigate potential vulnerabilities. While some experts argue that the space SMRA should be an agency already tasked with managing a critical sector, such as the Department of Homeland Security or the Department of Defense, the CSC report suggests an alternative: NASA.

According to the report, NASA not only has the sector-specific capabilities to help bolster space infrastructure security but also has a proven track record of effectively working with private sector companies to facilitate space missions. Taking on the role of SMRA would require time and effort from NASA, and so far, the agency hasn’t expressed interest in the role. In addition, the CSC recommends at least $15 million per year in supplemental funding to help NASA (or another agency) successfully handle SMRA responsibilities.

Key components of coordinated protection and prevention efforts

While space represents a shift in perspective around critical infrastructure, it shares common ground with other sectors when it comes to protection and prevention.

For example, the CSC report recommends the establishment of a space systems sector coordinating council made up of CEO-level representatives. This approach both fosters information sharing and facilitates the creation of sector-wide standards for security incident detection, reporting and response. This approach aligns with PPD-21, which highlighted the need for “the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators.”

The CSC report also suggests the creation of a co-led risk management enterprise that includes both public and private partners. This joint expertise makes it possible to identify and develop space-specific best practices and create a dynamic risk modeling environment that allows companies and agencies to anticipate and respond to potential threats. This type of shared responsibility model is already present in sectors such as the defense industrial base, which uses government-approved private contractors to manage key aspects of critical infrastructure and ensure sector best practices are keeping pace with evolving security threats.

The final frontier?

Space is on track to become the 17th critical infrastructure sector, given both its economic and national security impacts in addition to the CSC report recommendation.

In and of itself, however, space isn’t the final frontier. While both public and private agencies have a responsibility to strengthen and secure this sector, it’s the interaction of space-based infrastructures with those of other sectors — such as communication, energy and the defense industrial base — that lay the groundwork for proactive and coordinated efforts in national defense.

More from Risk Management

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today