Light Dark
July 10, 2023 By Doug Bonderud 4 min read
Risk Management

In 2013, Presidential Policy Directive (PPD) 21 established 16 critical infrastructure sectors responsible for providing essential services that underpin American society.

These services are not only vital to the country’s safety and prosperity but are inherently tied to public confidence. As a result, the PPD makes it clear that “proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning and resilient critical infrastructure.” Some of the nation’s critical infrastructure sectors include commercial facilities, emergency services, food and agriculture, information technology and water and wastewater systems.

According to a new report from the Cyberspace Solarium Commission (CSC), however, the time has come to add a 17th sector: space systems.

What is the CSC?

The CSC was established in 2019 under the John S. McCain National Defense Authorization Act. Its purpose is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

On March 11, 2020, the CSC’s finished report was made public. It contained 82 recommendations across six pillars to help improve cybersecurity infrastructure. Under the FY2021 National Defense Authorization Act, 25 of these recommendations were coded into law. These included the strengthening of federal networks (recommendation 1.4), the establishment of an integrated cybersecurity center (5.3) and the creation of a strategy to secure email (4.5.2).

The CSC’s newest report, published in April 2023, recommends the addition of space systems as the 17th critical infrastructure sector.

Why is space next on the critical infrastructure list?

PPD-21 establishes the threshold for critical infrastructure: it must be so fundamental to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

The CSC report makes the case for space infrastructure meeting this definition. In part, this is tied to economic impact: In 2019 alone, the space industry generated $194.4 billion. Security is also a key concern. If satellites, spacecraft or ground control centers are compromised, the result could be anything from stolen data to hijacked devices, in turn putting both physical and digital assets at risk.

Several issues compound this risk. First is the uneven application of security best practices across commercial space manufacturers — while some may obfuscate ground-to-space connections, others may rely on the insecure public internet or unprotected business networks. In addition, communications between spacecraft and ground control stations are transmitted using unencrypted, open networks that offer no protection against eavesdropping.

Finally, space technologies suffer from the same problem as other critical infrastructure sectors: legacy technologies. Some may be unable to update software or firmware, while others may lack data backups, making them vulnerable to attack.

Given the critical role of space systems and their potential security risk, the CSC report has been reviewed by the CISA, which produced its own report on the subject, and states that the CISA will “evaluate the establishment of the Space Sector as a critical infrastructure sector.”

Solving for sector risk

If space is designated as the 17th critical infrastructure sector, the next step is creating an effective, protective framework.

As noted by the CSC report, this starts with the designation of a Sector Risk Management Agency (SRMA). An SRMA is responsible for coordinating efforts with other federal agencies, carrying out incident management operations in line with current directives and providing support to help identify and mitigate potential vulnerabilities. While some experts argue that the space SMRA should be an agency already tasked with managing a critical sector, such as the Department of Homeland Security or the Department of Defense, the CSC report suggests an alternative: NASA.

According to the report, NASA not only has the sector-specific capabilities to help bolster space infrastructure security but also has a proven track record of effectively working with private sector companies to facilitate space missions. Taking on the role of SMRA would require time and effort from NASA, and so far, the agency hasn’t expressed interest in the role. In addition, the CSC recommends at least $15 million per year in supplemental funding to help NASA (or another agency) successfully handle SMRA responsibilities.

Key components of coordinated protection and prevention efforts

While space represents a shift in perspective around critical infrastructure, it shares common ground with other sectors when it comes to protection and prevention.

For example, the CSC report recommends the establishment of a space systems sector coordinating council made up of CEO-level representatives. This approach both fosters information sharing and facilitates the creation of sector-wide standards for security incident detection, reporting and response. This approach aligns with PPD-21, which highlighted the need for “the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators.”

The CSC report also suggests the creation of a co-led risk management enterprise that includes both public and private partners. This joint expertise makes it possible to identify and develop space-specific best practices and create a dynamic risk modeling environment that allows companies and agencies to anticipate and respond to potential threats. This type of shared responsibility model is already present in sectors such as the defense industrial base, which uses government-approved private contractors to manage key aspects of critical infrastructure and ensure sector best practices are keeping pace with evolving security threats.

The final frontier?

Space is on track to become the 17th critical infrastructure sector, given both its economic and national security impacts in addition to the CSC report recommendation.

In and of itself, however, space isn’t the final frontier. While both public and private agencies have a responsibility to strengthen and secure this sector, it’s the interaction of space-based infrastructures with those of other sectors — such as communication, energy and the defense industrial base — that lay the groundwork for proactive and coordinated efforts in national defense.

 |  |  |  |  |  |  | 
Doug Bonderud
Writer

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature