July 10, 2023 By Doug Bonderud 4 min read

In 2013, Presidential Policy Directive (PPD) 21 established 16 critical infrastructure sectors responsible for providing essential services that underpin American society.

These services are not only vital to the country’s safety and prosperity but are inherently tied to public confidence. As a result, the PPD makes it clear that “proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning and resilient critical infrastructure.” Some of the nation’s critical infrastructure sectors include commercial facilities, emergency services, food and agriculture, information technology and water and wastewater systems.

According to a new report from the Cyberspace Solarium Commission (CSC), however, the time has come to add a 17th sector: space systems.

What is the CSC?

The CSC was established in 2019 under the John S. McCain National Defense Authorization Act. Its purpose is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

On March 11, 2020, the CSC’s finished report was made public. It contained 82 recommendations across six pillars to help improve cybersecurity infrastructure. Under the FY2021 National Defense Authorization Act, 25 of these recommendations were codified into law. These included the strengthening of federal networks (recommendation 1.4), the establishment of an integrated cybersecurity center (5.3) and the creation of a strategy to secure email (4.5.2).

The CSC’s newest report, published in April 2023, recommends the addition of space systems as the 17th critical infrastructure sector.

Why is space next on the critical infrastructure list?

PPD-21 establishes the threshold for critical infrastructure: it must be so fundamental to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

The CSC report makes the case for space infrastructure meeting this definition. In part, this is tied to economic impact: In 2019 alone, the space industry generated $194.4 billion. Security is also a key concern. If satellites, spacecraft or ground control centers are compromised, the result could be anything from stolen data to hijacked devices, in turn putting both physical and digital assets at risk.

Several issues compound this risk. First is the uneven application of security best practices across commercial space manufacturers — while some may obfuscate ground-to-space connections, others may rely on the insecure public internet or unprotected business networks. In addition, communications between spacecraft and ground control stations are transmitted using unencrypted, open networks that offer no protection against eavesdropping.

Finally, space technologies suffer from the same problem as other critical infrastructure sectors: legacy technologies. Some may be unable to update software or firmware, while others may lack data backups, making them vulnerable to attack.

Given the critical role of space systems and their potential security risk, the CSC report has been reviewed by the CISA, which produced its own report on the subject, and states that the CISA will “evaluate the establishment of the Space Sector as a critical infrastructure sector.”

Solving for sector risk

If space is designated as the 17th critical infrastructure sector, the next step is creating an effective, protective framework.

As noted by the CSC report, this starts with the designation of a Sector Risk Management Agency (SRMA). An SRMA is responsible for coordinating efforts with other federal agencies, carrying out incident management operations in line with current directives and providing support to help identify and mitigate potential vulnerabilities. While some experts argue that the space SRMA should be an agency already tasked with managing a critical sector, such as the Department of Homeland Security or the Department of Defense, the CSC report suggests an alternative: NASA.

According to the report, NASA not only has the sector-specific capabilities to help bolster space infrastructure security but also has a proven track record of effectively working with private sector companies to facilitate space missions. Taking on the role of SRMA would require time and effort from NASA, and so far, the agency hasn’t expressed interest in the role. In addition, the CSC recommends at least $15 million per year in supplemental funding to help NASA (or another agency) successfully handle SRMA responsibilities.

Key components of coordinated protection and prevention efforts

While space represents a shift in perspective around critical infrastructure, it shares common ground with other sectors when it comes to protection and prevention.

For example, the CSC report recommends the establishment of a space systems sector coordinating council made up of CEO-level representatives. This approach both fosters information sharing and facilitates the creation of sector-wide standards for security incident detection, reporting and response. This approach aligns with PPD-21, which highlighted the need for “the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators.”

The CSC report also suggests the creation of a co-led risk management enterprise that includes both public and private partners. This joint expertise makes it possible to identify and develop space-specific best practices and create a dynamic risk modeling environment that allows companies and agencies to anticipate and respond to potential threats. This type of shared responsibility model is already present in sectors such as the defense industrial base, which uses government-approved private contractors to manage key aspects of critical infrastructure and ensure sector best practices are keeping pace with evolving security threats.

The final frontier?

Space is on track to become the 17th critical infrastructure sector, given both its economic and national security impacts in addition to the CSC report recommendation.

In and of itself, however, space isn’t the final frontier. While both public and private agencies have a responsibility to strengthen and secure this sector, it’s the interaction of space-based infrastructures with those of other sectors — such as communication, energy and the defense industrial base — that lays the groundwork for proactive and coordinated efforts in national defense.
