July 10, 2023 By Doug Bonderud 4 min read

In 2013, Presidential Policy Directive (PPD) 21 established 16 critical infrastructure sectors responsible for providing essential services that underpin American society.

These services are not only vital to the country’s safety and prosperity but are inherently tied to public confidence. As a result, the PPD makes it clear that “proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning and resilient critical infrastructure.” Some of the nation’s critical infrastructure sectors include commercial facilities, emergency services, food and agriculture, information technology and water and wastewater systems.

According to a new report from the Cyberspace Solarium Commission (CSC), however, the time has come to add a 17th sector: space systems.

What is the CSC?

The CSC was established in 2019 under the John S. McCain National Defense Authorization Act. Its purpose is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

On March 11, 2020, the CSC’s finished report was made public. It contained 82 recommendations across six pillars to help improve cybersecurity infrastructure. Under the FY2021 National Defense Authorization Act, 25 of these recommendations were coded into law. These included the strengthening of federal networks (recommendation 1.4), the establishment of an integrated cybersecurity center (5.3) and the creation of a strategy to secure email (4.5.2).

The CSC’s newest report, published in April 2023, recommends the addition of space systems as the 17th critical infrastructure sector.

Why is space next on the critical infrastructure list?

PPD-21 establishes the threshold for critical infrastructure: it must be so fundamental to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

The CSC report makes the case for space infrastructure meeting this definition. In part, this is tied to economic impact: In 2019 alone, the space industry generated $194.4 billion. Security is also a key concern. If satellites, spacecraft or ground control centers are compromised, the result could be anything from stolen data to hijacked devices, in turn putting both physical and digital assets at risk.

Several issues compound this risk. First is the uneven application of security best practices across commercial space manufacturers — while some may obfuscate ground-to-space connections, others may rely on the insecure public internet or unprotected business networks. In addition, communications between spacecraft and ground control stations are transmitted using unencrypted, open networks that offer no protection against eavesdropping.

Finally, space technologies suffer from the same problem as other critical infrastructure sectors: legacy technologies. Some may be unable to update software or firmware, while others may lack data backups, making them vulnerable to attack.

Given the critical role of space systems and their potential security risk, the CSC report has been reviewed by the CISA, which produced its own report on the subject, and states that the CISA will “evaluate the establishment of the Space Sector as a critical infrastructure sector.”

Solving for sector risk

If space is designated as the 17th critical infrastructure sector, the next step is creating an effective, protective framework.

As noted by the CSC report, this starts with the designation of a Sector Risk Management Agency (SRMA). An SRMA is responsible for coordinating efforts with other federal agencies, carrying out incident management operations in line with current directives and providing support to help identify and mitigate potential vulnerabilities. While some experts argue that the space SMRA should be an agency already tasked with managing a critical sector, such as the Department of Homeland Security or the Department of Defense, the CSC report suggests an alternative: NASA.

According to the report, NASA not only has the sector-specific capabilities to help bolster space infrastructure security but also has a proven track record of effectively working with private sector companies to facilitate space missions. Taking on the role of SMRA would require time and effort from NASA, and so far, the agency hasn’t expressed interest in the role. In addition, the CSC recommends at least $15 million per year in supplemental funding to help NASA (or another agency) successfully handle SMRA responsibilities.

Key components of coordinated protection and prevention efforts

While space represents a shift in perspective around critical infrastructure, it shares common ground with other sectors when it comes to protection and prevention.

For example, the CSC report recommends the establishment of a space systems sector coordinating council made up of CEO-level representatives. This approach both fosters information sharing and facilitates the creation of sector-wide standards for security incident detection, reporting and response. This approach aligns with PPD-21, which highlighted the need for “the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators.”

The CSC report also suggests the creation of a co-led risk management enterprise that includes both public and private partners. This joint expertise makes it possible to identify and develop space-specific best practices and create a dynamic risk modeling environment that allows companies and agencies to anticipate and respond to potential threats. This type of shared responsibility model is already present in sectors such as the defense industrial base, which uses government-approved private contractors to manage key aspects of critical infrastructure and ensure sector best practices are keeping pace with evolving security threats.

The final frontier?

Space is on track to become the 17th critical infrastructure sector, given both its economic and national security impacts in addition to the CSC report recommendation.

In and of itself, however, space isn’t the final frontier. While both public and private agencies have a responsibility to strengthen and secure this sector, it’s the interaction of space-based infrastructures with those of other sectors — such as communication, energy and the defense industrial base — that lay the groundwork for proactive and coordinated efforts in national defense.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today