Author: Chase Snyder, Sr. Cybersecurity Researcher, Xage Security
Presidential Policy Directive 21 (PPD-21) identifies 16 critical infrastructure sectors. The sectors are designated critical infrastructure because “their assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The 16 critical infrastructure sectors are Chemical, Commercial Facilities, Communication, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials & Waste, Transportation, and Water & Wastewater Systems.
Pressure has been mounting to add Space Systems to the list. A bill brought before the U.S. Congress in 2021 sought to designate “space systems, services, and technology as a critical infrastructure sector. In the same year, the White House itself issued a United States Space Priorities Framework outlining the many benefits of space activities, and the ways in which space infrastructure supports countless products, services, and economic opportunities to the American people. In April 2023 the Cyberspace Solarium Commision (CSC) issued a report advocating that space be designated as critical infrastructure.
Receiving an official designation as critical infrastructure would help unlock resources and give greater structure and direction to the project of securing space-based and ground-based space resources against cyberattacks. But even without the designation, public and private organizations alike need to make big steps quickly toward securing their parts of the big picture that is space infrastructure.
Rising Cyber Risk in Space Impacts Every Industry
Two primary trends are increasing the attack surface and risk level of cyberattacks in space, which impacts numerous industries on the ground.
- Increasing dependence on space based systems: Countless industries and businesses depend on satellites for their communication needs to run their operations on the ground. From global logistics and supply chain monitoring and management with the Global Positioning System (GPS), to missile launch detection, satellites are a linchpin of critical systems worldwide.
- Increasing numbers of Low-Earth Orbit (LEO) space assets using off-the-shelf components: The number of objects in orbit tracked by U.S. Space Force (USSF) has doubled since 2019, from approximately 25,000 to an estimated 50,000, according to Army Gen. James Dickinson, head of U.S. Space Command. The increase is driven by private companies putting tons of new LEO satellites into orbit. Many of these use the same inexpensive and widely available chips, other hardware, and software used in computers on the ground. That means these systems are subject to the same vulnerabilities and security risks.
These risks are not hypothetical. In 2022, a cyberattack on a satellite-based internet provider had the seemingly unintended effect of knocking out remote management capabilities for over 5,000 power-generating windmills. The attack appeared to be an attempt to limit communications in Ukraine as part of the ongoing conflict with Russia, but it also impacted tens of thousands of satellite internet modems across the globe. If that kind of collateral damage can occur accidentally when a satellite internet company gets attacked, imagine the impact of a targeted attack on space-based infrastructure.
This is unlikely to turn out to have been a one-off occurrence. Recently released research uncovered that many satellites are made with no cybersecurity capabilities built in whatsoever. The study concluded that satellites are leaning heavily on the antiquated concept of “security by obscurity.”
Who Is Responsible for Cybersecurity in Space?
Designating space as its own critical infrastructure industry is not a straightforward undertaking. Space resources, such as satellites and ground stations that communicate with them, play a key role in supporting many of the other existing critical infrastructure sectors. The CISA web page about the Communications Sector specifically mentions satellites being part of the sector, but satellites also have clear relevance to the Defense Industrial Base sector, Transportation sector, and many others.
The current 16 critical infrastructure sectors designated by PPD-21 each have a Sector Risk Management Agency (SRMA) assigned to them. These are existing federal agencies that have been assigned the responsibility of evolving the cybersecurity posture of their specific sector. The Department of Homeland Security (DHS) is the SRMA for a half dozen of the sectors. The Department of Energy and the Department of the Treasury are also SRMAs.
But there’s no SRMA for space. Responsibility for cybersecurity in space is fragmented across public and private organizations. This lack of central coordination and responsibility will create challenges that compound as the volume and criticality of space assets increases.
This doesn’t mean there’s nothing happening in space cybersecurity. Private organizations are certainly investing in cybersecurity, and government agencies such as the U.S. Air Force, U.S. Space Force, and NASA are taking action. The annual National Defense Authorization Act that just passed the U.S. House of Representatives included over $13.5 billion for cybersecurity activities, including “disrupt[ing] the efforts of advanced and persistent cyber adversaries, accelerate the transition to zero trust cybersecurity architecture, and increase defense of US critical infrastructure and defense industrial base partners against malicious cyberattacks.” Assigning an SRMA specifically to guide the evolution of cybersecurity in space would provide much needed structure and open the door to allocation of more resources to secure these critical assets.
Xage Security is already collaborating with the U.S. Air Force, U.S. Space Force, and other organizations to help protect space and ground-based assets.
To learn more about how Xage can protect critical infrastructure assets, including LEO satellites with no built-in security, check out our checklist for meeting the CISA Cross-sector Cybersecurity Performance Goals (CPGs) for Critical Infrastructure.