Analysis Space Security How Does Space Policy Directive-5 Change Cybersecurity Principles for Space Systems? PublishedSeptember 14, 2020 By Makena Young Official White House Photo by Shealah Craighead On Friday, September 4, 2020, President Trump signed a fifth Space Policy Directive (SPD-5), which outlines cybersecurity principles for space systems. The guidelines are in place to increase cyber protections for critical U.S. space infrastructure, including global communications, navigation, and national security applications. What does Space Policy Directive-5 (SPD-5) say? SPD-5 applies existing cybersecurity strategy—currently in use in terrestrial systems—to evolving space systems, with an emphasis on protecting the security, economic prosperity, and scientific knowledge of the United States. The new policy applies to U.S. Government civil and national security space systems and private space systems. This directive places emphasis on the need to improve cyber protections when developing space systems, which are defined as a combination of a ground control network, a space vehicle, and a user or mission network that provide a space-based service. Each aspect of these systems should be developed to monitor, anticipate, and adapt to evolving malicious cyber activities. SPD-5 directs U.S. government agencies to work with space system owners and operators to develop and implement cybersecurity plans, including the ability to perform updates and respond to incidents remotely. At a minimum, the directive asks space operators to consider incorporating into their plans: “Safeguarding command, control, and telemetry links using effective and validated authentication or encryption measures;Physical protection measures designed to reduce the vulnerabilities of a space vehicle’s command, control, and telemetry receiver systems; Protection against communications jamming and spoofing; Protection of ground systems, operational technology, and information processing systems … including staff awareness and training inclusive of insider threat mitigation precautions; Adoption of appropriate cybersecurity hygiene practices, physical security for automated information systems, and intrusion detection methodologies; andManagement of supply chain risks through tracking manufactured products, sourcing from trusted suppliers, identifying malicious equipment, and assessing other available risk mitigation measures.” How does this directive affect current space authorities and regulations? Federal agencies are being asked to work with the commercial sector and other non-government space operators to further define best practices, establish norms, and promote improved cybersecurity behaviors. The implementation of the guidelines set forth will be through rules, regulations, and guidance aimed to enhance best practices and norms of behavior in the cybersecurity domain. The main commercial space regulatory bodies within the U.S. Government (NOAA, FAA, and FCC) could incorporate these cyber security principles into future rules and regulations, although no timeline or specific guidance is included for this. This directive encourages space system owners and operators to collaborate and share information with others in the space industry; including through the Information Sharing and Analysis Centers (ISACs), a set of non-profit organizations used for compiling information on cyber threats to critical infrastructure. The Space ISAC, run by the National Cybersecurity Center, was founded in 2019. Why are these guidelines necessary? The United States designated the cyber domain as the fifth warfighting domain in 2011. In the last decade, the cyber domain has become an increasing priority for the U.S. government and for space systems as cyber attacks have increased. Cyber attacks can affect space systems in multiple ways, ranging from physical damage to a satellite and the potential creation of orbital debris to the disruption or total loss of mission data. SPD-5 builds on components in the 2017 National Security Strategy, the 2018 Space Policy Directive-3, and the 2018 National Cyber Strategy. Each of these documents express the importance of the space domain and an increased U.S. effort to build resilient space assets, and SPD-5 consolidates and expands on past language. Following the 2018 creation of the Cybersecurity and Infrastructure Security Agency (CISA), issuance of the National Cyber Strategy, this directive is in line with a recent policy focus on establishing cybersecurity protocol. How will SPD-5 be implemented? SPD-5 expects all space system owners and operators to develop and enforce these guidelines on their own systems, asking U.S. government agencies to work with, but not enforce these guidelines on, commercial operators. The main goal of this directive is to formally establish cybersecurity norms and best practices for space systems. There is no stated plan or timeline for a U.S. government regulatory agency to enforce this guidance, but the directive states: “Implementation of these principles, through rules, regulations, and guidance, should enhance space system cybersecurity, including through the consideration and adoption, where appropriate, of cybersecurity best practices and norms of behavior.” How can system operators and owners protect against cyber attacks? There are many elements of a space system to protect from cyber threats, such as antennas, landlines that connect ground control stations to terrestrial networks, and user terminals that connect to operational satellites. SPD-5 includes examples of cyber activities with the potential to harm space operations, including: spoofing data, jamming command and control links, introducing malicious code to a data stream, and conducting denial-of-service (DoS) attacks which block legitimate users from being able to access appropriate data. Actions that can be taken to protect systems can consist of: limiting access to network systems, restricting user access to information, securing ratio frequency (RF) transmissions to and from satellites, and establishing contingency plans for cyber operations. It encourages operators to identify their most critical satellite functions and ensure those are secure first. Satellites need to communicate with terrestrial ground stations, and many civil and commercial systems process and distribute that data across various other networks, and all of these potential points of entry must be protected. To best insulate data entering a ground station, system operators can: reinforce encryption requirements, safeguard all data entry and exit points, and increase network security protocols beyond what is already in place.