The White House has released a new space policy directive on September 4 aimed at improving cybersecurity of space systems in the United States.
The directive, called Memorandum on Space Policy Directive-5—Cybersecurity Principles for Space Systems, intends to foster practices within government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats and ensure continuity of operations.
“Examples of malicious cyber activities harmful to space operations include spoofing sensor data; corrupting sensor systems; jamming or sending unauthorized commands for guidance and control; injecting malicious code; and conducting denial-of-service attacks. Consequences of such activities could include loss of mission data; decreased lifespan or capability of space systems or constellations; or the loss of positive control of space vehicles, potentially resulting in collisions that can impair systems or generate harmful orbital debris,” the directive, SPD-5, states.
The initiative is part of a broader national initiative that includes the National Cyber Strategy of September 2018, and also in line with National Security Strategy of December 2017, Space Policy Directive-3 (SPD-3) of June 18, 2018.
Space Policy Directive 5
Section 4 of the SPD-5 spells out the broad cybersecurity principles for space systems under which government agencies will work with the commercial space industry and other non-government space operators to further define best practices, establish cybersecurity-informed norms, and promote improved cybersecurity behaviors throughout the nation’s industrial base for space systems.
The directive states that space systems and their supporting infrastructure should be developed and operated using risk-based, cybersecurity-informed engineering so that they can “continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations”.
Owners and operators of all space systems are expected to develop and implement cybersecurity plans that ensure operators or automated control center systems retain or recover positive control of space vehicles. “These plans should also ensure the ability to verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they enable and provide,” it adds.
All space system owners and operators are directed to incorporate in their plans:
- Protection against unauthorized access to critical space vehicle functions
- Physical protection measures designed to reduce the vulnerabilities of a space vehicle’s command, control, and telemetry receiver systems
- Protection against communications jamming and spoofing, such as signal strength monitoring programs, secured transmitters and receivers, authentication, or effective, validated, and tested encryption measures designed to provide security against existing and anticipated threats during the entire mission lifetime.
- Protection of ground systems, operational technology, and information processing systems through the adoption of deliberate cybersecurity best practices, in line with practices aligned with the National Institute of Standards and Technology’s Cybersecurity Framework.
- Adopt appropriate cybersecurity hygiene practices, physical security for automated information systems, and intrusion detection methodologies for system elements such as information systems, antennas, terminals, receivers, routers, associated local and wide area networks, and power supplies.
- Management of supply chain risks that affect cybersecurity of space systems through tracking manufactured products; requiring sourcing from trusted suppliers; identifying counterfeit, fraudulent, and malicious equipment; and assessing other available risk mitigation measures.
The directive also calls on owners and operators of space systems to collaborate and promote the development of best practices, and also share threats, warnings, and incident information within the space industry.
“Implementation of these principles, through rules, regulations, and guidance, should enhance space system cybersecurity, including through the consideration and adoption, where appropriate, of cybersecurity best practices and norms of behavior,” the policy states.
SPD-5 is the 5th in line of space policy directives issued by the Trump administration.