The Pentagon recently issued new rules on cybersecurity measures that commercial satellite operators must employ if their products or services are used by U.S. intelligence agencies or military services.
The rules, from the Pentagon-led interagency Committee on National Security Systems contain important new provisions, Brandon Bailey from Aerospace Corp., a federally funded research and development nonprofit, told the annual CyberSat conference in Reston, Va., on Nov. 18.
The latest versions of CNSS’ policy guidance and security regulations for national security space systems require that satellites:
- Be equipped with real-time on-board intrusion detection and prevention systems
- Employ hardware root-of-trust to ensure secure reboot capability
- Implement security patch management for on-board and ground segment software.
“If you build services or capabilities that support national security missions, this policy and the requirements within these policies and instructions apply to you,” he told the audience of satellite industry executives and engineers.
CNSS first released its policy and instructions in 1985 and updated them in 2018 before this latest update. The regulations are incorporated into government procurement contracts for national security missions, Bailey said—though he acknowledged they are not always prioritized. “Are you being held accountable to that?” he asked the vendors, “Probably not. That’s one of the things we’ve seen over the years, these policies and these requirements … they get put in contract but they don’t necessarily get [well-enforced.]”
Despite this, the new rules look set to supercharge the growing marketplace for cybersecurity tools and systems designed specifically for the space sector. At the same time, the government is developing free open-source cyber tools for spacecraft, a move that some say might undermine the market.
As part of its mission to protect the nation’s critical infrastructure, the Department of Homeland Security is developing cyber resilience tools for satellites that provide vital resources including position, navigation, and timing services like GPS, as well as communication channels like mobile phone and broadband internet, said Ernest Wong, the technical lead for PNT & Space Systems at DHS’s Science and Technology Division.
Over the past year, said Wong at a Nov. 17 presentation, DHS realized there is a “detection gap” in the satellite industry, “specifically an on-board detection gap, because a lot of detection right now is based on telemetry.” Telemetry is the operational data about a satellite’s course, position, and speed (among other factors) that it transmits to its ground station. Although telemetry can include data about on-board computer systems, there are too many cyber attacks that “cannot be detected through telemetry-based threat detection,” said Wong.
To fill that gap, DHS is working with Aerospace Corp. to develop an on-board intrusion detection system, or IDS, specially designed to operate in the very different and specific environment of a spacecraft. They began by developing a list of indicators that satellite operators could look for on-board. These “Indicators of Behavior” are things that if they happen, might show the satellite is under cyber attack. “The idea here was to develop some of the foundational knowledge to identify what we should look for, when trying to detect threats,” Wong said.
Using these IOBs, Aerospace built a prototype system called SpaceCOP that Wong said is a successful proof of concept. He said DHS is looking for satellite operators that wanted to pilot and further test it. As it is being developed, the operators will be able to learn how to react to alerts and warnings from systems like SpaceCOP, both to mitigate attacks on board the spacecraft and to share the IOBs as a warning to other operators.
“Our primary goal here is to lower the cost of security so we can reduce the barriers to the adoption of cyber resilience based systems” on satellites, Wong said.
Once their work developing prototypes is finished, Wong explained, the results will be open-sourced, so as to make them freely available for the whole satellite industry.
Not everyone was thrilled at the idea of the government making and giving away the kind of cyber tools that many at the CyberSat conference make a living by selling.
“IDS is not the main driver of our business, so we’re not too concerned,” said one engineer who works for a company that sells cyber tools and services to the national security sector. But he was skeptical about how much value its users would get from SpaceCOP. “Everyone is free to do what they wish, but my view is, when the government gets involved, you end up with a $500 hammer.”
But others welcomed the DHS move, saying SpaceCOP and other free and open-source tools like it would create a technical foundation on which the private sector could build for-profit tools and value-added services.
“Far from limiting private-sector progress, government-developed tools establish a baseline that encourages higher performance and greater security. The commercial sector’s role is to innovate above that baseline,” said Ricardo Aguilar, co-founder and CEO of Proof Labs. His Albuquerque, N.M., startup is developing an AI-powered on-board IDS for the Space Force called the Cyber Resilience On-Orbit, or CROO, tool. Rather than wait until SpaceCOP is open-sourced, they’ve already licensed the technology for their government work, Aguilar explained.
Commercial satellite operators will “still require certified, high-assurance solutions that open-source code can’t meet” under the new CNSS regulations “which is where real commercial value and innovation [will] still matter,” he said. And the need for it “has never been greater.”
“They have years of research we can build on,” added Joseph Davis of BigBear.ai, which is also working on the CROO tool.
The update to CNSS policy guidance and rules was mandated by two executive orders. The first one, signed by President Biden on Jan 16 just days before the end of his administration, set the wheels in motion. President Trump kept the working going in a June 6 order, explained Bailey. It was completed in August. “That is lightning speed for the government,” he said.
