The National Institute of Standards and Technology release the Introduction to Cybersecurity for Commercial Satellite Operations

March 17, 2022 |

It is interesting to see the National Institute of Standards and Technology recently release an Introduction to Cybersecurity for Commercial Satellite Operations.  It is too interesting not to post on even if the chances of working on cyber security for satellites is probably a little bit removed from most practitioners experience.  Put another way, I am not expecting a call from Elon Musk to do some cyber security work on a Space X satellite.  That said, the principles are as applicable to more terrestrial equipment. 

The rationale for the paper is pithily described in the abstract stating:

Space is a newly emerging commercial critical infrastructure sector that is no longer the domain of only national government Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.

The NIST recommends using the cybersecurity Framework to develop a profile that involves:

Step 1: Establish Scope and Priorities.  While it is most effective to address cybersecurity in the earliest stages of building the components of the space architecture and embedding risk-reducing measures many commercial satellite operators have already deployed several generations of their vehicles.  A current cybersecurity profile should be created to describe what cybersecurity outcomes are being achieved.  That involves establishing a target profile to describe the outcomes needed to meet the cybersecurity risk management goals.  A gap analysis of the differences between the current profile and the target profile provides information that the organization can use to make decisions regarding cybersecurity.

Step 2: Orient.  Identifying related systems, assets, regulatory requirements and the overall risk approach. The organization then works to identify threats and vulnerabilities applicable to those systems and

Step 3: Create a Current Profile. This step allows the organisation to understand their current cybersecurity posture. An organisation assesses how it is currently implementing the CSF functions by creating a Current Profile – a list of subcategory activities that are currently being implemented.

Step 4: Conduct a Risk Assessment. This initial assessment could be guided by the organization’s overall risk management process or previous risk assessment activities.  The organization analyzes the operational environment, identifies emerging risks, and uses cyber threat information from internal and external sources to discern the likelihood of a cybersecurity event and the impact that the event could have on the organisation.

Step 5: Create a Target Profile. A Target Profile is created by selecting the subcategories that support the organisation’s desired cybersecurity outcomes.  Each organisation will have a unique risk posture, which will result in a unique set of subcategories.

Step 6: Determine, Analyze, and Prioritize Gaps. This involves comparing the Current Profile and the Target Profile to identify potential gaps.  When paired with a threat, a risk assessment can be conducted to determine an overall risk rating. This can lead to a prioritized action plan to address those gaps.

Step 7: Implement Action Plan. The organization determines which actions to take to address the gaps. The Framework is an iterative process that must be repeated at regular intervals, when the impact to the organization changes, or when the cyberthreat landscape changes.  There should be reviews of the security profile, gap reassessment, updated action plans, and completed action plans at least every two years.

To protect a satellite from communications spoofing, interception, corruption, tampering and denial of service the NSIT recommends:

  • identifying asset vulnerabilities and document those vulnerabilities as part of a cybersecurity program.
  • only allow authorized devices to communicate with the satellite, and employ the following requirements:
    • authenticate the claimed identity of any device attempting to communicate:
    • drop all communication attempts for which the access authorization of the other device cannot be confirmed.
    • check the integrity of communications and drop any communications where integrity appears to have been violated.
  • only allow authorized devices to access sensitive data within the satellite’s communications.
  • use encryption to protect the contents of communications
  • require that the recipient of encrypted communications be authenticated before they can decrypt the communications and access their contents.

In making the satellite  communications resilient to adverse conditions it is necessary to:

  1. use communication protocols that ensure delivery
  2. have a secondary or alternate communications channel available at all times, and automatically fail over to it when the primary communications channel is not functioning properly
  3. when communications are unavailable, store any unsent sensor data and send it after communications are restored.

Build protections into the satellite to thwart DDoS-related connection attempts.

Protect the vehicle if communications are compromised.  That means Implementing control response and recovery plans which are in place such as the ability to act in autonomous safe mode and to avoid collision in the case of a congested orbital slot.

Enhance the ability of the vehicle to ingest and share threat data and to react to that data.  That anticipates in future that spacecraft may autonomously activate or deactivate an on-orbit function as a means to mitigate a potential attack.

To protect the satellite and its data from unauthorized access, use, corruption, tampering and denial of service involves:

  • using secure device design and development practices for the satellite hardware, firmware, operating system, and applications.
  • isolate executing processes from each other.
  • validating all input, including commands and data

To prevent and deter attacks against the satellite an organisation needs to:

  • use a hardware root of trust to perform a secure boot, which will be the basis for conducting system integrity checks and other health checks/self-tests
  • providing update, upgrade, and uninstall capabilities for firmware and software.
  • be configured  to avoid known security weaknesses
  • prevent unauthorised software from executing application allow listings software
  • only allow authorized parties to access and alter sensor data stored on the satellite.
  • protect the integrity of all stored sensor data.

 As with all cybersecurity plans it is necessary to plan for the worst. That includes:

  • logging security-related events and and continuously review the logs.     
  • investigating suspicious events.
  • preventing an incident from continuing or expanding.

 To obtain the most current and accurate threat data to inform the residual risk analysis it is necessary to:

  •  join a local Information sharing and analysis center so that organisations will have a venue for sharing and receiving prioritized information regarding known risks as the threat and technology landscapes evolve.
  • define a protocol to consult various authorities to understand potential threats to space-based network operations.


Leave a Reply