To say the least, critical infrastructure cybersecurity has been on the U.S. government’s mind. And for good reason. A breach of these systems can and has caused major effects. Take the Colonial Pipeline, JBS Foods, and Kaseya cases as examples. But in their consideration, is there a significant space being missed? If you got the hint, we’re talking about Space! Should systems such as satellites be included in the government’s critical infrastructure cybersecurity initiatives?
Government Takes on Critical Infrastructure Cybersecurity
Before exploring that question further, let’s start by briefly reviewing some of the programs the government has launched in the past few years to address critical infrastructure cybersecurity.
In 2021, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) started the Joint Cyber Defense Collaborative (JCDC), which “brought together federal agencies, state and local governments, and private sector organizations to create cyber defense plans for resilience against malicious cyber activity targeting critical infrastructure,” as described by Sergiu Gatlan at Bleeping Computer. The agency then quickly followed that up with the release of the Ransomware Readiness Assessment (RRA), an add-on to its Cyber Security Evaluation Tool (CSET).
Jumping to this year, CISA introduced a new program known as the Ransomware Vulnerability Warning Pilot (RVWP). The purpose of RVWP is to assist critical infrastructure operators with identifying and patching cyber vulnerabilities often exploited by threat actors.
Also published so far in 2023 was the Biden administration’s National Cybersecurity Strategy. In an article for Harvard Business Review, Virginia Wright, Andrew Ohrt, and Andy Bochman explain that the strategy “calls for major changes in how the United States prioritizes the security of software systems used in critical infrastructure.” It urges that a security-by-design approach is taken. In other words, software vendors and engineers building systems are to be held responsible for implementing “cyber-informed” strategies. In turn, facilities are better equipped to reject services that may pose great cybersecurity risk, work together on running vulnerability tests, construct thorough response plans, etc.
Including Space Systems in Critical Infrastructure Cybersecurity
Now that we’ve laid out a bit of the action around critical infrastructure cybersecurity, let’s return to the question posed in the intro of this post. Should space systems be included in the government’s initiatives? A new report from CSC 2.0 (formerly the Cyberspace Solarium Commission) orbiting around this question argues yes.
While Lisbeth Perez points out at MeriTalk that Presidential Policy Directive-21 designates 16 critical infrastructure sectors, CSC 2.0 is pushing for space systems to be considered the 17th. The organization not only notes that space systems match the definition of what constitutes a critical infrastructure sector, but that many of the other sectors already covered under the critical infrastructure umbrella rely on space technology. Therefore, space systems should receive the same protection and attention, especially as the threat landscape surrounding them grows. The report highlights the fact that Russian hackers targeted satellite company Viasat at the beginning of the invasion of Ukraine. By investing in space systems as critical infrastructure, operators in the field would be afforded access to the resources provided by programs such as those outlined above, including an emphasis on public-private partnerships.
This isn’t the first time that space systems and satellite cybersecurity has been brought up. As Dark Reading reports, the U.S. Space Force established four squadrons in 2022 to focus on the security of the Satellite Control Network. Leaders of the branch have also requested the allocation of $700 million for further cybersecurity efforts.
We predict that this topic will continue to rise in prominence. And as a company committed to expanding our presence in critical infrastructure verticals, we are very interested in following its journey.
- “CISA now warns critical infrastructure of ransomware-vulnerable devices” – Sergiu Gatlan, Bleeping Computer
- “Engineering Cybersecurity into U.S. Critical Infrastructure” – Virginia Wright, Andrew Ohrt, & Andy Bochman, Harvard Business Review
- “Report: Space Systems Should Be Designated Critical Infrastructure” – Lisbeth Perez, MeriTalk
- “US Space Force Requests $700M for Cybersecurity Blast Off” – Dark Reading Staff, Dark Reading