by Samuel Lefcourt

This discusses Introduction to Cybersecurity for Commercial Satellite Operations by Matthew Scholl

Due to economic benefits, people are no longer viewing space as solely a means for exploration.  Companies in a variety of fields such as research and development, material sciences, communication and sensing are migrating to the space scene.  However, risks exist in space that normally don’t apply.  As such, companies should be aware of these dangers at the beginning in order to properly plan for them.  For instance, space is unlike our terrestrial plane in that it is extremely difficult to adjust physical elements once it enters the low orbit.  In this paper the National Institute of Standards and Technology (NIST) introduces cybersecurity frameworks, provides mitigation techniques, and elucidates the general space-cybersecurity topic to provide a means of successful defense to crewless commercial space vehicles.

By highlighting the ideal high-level architectural view for such space operations, people are made aware of the main components:  ground station, link, space vehicle, user segment, inter-vehicle cyber security, and intra-vehicle cybersecurity.  The ground stations are located on Earth are responsible for portions or all of the space operations which are sent to the space vehicle via the link.  When dealing with satellites, the space-vehicle is typically a combination of a BUS and payload.  The BUS is responsible for ensuring the vehicle flies by “[storing] power, [maintaining] structure, [possessing an] attitude control system, processing and command control, and telemetry.”  The vehicles defenses, inter-vehicle cyber security, are important alongside the way in which it communicates with other operational satellites, intra-vehicle cybersecurity.

Conventionally, normal hardware products go through a lifecycle with each step encountering something different.  The same holds for space hardware.  The NIST find that the following operations have varying risks:

1. Assembly
   1. Space materials are collected from a variety of sources; as such, the hardware supply chain is critical.
   1. Because it is extremely difficult, if not impossible, to modify hardware once in space, ensuring functionality on the ground is ideal.
2. Prelaunch
   1. Operators ensure connectivity to the space device through radio frequency links and umbilical cord.
3. Launch
   1. Transfer the space system to its operational environment (generally low Earth orbit).
   1. Includes launch device installations, fuel operations and storage, launch safety, and destruct systems.
4. On-orbit check out
   1. Satellite beacons and connects via link to the ground control.
5. Operations – Sensing, Information Processing, Data Acquisition, and Communication
   1. Operations specific to the business mission are conducted by the satellite and/or its payload.
6. Decommissioning
   1. Maintain orbital debris in normal operations
   1. Minimize orbital debris in accidental explosions
   1. Proper dispose of space structure
   1. Consider appropriate CIA (confidentiality, integrity, availability) and physical attacks to gain satellite

Following a framework will provide a uniform baseline in which these companies can experiment and produce feedback depending on industry.  Known as the Cybersecurity Framework, the NIST propose a sequential, five-functional system of recover, identify, protect, detect, and respond.  The starting point of this system depends on the field in which it is being used.  For each primary function, there exist categories and subcategories that illustrate techniques to achieve desired goal and informative references which have done so. 

Adapting this framework to space is the last section in this paper.  The steps suggested in their cybersecurity program are as follows:

1. Establish Scope and Priorities
   1. Communicate clear expectations to all parties involved.
   1. Easiest to address cybersecurity concerns from the onset.
   1. Embed risk-reducing measures into design and supply chain that meet organizational and business objectives
   1. For businesses already in space, focus on the steps below.
2. Orient
   1. “Identify related systems, assets, regulatory requirements, and its overall risk approach.”
   1. “[I]dentify threats and vulnerabilities applicable to those systems and assets.”
3. Create a Current Profile
   1. “[S]ubcategory [CSF] activities that are currently being implemented within the organization.”
4. Conduct a Risk Assessment
   1. Analyze the environment alongside emerging risks.
   1. Use cyber threat information to determine likelihood of cybersecurity event
   1. Discern resulting impact from potential events
5. Create a Target Profile
   1. “[S]elect the [CSF] subcategories that support the organization’s desired cybersecurity outcomes.”
6. Determine, Analyze, and Prioritize Gaps
   1. Create plan to address gaps between current and target profiles.
7. Implement an Action Plan
   1. Determine which actions should be completed from the plan to improve cybersecurity.

This paper acts as a guideline to not only those entering the space field, but also those who have already been participating.  It will significantly impact the industry by setting a standard that focuses on cybersecurity. Depending on the mission, many companies or researchers will neglect safety precautions which are then difficult to add later.  This has the potential to set a multi-industry standard focusing on creating environments that put cybersecurity in the regard sentence as a minimum viable product.