NASA is about to introduce new requirements for its contractors. These requirements will dramatically improve the cybersecurity of spacecraft and the US’ resilience to cyber threats. But what do these requirements mean for spacecraft manufacturers? What challenges will they face? And what will they need to do to comply? Keep reading to find out.
Understanding the Cyber Space Threat
While NASA has cybersecurity requirements for its spacecraft in operation, these requirements do not extend to the spacecraft acquisition and development lifecycle. Essentially, NASA contractors are not currently subject to the same cybersecurity requirements as NASA, potentially leaving spacecraft vulnerable to attack.
This gap becomes particularly alarming when we consider the current geopolitical landscape. Russia, for example, launched a significant attack on American communications company Viasat an hour before launching its ongoing invasion of Ukraine. More recently, Russian foreign ministry apparatchik Sergey Belousko issued a veiled warning to commercial space outfits, such as SpaceX, that he accused of interfering in the Kremlin’s “internal affairs.”
Enter the Spacecraft Cybersecurity Act. Introduced by Congressman Maxwell Frost, the Act will ensure that NASA’s cybersecurity requirements flow down to contractors and the broader space ecosystem.
According to Frost’s website, the Act mandates that “within 270 days of enactment, NASA must complete a plan to update its spacecraft acquisition standards to include essential cybersecurity requirements.” Ultimately, this will ensure that NASA’s spacecraft are resilient to cyber threats wherever they originate.
Challenges in Securing Space Systems
Spacecraft manufacturers seeking to improve cybersecurity face three key challenges:
- Limited Accessibility: Unlike terrestrial technologies, many spacecraft and satellites are only accessible at certain times of the day. As such, it’s difficult to address cybersecurity concerns after deployment, and it is crucial to prioritize cybersecurity during the design phase.
- Weight Constraints: Spacecraft must be as light as possible, meaning manufacturers must prioritize lightweight cybersecurity measures, such as implementing encryption and removing redundant, vulnerable systems.
- Outdated Technologies: While manufacturers can issue software updates on more modern spacecraft, this won’t be possible with legacy systems. Retrofitting security where possible is essential, but, unfortunately, some spacecraft are a lost cause.
Understanding and accepting these challenges is crucial to meeting NASA’s incoming requirements. Although finding opportunities for retrofitting security is important, the focus really needs to be on future missions.
A Practical Approach to Spacecraft Cybersecurity
Despite these challenges, there are steps manufacturers can take to improve the cybersecurity of their spacecraft. By implementing the following measures, manufacturers can detail cybersecurity protections in their manufacturing pitches, stand out from competitors, and secure lucrative NASA contracts.
- Communication Security: Data encryption is vital for protecting communications between spacecraft and ground stations. What’s more, encryption is a lightweight and relatively inexpensive measure that will prove your commitment to cybersecurity.
- Software Vulnerability Management: Many space systems run on low-level programming languages like C or C++, which are prone to memory corruption vulnerabilities. Vulnerability Management solutions—like Digital Defense, BeSecure, and IP360—are invaluable for mitigating this issue.
- Ground Station Security: It’s far easier to improve the cybersecurity of ground stations than spacecraft, especially for older technologies. Prioritizing regular software updates and secure configurations at ground stations is crucial for minimizing risks to spacecraft.
- Futureproofing: Securing future missions and spacecraft relies on implementing secure-by-design principles. Reading CISA’s Secure-by-Design whitepaper is a great way to get to grips with this concept and start implementing it into your manufacturing process.
What Does This Mean for Commercial Manufacturers?
The commercial spacecraft industry is burgeoning and plays an increasingly important role in the global economy and society. While the Spacecraft Cybersecurity Act doesn’t directly apply to them, commercial manufacturers must pay attention to its requirements. The Act will have a knock-on impact, resulting in customers demanding a greater level of cybersecurity from manufacturers. Building trust with customers will be crucial as tourism and other commercial ventures continue to expand.
The Road Ahead: Adopting a Secure-First Mindset
The Spacecraft Cybersecurity Act is a landmark piece of legislation that will transform the way spacecraft manufacturers think about security. Adapting to the changes it brings about requires more than a box-ticking compliance exercise – it necessitates embracing a secure-first mindset that integrates cybersecurity into every aspect of the design, production, and operation lifecycle.
While commercial interests often prevent progress, collaboration across the space industry must play a role in tackling spacecraft cybersecurity challenges. As noted, securing spacecraft is no mean feat, so it’s important for organizations to work together.
Manufacturers should work closely with NASA, their peers, and other stakeholders to develop best practices, share threat intelligence, and coordinate responses to emerging cyber threats. Industry-wide adoption of frameworks like NIST’s Cybersecurity Framework can help standardize efforts and ensure a unified approach to protecting space assets.
Ultimately, the Spacecraft Cybersecurity Act is a call to action for the entire industry. It highlights the need to treat cybersecurity as an integral component of space exploration and innovation. By taking a forward-thinking approach, spacecraft manufacturers can not only comply with NASA’s requirements but also position themselves as leaders in a rapidly evolving space economy.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.