Attacks and Vulnerabilities
Control device security
Critical infrastructure
Industrial Cyber Attacks
Malware, Phishing & Ransomware
News
Regulation, Standards and Compliance
Secure Remote Access
Secure-by-Design
System Design & Architecture
Technology & Solutions
Threat Landscape
Vulnerabilities

New CISA report addresses zero trust in space, boosting security for satellites and ground infrastructure

June 13, 2024
New CISA report addresses zero trust in space, boosting security for satellites and ground infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released a report highlighting the rapid integration of satellites, spacecraft, and their ground-based infrastructure into daily life, driven by substantial private investment in space. These space systems enable essential services, including healthcare, telecommunications, internet infrastructure, transportation, energy, and financial systems.

Titled, ‘Space Systems Security and Resilience Landscape: Zero Trust in the Space Environment,’ the document outlines that in January 2022, the Office of Management and Budget (OMB) released the Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture. Prior to this, the National Institute of Standards and Technology (NIST) developed guides to enhance cybersecurity across the space sector, including the foundational elements of Position, Navigation, and Timing (PNT), space, link, ground, and user segments. 

“The NIST Cybersecurity Framework (CSF) applies across space infrastructure as the CSF is a foundational element of modern cybersecurity across the U.S. government,” according to the report. “This strategy moves the U.S. government toward a ‘zero trust’ approach to cybersecurity and represents a step forward in executing Executive Order 14028 (EO 14028): Improving the Nation’s Cybersecurity. In concert, CISA released the Zero Trust Maturity Model which provides references for federal agencies transitioning toward a zero trust architecture. Both the framework and the maturity model are foundational elements of the U.S. government’s approach to implementing zero trust.” 

The report aims to analyze and define opportunities for applying zero-trust tenants across space infrastructure. This guide relies on framework components and seeks to analyze where and how they can be applied across the space infrastructure.

While the report primarily focuses on zero trust concepts, it is important to understand some basic cybersecurity principles first—Secure by Design (SBD), Secure by Default, and Cybersecurity Performance Goals (CPGs). These concepts encourage technology manufacturers to take ownership at the highest level in protecting their consumers and putting their safety first. There is also the concept of Secure by Default, where these products are considered secure right out of the box and need little to no end-user configuration or additional costs to control any access to their sensitive information.

The CPGs are organized to align with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework functions to Identify, Protect, Detect, Respond, and Recover in the event of a cybersecurity event. These CPGs are considered voluntary, and are aimed to assist small- and medium-sized organizations bolster their cybersecurity efforts in a way tailored to have the most impact with limited resources. The principles of Secure by Design and Cybersecurity Performance Goals should be foundational for developers and manufacturers to consider as they build these technologies that impact space systems, or any systems, in any meaningful way.

The core components of any zero trust implementation are an organization’s data, understanding how its data facilitates an organization’s functions, and how access to this data is used to deliver its business or mission objectives. The organization labels and prioritizes data in functional contexts derived from business or mission objective requirements that necessitate access within established constraints. 

The paper discusses two primary approaches to implementing a zero trust architecture: adapting existing systems and incorporating it into new acquisitions. The transition to a zero trust architecture in an existing system poses numerous challenges, particularly in minimizing disruption to ongoing operations. Conversely, new acquisitions offer the advantage of integrating zero trust principles from the early stages of conceptual development, taking into account the data types, functions, and criticality. Regardless of the approach, both scenarios face the ongoing challenge of integrating and sustainably applying current technology to establish effective zero trust access controls.

CISA details that a mature and collaborative systems engineering approach will be key to a zero trust implementation. There are multiple system life cycle depictions, but they generally share the essence established by the generic life cycle described in ISO/IEC/IEEE 15288:2015. An existing architecture or acquisition would benefit from systems engineering to define the roadmap to zero trust access control. The zero trust architecture for an existing system will need to work with constraints such as the availability of onboard processing cycles and memory to implement the zero trust architecture functions. 

New acquisitions include these same constraints but also add to size, weight, and power limitations if considering additional hardware to implement a zero trust architecture. To manage the constraints, the first step in the zero trust concept would emphasize scoping the implementation to the mission or business critical threads to create an architecture that is scalable to the operational needs of the mission. The scalability requirements need the essential threads supported by existing architecture to transition to a zero trust implementation as resources become available in iterative phases.

Late last year, NASA (National Aeronautics and Space Administration) released the first iteration of its Space Security Best Practices Guide to bolster mission cybersecurity efforts for the public sector and private sector space activities, as space missions and technologies grow increasingly interconnected.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

Webinar: A Sense of Urgency - Industrial Cybersecurity and Compliance Under the NIS2 Directive

Register: June 27, 2024 2pm CET

http://industrialcyber.co

Related

DHS Secretary Mayorkas unveils strategic guidance to bolster US critical infrastructure security and resilience
DHS Secretary Mayorkas unveils strategic guidance to bolster US critical infrastructure security and resilience
House Committee urges DHS, DOE to declassify risks of Chinese-manufactured drones
House Committee urges DHS, DOE to declassify risks of Chinese-manufactured drones
US DHS partners with Indonesia to strengthen maritime cybersecurity in Indo-Pacific region
US DHS partners with Indonesia to strengthen maritime cybersecurity in Indo-Pacific region
Broadcom's Symantec solutions achieve IRAP certification, meeting Australian government standards
Broadcom’s Symantec solutions achieve IRAP certification, meeting Australian government standards
MITRE launches ACID to boost OT security with ATT&CK-based indicators using CISA's ICSNPP Parsers
MITRE launches ACID to boost OT security with ATT&CK-based indicators using CISA’s ICSNPP Parsers
Fortinet reports surge in OT system cyberattacks with phishing and email compromises leading to intrusions
Fortinet reports surge in OT system cyberattacks with phishing and email compromises leading to intrusions
US CISA issues ICS cybersecurity advisories for Emerson, Mitsubishi Electric, Johnson Controls equipment
CISA warns of path traversal vulnerability in RAD Data’s SecFlow-2 hardware
US DOE introduces supply chain cybersecurity principles to bolster global energy infrastructure security
US DOE introduces supply chain cybersecurity principles to bolster global energy infrastructure security
Global cybersecurity agencies advocate adoption of zero trust, SSE, SASE to enhance network access security
Global cybersecurity agencies advocate adoption of zero trust, SSE, SASE to enhance network access security
Cal Poly report highlights outer space as new frontier for cybersecurity threats; offers ICARUS matrix
Cal Poly report highlights outer space as new frontier for cybersecurity threats; offers ICARUS matrix