New NIST IR 8270 document addresses cybersecurity risk management for commercial satellite space

The National Institute of Standards and Technology (NIST) published Tuesday a final document that provides a general introduction to cybersecurity risk management for the commercial satellite industry as it seeks to start managing cybersecurity risks in space. While the NIST IR 8270 document is not comprehensive in addressing cybersecurity risks to commercial satellite infrastructure, it presents basic concepts, prompts discussion, and provides sample references for additional information on pertinent cybersecurity risk management models.

Titled ‘Introduction to Cybersecurity for Commercial Satellite Operations,’ the NIST IR 8270 document notes that the Cybersecurity Policy for Space Systems Used to Support National Security Missions (CNSSP-12) governs the acquisition of national security space systems. Commercial satellites, by contrast, play a crucial role in operating networks that regulate pipelines, water systems, and electric utilities.

The NIST IR 8270 aims to introduce the Cybersecurity Framework (CSF) to commercial space businesses by describing a specific method for applying the CSF to a small portion of commercial satellite operations, creating an example CSF set of desired security outcomes based on missions and anticipated threats, and describing an abstracted set of cybersecurity outcomes, requirements, and suggested cybersecurity controls. The CSF is non-regulatory, and its scope applies to commercial entities that operate space vehicles and payloads that are not owned, operated, controlled, or leased by the U.S. government.

It added that methods for the creation, maintenance, and implementation of a cybersecurity program for many commercial and international markets include products in national and international standard-setting organizations (SSOs) and the use of risk management guidance from NIST. The agency’s risk management guidance includes specific technical references, cybersecurity control catalogs, the Information Technology Risk Management Framework, and the CSF.

The agency asks the commercial satellite operations community to use this document as an informative reference to assist in managing cybersecurity risks and to consider how cybersecurity requirements might coexist within space vehicle system requirements. Although the document is not comprehensive, the example requirements it lists could be used to create an initial baseline. The agency recommends that organizations use this document in coordination with NIST references and applicable SSO materials to create customized cybersecurity outcomes, requirements, and controls that support an organization’s particular business needs and address its individual threat models.

Targeted at chief information officers (CIOs), chief technology officers (CTOs), and risk officers of organizations who are using or plan to use commercial satellite operations and are new to cybersecurity risk management for these operations, the NIST document identifies space to be an evolving commercial sector that is no longer the domain of only national government authorities. 

It added that commercial uses of space for research and development, material sciences, communication, and sensing are growing in size, scale, and importance for the future of the U.S. economy. “Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space need to be understood and managed alongside other types of risks to ensure safe and successful operations.”

Application of high-level processes from the CSF may help satellite operators with the creation and maintenance of a cybersecurity program, according to the NIST IR 8270. “While the overall process is applicable to all parts of commercial space architectures and phases of operation, this document also provides a notional example of applying the CSF to generating cybersecurity requirements for the satellite during sensing, information processing, data acquisition, and communications to illustrate how these steps are used and to derive example cybersecurity outcomes, requirements, and controls for this specific use.”

The NIST IR 8270 document outlined that the framework profile can be used to communicate cybersecurity requirements to suppliers and manage how risk is mitigated, managed, transferred, or accepted when outsourcing one or more aspects of space operations. “Commercial space operations can be hybrid modes with few organizations owning or controlling all parts. Therefore, communicating clear expectations, capabilities, and requirements across the different owners of the space operations scope is critical to understanding and managing cybersecurity risks,” it added. 

Notably, the document points out that the risk to an organization is affected by changes in that organization’s reliance on the assets, an adversary’s capability, and an adversary’s intent. Effective risk management therefore requires the steps the document presents to be visited and revisited on a regular basis.

To protect the satellite and its data from communications spoofing, interception, corruption, tampering, and denial of service, the NIST IR 8270 document puts forward that the first task is to identify asset vulnerabilities and document those vulnerabilities as part of a cybersecurity program within the organization. This includes communicating with suppliers to understand their cybersecurity programs; allowing only authorized devices to communicate with the satellite; and permitting only authorized devices to access sensitive data within the satellite’s communications.

It also suggests making the satellite’s communications resilient to adverse conditions; building protections into the satellite to thwart Distributed Denial of Service (DDoS)-related connection attempts; protecting the vehicle if communications are compromised; and enhancing the ability of the vehicle to ingest and share threat data and to react to those data.

To protect the satellite and its data from unauthorized access, use, corruption, tampering, and denial of service, the NIST IR 8270 suggests using secure device design and development practices for the satellite hardware, firmware, operating system, and applications; preventing and deterring attacks against the satellite; and only admitting authorized parties to access and alter sensor data stored on the satellite.

To detect, respond to, and recover from attacks and incidents involving the satellite, its data, and its communications, the NIST IR 8270 document recommends logging security-related events and continuously reviewing the logs; investigating suspicious events; preventing an incident from continuing or expanding; and recovering from incidents by restoring data and software. 

To obtain the most current and accurate threat data to inform the residual risk analysis, the NIST document proposes that the organization joins a local Information Sharing and Analysis Center (ISAC) so that company representatives will have a venue for sharing and receiving prioritized information regarding known risks as the threat and technology landscapes evolve. 

Additionally, it puts forward that the organization define a protocol to consult various authorities at the National Aeronautics and Space Administration (NASA), the National Oceanic and Atmospheric Administration (NOAA), the Federal Aviation Administration (FAA), the Department of Homeland Security (DHS), and/or the Department of Defense (DoD) to better understand potential threats to space-based network operations.

In April, the U.S. Cyberspace Solarium Commission (CSC) 2.0 assessed that America’s adversaries recognize the importance of space systems to U.S. national security and economic prosperity and have tested capabilities to destroy them. The threat from Russia and China is growing, with both those authoritarian powers having placed American and partner space systems in their crosshairs, as demonstrated by their testing of anti-satellite (ASAT) capabilities.

“Receiving an official designation as critical infrastructure would help unlock resources and give greater structure and direction to the project of securing space-based and ground-based space resources against cyberattacks,” Chase Snyder, senior cybersecurity researcher at Xage Security, wrote in a post earlier this week. “But even without the designation, public and private organizations alike need to make big steps quickly toward securing their parts of the big picture that is space infrastructure,” he added.

On the legislative front, a bipartisan bill that would require the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help protect owners and operators of commercial satellites against disruptive cyberattacks advanced in May in the U.S. Senate. The bill was advanced by the Senate Homeland Security and Governmental Affairs Committee and now moves to the full Senate for consideration.
