NIST works on applying cybersecurity framework for satellite command and control, seeks feedback

The National Institute of Standards and Technology (NIST) released a draft document that applies the NIST Cybersecurity Framework to the ground segment of space operations with an emphasis on assuring satellite command and control. The agency recognizes the importance of the infrastructure that provides positioning, timing, and navigation (PNT) information to the scientific knowledge, economy, and security of the U.S. This infrastructure consists of three parts: the space segment, the ground segment, and the users of PNT.

NIST requests comments on a draft of a profile for the ground segment, and the comment period on this initial public draft is open through Jun. 20, 2022. The move comes as a result of recognizing and supporting space resilience through numerous space policies, executive orders, and the National Cyber Strategy. The space cyber-ecosystem is an inherently risky, high-cost, and often inaccessible environment made up of distinct, though interdependent segments.

The NIST draft document comes a month after U.S. security agencies called for strengthening the cybersecurity of national and international satellite communication (SATCOM) networks, following concerns of possible threats to these networks. The agencies reveal that successful intrusions could create risk in SATCOM network providers’ customer environments.

The document titled NIST IR 8401, ‘Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control,’ applies the NIST CSF to the ground segment of space operations. It defines the ground segment, outlines its responsibilities, and presents a mapping of relevant information references. The profile defined in the report also provides a flexible framework for managing risk and addresses the goals of Space Policy Directive 5 (SPD-5) for securing space.

The Cybersecurity Framework consists of three main components: the Framework Core, which provides a catalog of desired cybersecurity activities and outcomes using a common language; the Framework Implementation Tiers, which provide context for how an organization views cybersecurity risk management; and the Framework Profiles, which tailor the outcomes of the Core to align with an organization’s requirements.

The Satellite Ground Segment Cybersecurity Profile is designed to be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that comprise the ground segment of satellite operations, according to the NIST document. The profile provides guidance for classifying systems, processes, and components of satellite command, control, and payload systems in order to determine cybersecurity risk posture and address residual risk in the management and control of the space segment. 

It also defines a desired cybersecurity state for the systems, processes, and components of satellite command, control, and payload systems, and establishes defined and repeatable risk management approaches to elevate an actual cybersecurity state to a desired cybersecurity state, the document added.

By adopting the profile, organizations will be able to identify their systems and processes that enable command and control of space vehicle buses and payloads and determine performance requirements, detect known and anticipated threats to the satellite ground segment and supporting infrastructure, and protect the systems that the ground segment relies upon through policy, training, resilience, and access control, the NIST document said. 

The profile also helps to detect a loss of ground segments’ confidentiality, integrity, or availability, and to respond in an effective and resilient manner to confidentiality breaches of Telemetry, Tracking, and Command (TT&C) and to manipulation or loss of satellite commands or telemetry. It also helps to recover from anomalies in a timely, effective, and resilient manner.

The profile also supports the stakeholder’s ability to make risk-informed decisions about the cybersecurity of the ground segment and its corresponding impact on the space segment’s bus and payload. In addition, it selects risk-based approaches that minimize the potential effects of the disruption or manipulation of the satellite bus and payload commanding and telemetry, and considers planning and action regarding the secure management and recovery of the space segment.

The NIST document said that the profile is a flexible tool that an organization can use as part of its risk management effort, with an intention to augment rather than replace these efforts. The profile will also aid in the prioritization of cybersecurity activities based on business objectives and identify areas where standards, practices, and other guidance could help manage risks. NIST also encourages the development of organization-specific profiles by applying the profile to a particular mission or cyber-ecosystem.

The profile also provides a flexible approach for stakeholders to manage risks when interfacing with the satellite bus or payload regardless of the source of the risk, including natural events, malicious actions, and human activities that have unintended consequences. It also provides a starting point from which organizations can customize their risk management approach. 

The profile is intended to be used in conjunction with existing risk management processes to provide additional risk management considerations. Examples of cybersecurity risk management processes include International Organization for Standardization (ISO) 31000:2018, ISO/International Electrotechnical Commission (IEC) 27005, and NIST Special Publication (SP) 800-39 [NIST-SP800-39].

NIST is also developing a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The NIST Artificial Intelligence Risk Management Framework (AI RMF or Framework) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

The framework is being developed through a consensus-driven, open, transparent, and collaborative process that will include workshops and other opportunities to provide input. It is intended to build on, align with, and support AI risk management efforts by others. An initial draft of the AI RMF is available for comment through Apr. 29, 2022.
