A new industry group set up to share intelligence about cyber threats to space-based assets like satellite communications will be lobbying the Trump administration to designate commercial space systems as critical national infrastructure.
“We will be lobbying as an industry to be recognized as critical infrastructure,” Frank Backes, senior vice president of Kratos Federal Space, told Air Force Magazine. The last time something was added to that list was after the 2016 election, when state and local government voting systems were designated.
Kratos is one of the founding members of the Space Information Sharing and Analysis Center, the newest among 22 ISACs developed to allow industrial competitors to cooperate in defending their business sectors from cyber and related threats.
The move comes amid growing concern that foreign adversaries could exploit weak cybersecurity in US space-based assets to blind the nation’s military or cripple its economy.
Other founding members of the Space-ISAC include the federally funded MITRE Corp., European-based satellite communications giant SES, and technology consultancy Booz Allen Hamilton.
Backes said he anticipates 14 founding members will be in place by the time the Space-ISAC gets up and running early next year, including launch providers and businesses that design and build satellites, as well as antenna network operators and systems engineering and integration companies. Academic centers like the Space Dynamics Laboratory at Utah State University could also be founding members. Air Force Space Command, the Department of Homeland Security, and the White House are backing the new ISAC.
“This Administration strongly supports the formation of private-sector driven information sharing and analysis centers,” said White House National Security Council Spokesman Garrett Marquis in an emailed statement. He said the center will “help gather, analyze, and disseminate critical cyber threat information related to space among the federal, commercial and international community.”
The plan to establish the Space-ISAC was first reported by Air Force Magazine last year.
Backes said industry took the initiative to form the Space-ISAC when executives recognized their companies were being targeted by hackers.
The hackers’ goal appeared to be “to understand the methods and the procedures being used to develop space systems so that vulnerabilities can be found, analyzed and … exploited,” said Backes, who will be one of 14 members of the Space-ISAC’s controlling board of directors. “If you understand the architecture of a space-based asset … you can start analyzing it for vulnerabilities and many of these hacks were about gathering that kind of information.”
Backes said whoever was behind the attacks, “The kind of people who would be exploiting space systems of this type most likely would be much more sophisticated than your average hackers and the reasons for doing it might be nation-state sponsored.”
One of the new ISAC’s goals, Backes said, will be to “Protect that [space] technology while it’s being designed and built so that when the [assets] get on orbit, they are more protected.”
Space-based capabilities like communications or GPS and other Positioning, Navigation and Timing, or PNT, technologies have become essential to the functioning of the US economy. And the US military also relies on satellite infrastructure—increasingly provided commercially rather than by dedicated military equipment—for the global command and control capabilities that have made it such a fearsome fighting force.
“Space is woven into the fabric of our society and economy,” as well as being vital to the national defense, said retired USAF Lt. Gen. Chris Bogdan, now a senior vice president at Booz Allen Hamilton, one of the four announced founders.
“Space has become a warfighting domain … congested, contested, and very complex,” said Bogdan.
The computer software in the satellites themselves, in ground stations, launch vehicles, and related equipment, is all vulnerable to hackers.
Research last year by white hat hackers at security research firm IOActive found that many of the satellite terminal devices used by ships, commercial aviation, and even the military were “made with poor software engineering and security practices [like] hard-coded credentials,” administrative backdoors, and insecure protocols, according to John Sheehy, the firm’s vice president for sales and strategy.
Other segments of the industry have proven vulnerable too. “The cost to attack a space-based asset through a cyberattack is orders of magnitude smaller than through a kinetic attack,” Sheehy noted.
“A well functioning ISAC where participants are really sharing information is of great value to all the members and to everyone who relies on their products,” said Sheehy.
Backes said the new Space-ISAC would welcome input from white hat hackers. “If those researchers are willing to share that information we would absolutely want to be a mechanism for sharing that out to the community,” he said.
Sheehy suggested there will likely be a learning curve for the space industry, as more security researchers turn their attention to hacking satellites. For example, at next year’s DefCon—one of the largest annual hacker gatherings—the Air Force has said it will organize a “hack a satellite” contest, where researchers and hackers will compete to find vulnerabilities in an actual satellite.
Based on experience, Sheehy said, this process could be painful. “In general, what we find is, the first disclosure in a particular industry tends to be very adversarial,” Sheehy explained. “It takes them a while to digest the culture and understand what the security researchers are doing … [and] come to see the value.”
For a sector like space that tends to be “more insular, more closed and have more secrecy requirements,” Sheehy added, it could be “a little bit more difficult to interact with them.”
Backes said secrecy requirements will present “a very big challenge” for the Space-ISAC, as many satellite systems are highly classified, yet at the same time, the industry is increasingly commercial and now has a global supply chain.
“International participation will be agreed in cooperation with the US government,” he stressed. “We will let them take the lead.”
Backes added that at some point in the future, the center’s leaders hoped to develop “information sharing agreements with foreign government agencies,” like for example the British or Japanese Defense Ministries, “as they establish their space infrastructure.”
And Backes said that DHS had already “created processes and procedures about how to isolate [cyber] vulnerability information so that it can be shared in an unclassified setting”—and that the Space-ISAC could leverage those.
If vulnerabilities of classified systems are “broken down into individual components, some of them [will be] unclassified,” he said, adding that DHS had developed processes to do this for other ISACs, especially the one for the information technology sector.
DHS is “doing this today for the IT-ISAC and we intended to piggyback on that approach for the Space-ISAC,” he said.
The Space-ISAC will be based at the National Cybersecurity Center, a non-profit in Colorado Springs, Colo.—the headquarters of AFSPC and the forthcoming US Space Command.
The NCC will operate an unclassified online portal for ISAC members, Backes said, and NCC analysts will vet threat information submitted by members or government partners before pushing it out through the portal.
Booz Allen’s Bogdan, the retired Air Force general, said excluding classified information will exclude a lot of what space industries need to keep their IT networks and other systems safe.
“We’ll probably start off just sharing unclassified information,” Bogdan said, “but eventually it’s something we’ll have to tackle.”
“There are tentative plans at some point in time to have a classified portal, separate equipment, separate operationally and in physical location from the unclassified portal,” added Bogdan’s deputy at BAH, John Ward.
Another challenge is the extraordinary variety of stakeholders. “The intended ISAC membership is going to include a wide variety of companies doing a wide variety of things,” said Ward.
“If you ask each one of them what constitutes space infrastructure, you get completely different answers,” he said. Launch providers will say one thing, satellite manufacturers another. “If you ask each of them what the threats they face are, they might all say cyber. But they will also say, interrupting my supply of [launch fuel] … or my supply of radiation hardened transistors is a threat; … space weather is a threat,” said Ward. “There are completely different threats” in different sectors.
“The cyber threat gets the most attention,” Bogdan says. “[It] kind of dominates the discussion and we will surely start with sharing information to tackle that. But there are a lot of other things that can threaten our space-based capabilities besides [cyber.]”
Bogdan noted that BAH has experience in setting up ISACs, having worked on the Auto-ISAC and the oil and natural gas ISAC, but that space might prove to be the hardest. “It’s too important for our nation not to do it,” he said.
Backes said the ISAC is currently conducting a series of workshops with founding members and others to determine what its priorities should be.
“We’re convening the community so they can decide and they can prioritize … We’ll focus on those elements of space infrastructure that are the most vulnerable and where we can have the most impact in the early stages,” said Backes.
Early consensus around antenna networks and space-to-ground communications suggests those two elements will be early areas of focus.
Based on inputs from the workshops, the center would have an implementation plan by the turn of the year, and aimed to stand up their portal by February 2020, he said.
Currently, despite its vital role for the US economy and military power projection, the space industry is not formally considered one of the 16 sectors of critical national infrastructure in the US, Backes observed, although it has that status in the eyes of US allies like the British.
Backes said the industry is lobbying to get that changed. “We are working with the administration, the National Security Council and the National Space Council [at the White House,]” he said.
Yet there’s no guarantee they’ll achieve that status. Bogdan says there are two sides to the debate. “Designating [space] as critical infrastructure like that comes with a lot of pluses and minuses,” he said. “The government is going to have to think that through.”