Protection of satellites and ground systems against cyber-attack is necessary to ensure safe operations in the space
sector. Protection will be required for both the command segments of, and the workloads served by, a rapidly proliferating
constellation of new, largely commercial satellites, numbering possibly in the tens of thousands. Effective and
commercially viable cyber protection strategies are required that can be updated regularly to meet changing threats.
Cyber protection strategies have been developed in other (non-space) sectors using collaborative processes, which has
resulted in more secure systems. This brief presentation describes some of the cyber protection work in other sectors,
the collaborative processes used to develop viable cyber protection solutions, the solutions themselves that have been
identified and are being used, and the lessons learned from their use, resulting in a set of ‘best-practices’ in these
sectors. The processes used in these domains to develop these strategies can be applied to the space domain, with
similar expected results and best practices for space systems.
Keywords: cyber protection, space systems resilience
1. Introduction
Ensuring our national and economic security is
urgent, especially as LEO space is exploited in new ways
[1, 2]. In addition, our national interests require that we
protect our nation’s business and critical infrastructures.
Private companies are orbiting payloads for research,
communication, and manufacturing purposes that
enhance economic competitiveness and security. The
commercialization of LEO is creating an information
technology eco-system that serves many infrastructures
(communication, transportation, education); these new
infrastructures will feature far more connected devices
(IPv6), high-speed interconnectivity (5G wireless) and
AI-mediated management of myriad resources.
As these infrastructures are introduced, their
cybersecurity and resiliency will be of paramount
importance. To the extent that this new information
technology eco-system is supported by LEO, the US
Government and commercial industry need to ensure
cybersecurity for the emerging LEO commercial
participants. Industry needs effective and affordable
approaches, while the U.S. government must maintain
effective oversight, licensing, and regulation of these
companies and set international standards for all
players. Like other industries, the need to balance
effective cybersecurity with other factors will assume
increasing importance. For example, exquisite – but
costly – measures for cyber protection could be required
to allow companies to launch, but these measures might
come at the expense of space commerce. What is an
effective approach to ensure cybersecurity that respects
the economics of small satellites and LEO?
The author’s affiliation with The MITRE Corporation is provided for identification purposes only, and is not
intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions or viewpoints
expressed by the author.
As an example of a pending decision to mandate
greater protections in satellites, the following excerpt
from the US Federal Communications Commission
Notice of Proposed Rulemaking frames the discussion
around the encryption of command and control
messaging to satellites, “as a practical matter, most
satellites do operate with secure encrypted
communications links, and all operators have an interest
in securing against unauthorized actors interfering with
their mission. Certain low-cost satellite missions—some
CubeSats or other small satellites, particularly those
operated for academic purposes—may not use
encryption for telemetry, tracking, and command
communication links. The developers in these cases may
have concluded that the costs or time associated with
implementing encryption of telemetry, tracking, and
command communications outweigh the potential risks.
Some have observed that a satellite outfitted with
onboard propulsion capabilities could pose some risk to
the operations of other spacecraft if a malevolent actor
were able to take control of and command the satellite
and that encryption should therefore be required… We
seek comment on whether to include any provisions in
our rules concerning encryption for telemetry, tracking,
and command communications for satellites with
propulsion capabilities, and propose to add a
requirement to our operational rules.” [3] It should be
added that the workloads supported by these satellites
may or may not be secured either.
To meet current and emerging cybersecurity and
resilience obligations without stifling innovation, a set of