As our reliance on space systems for communications, transportation, remote sensing, GPS and travel continues to grow, space systems are now emerging as a commercial critical infrastructure sector. As any cybersecurity expert will recognise, the risks are growing too, fuelling the urgency to prioritise cybersecurity around space assets.
For this edition of Interview with a Specialist we have been fortunate enough to gain some key insight from Samuel Visner, MITRE Tech Fellow and Vice Chair, Board of Directors, Space Information Sharing and Analysis Center. Sam is a global thought leader in matters of national security and cybersecurity with a distinguished career across industry, academia, and government.
Sam’s career has focused on developing and deploying technology-based capabilities delivered in support of national security mission requirements. As a Senior Vice President at SAIC and ICF International, a Vice President at CSC, and Chief of Signals Intelligence Programs at the National Security Agency (NSA), Sam has managed complex organisations and held national security mission and systems development responsibilities.
I’ve always been interested in the Space sector, but never really involved in it in any substantive way until I started working with MITRE.
MITRE is a not-for-profit corporation that manages several of America’s federally funded research and development centres. MITRE works solely in the public interest, which is important to me.
My interest was cybersecurity and resilience at large. However, one of my colleagues raised that the space sector is undergoing a transformation, and this is something that should have our attention. We started attending conferences, and we were drawn in.
As part of the security arena, we were worried about threats in the financial services and the automotive and maritime sectors, but this was new. This was exciting.
Fast forward, and now I’m Vice Chair of the Board of Directors of the Space Information Sharing and Analysis Center.
So, I came into this obliquely through my interest in cybersecurity and national security, but not because I had any particular background or experience in the Space sector. I continue to regard myself as a relative newcomer to the industry, but I’m learning fast and deeply involved.
The commercialisation of space is a big security challenge. There’s a huge proliferation of these platforms. We used to have a few dozen, maybe a few hundred satellites up there. Now we are looking at tens of thousands of satellites connected to cloud services, which will be connected to billions of IoT devices and supporting all our country’s national critical functions and other critical infrastructures.
So, we will have thousands of satellites with commoditised parts designed as part of the cost, schedule, performance and profitability calculation associated with each satellite’s business case. That is not to say that security isn’t considered when designing, but if you have more requirements in one area, you will have to pay for them in another area.
More security might mean more weight. Well, more weight means more costs, and more cost may mean fewer customers… you see where this is going.
Space and space assets have a huge threat surface, coupled with the commercialisation of space commodities – creating an interesting dilemma.
We have space and ground operations designed with a range of competing requirements. And those requirements cannot be met with unlimited resources. All commercial ventures need to have a value proposition that has to be expressed within a business case that makes financial sense, which is no different here. There is always a chance that security is not a front-seat passenger.
There has been an interesting development following the commercialisation of satellites.
National security requirements are now depending to some extent on commercial systems. If you look at what’s happening in Ukraine, one of the problems that I think the Russians have had is that they felt that they could manoeuvre their armoured units around without the Ukrainians seeing. Well, not so much.
For example, Planet Labs has some 200 satellites in orbit imagery of satellites and three different orbital inclinations, with other resolutions depending on what you require. Maxar also have very, very impressive orbital imagery capabilities. We need to be concerned about how we plan to secure this technology. And the answer as to how we secure it is: incrementally, with requirements, recommendations, standards, and controls. This way we can encourage the private sector to adopt them.
The NIST cybersecurity framework, which is being adopted for space, is designed to be a relatively low-impact way to adopt standards and security controls. As for encouraging the adoption of the framework, incentives are a good idea. If you provide regulatory requirements, companies may go offshore or find it simply too expensive. You might stifle the industry.
NASA has done some fantastic work in this area, but this may be too heavyweight for some commercial firms to adopt fully. However, they are fundamentally the most successful and experienced, diversified space launch and space operations organisation in history, so many companies can learn from them.
Secondly, a version of the NIST cybersecurity framework for Space systems from the NIST National Cybersecurity Centre of Excellence is designed to provide the industry with practical examples that can be employed practically.
There are many arguments for this. Some feel that Space systems encompass several listed critical and business infrastructure risks.
For example, Communications is listed as a critical infrastructure. Since space assets are heavily reliant on communication systems, it could be argued that there is no need to list it as a separate critical national infrastructure. Transportation systems serve as another example. This approach would leave the security and resilience of space systems to every other infrastructure that depends in some way on space. No national coordination of sector risk management responsibility would evolve in such a situation.
In any case, space systems’ communications function is different because when we look at SpaceX: 12,000 satellites connected to Microsoft Azure globally, connected to billions of IoT devices; this is a new kind of hyper-scale infrastructure.
So, do we believe that the communication sector as it exists in the United States is prepared to deal with the security and resilience of all that? There are discussions around this question currently… I can’t say too much on this.
Star Trek has more scientific pseudo-noise, maybe because they have had more years to do it. I do warm to Star Trek’s idea of a transporter, as some aspect of that may be true through quantum entanglement and quantum trance disposition. Politically, I would say, closer to Star Trek than Star Wars. I don’t think we achieved the scale of a Galactic Republic; frankly, this is truly sad, and many people I know will lament hearing this; I do not believe in the Force!