Officials Consider Zero Trust Challenges for Satellite Cybersecurity

Federal leaders are thinking about ways to confront growing threats to cybersecurity of critical infrastructure in Earth’s orbit, officials said at the 2024 Satellite Conference in Washington, D.C., last week.

Ronald Keen, senior advisor of space at the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center (NRMC), said that “every single critical infrastructure sector that we have here in the homeland has direct and indirect dependencies on space-based assets.”

With satellites in space, ground stations on Earth and the actual distance that information travels in between, vulnerabilities exist on an attack surface that can sometimes cover over a third of the planet.

“The space community is maturing at a rate and growing at a rate where we need to really start thinking across the board how we implement for the entire system controls,” said Erin Miller, executive director of the Space Information Sharing and Analysis Center, about the Space Force’s Infrastructure Asset Pre-Approval Program (IA-Pre). The program lays out approximately 400 cybersecurity controls for commercial providers working with government.

“Some of the things that I’ve heard from industry members that are part of the space tech stack is that there are some challenges around how to implement it still — there’s a learning curve associated with it,” she added.

Keen noted that in a zero-trust architecture where everything needs to be validated, space-specific issues like latency can add wrinkles into conventional problems.

“Some of the things we found that they’re not insurmountable, but they are definitely challenges to zero-trust architecture,” Keen said. “One is cross-linking. The other thing is the intra-satellite communication, the handshaking at ground stations. Satellites, unless they’re geo-synced, don’t stay in one place at one time in the process of being handed off. So how does that handle if you’re doing zero trust architecture on handoffs between ground stations?”

As the space industry moves away from siloed applications toward mega constellations operating in low orbit, Keen said, the nation will encounter new complexities, threats and vulnerabilities. He noted that satellite infrastructure is still siloed and will need better collaboration between the private and public sectors to ascertain where the most pressing vulnerabilities are.

Miller said that true cybersecurity can only be achieved as part of a collective, as companies and single government agencies cannot defend themselves against the power and resources of adversarial nation-states’ cyberattacks.

“Despite that being the case these companies are willing to own it and their C-suite takes on the responsibility for security, it’s still a highly complex and dynamic environment. We have to treat it as ‘an attack against one is an attack against all’ and we have to be continuously sharing the best practices for how to manage the threat,” Miller said.