How the space industry can ensure a secure state for critical infrastructure

Michael Murphy from Fortinet explains how the space sector can shore up its defences to secure critical infrastructure.

Michael Murphy
Mon, 29 Aug 2022

Space has long been considered the final frontier. While its ever-expanding nature suggests we may never fully conquer space, the advancements in this area are exciting and hold significant opportunities for humankind.

A rapidly growing proliferation of forays into space-related exploration and science means that space technology is now at risk of cyber attacks. Like the universe, the edge of the network is constantly expanding.

With each new connected device or application, the edge expands just a little bit more, increasing the potential attack surface that can be exploited by cyber criminals.

For organisations that manage critical infrastructure (CI) and assets, this is of particular concern, especially for those assets that continue to move beyond the bounds of Earth.

The Australian government now recognises space technology as critical infrastructure, per new legislation introduced last year in the form of the Security Legislation Amendment (Critical Infrastructure) Act 2021 as well as the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, which has recently been tabled in parliament.

In addition to codifying space technology as CI, the new legislation has led to changed requirements around serious cyber security incidents for all CI operators.

This has transformed the landscape for many businesses, and it’s essential for space organisations to understand how to address the new requirements effectively to protect their CI assets.

Before an organisation can take steps to address the changing requirements, it’s important to understand the requirements themselves. Two of the primary obligations of the updated legislation are:

  1. Register of critical infrastructure assets: organisations that are responsible for CI assets must provide ownership and operational information to the Register of Critical Infrastructure Assets. This includes providing information when an asset is registered for the first time, and whenever any information is invalid, incorrect, or outdated.
  2. Mandatory cyber incident reporting: organisations that are responsible for CI assets are required to report critical and other cyber security incidents to the Australian Cyber Security Centre’s (ACSC) online cyber incident reporting portal. Reports must be made within 12 hours of becoming aware that an incident has occurred or is occurring, and has had, or is having, a significant impact on the availability of an asset. If an incident has had, is having, or is likely to have a relevant impact on an asset, reports must be made within 72 hours after becoming aware of an incident.

The impact on space

Understanding their role in protecting CI is crucial for space organisations, as is understanding the potential cyber security risks associated with their operations.

While it may seem obvious to some that any network-connected device risks being exposed to vulnerabilities and cyber attacks, the link is not always so clear, especially for CI that sits outside of traditional bounds.

Simplifying the environment can make it easier to identify and address potential risks.

For example, critical space infrastructure (CSI) can be broken down into five distinct types or categories: remote sensing, communications, meteorological, Global Navigation Satellite Systems (GNSS), and administrative and legislative frameworks.

While some of these may have — for lack of a better term — simple or innocuous purposes, such as monitoring climate, many CSI assets are responsible for communications that could have devastating impacts if interrupted, making them particularly high-profile targets.

And, as space is arguably an incredibly hostile environment, and its command encourages fierce competition back on Earth, CSI is an increasingly vulnerable space.

The changes to the Australian government’s legislation have highlighted the important role that space plays in terms of CI assets, as well as the need for accurate and timely communication regarding any potential incidents.

As such, it’s crucial that space organisations are properly prepared to protect their assets, including developing a comprehensive cyber security strategy and rolling out essential technologies.

In the first instance, organisations need to understand the difference in securing CI assets compared to securing IT networks.

The unique nature of the operational technology (OT) that underpins CI assets means that traditional IT security methods and approaches won’t work for OT in a CI environment.

To mitigate these challenges, organisations need to identify and address any friction points between operational (OT) objectives and IT objectives and map an approach that will achieve mutually beneficial outcomes.

Space organisations will need to assess both the current and desired future state of the business and its assets before outlining how they plan to achieve their objectives.

This should include three key considerations:

  1. Operational efficiency: what critical components are degrading or damaged as well as what needs to be done to mitigate potential operational downtime or onsite safety risk exposure for staff.
  2. Security: what steps need to be taken to achieve reduced performance overheads, or upgraded host lifecycle management, without impacting on maximum tolerable downtime (MTD) or mean time to recovery (MTTR) through real-time threat intelligence and sophisticated campaign monitoring.
  3. Safety: how can new technologies be integrated into the stack, and what types, to ensure continued safety of the people they serve?

Organisations that are responsible for CSI also need to better understand the threats that they will be exposed to in order to develop an effective cyber security strategy.

This can be achieved in part by assessing three key components of malicious threats:

  1. Threat actor: the person or organisation behind an attack. Space organisations can assess threat actors by considering the threat actor’s intent versus their capability to conduct an attack.
  2. Threat vector: the point of entry or vulnerability exploited by the threat actor.
  3. Attack: the exploit the threat actor uses to achieve its objectives and the resulting impact.

When it comes to protecting CI assets and OT from devastating cyber security incidents, space organisations also need to consider three key pillars around which to build a security framework:

  1. Visibility: it’s essential to understand what assets need to be protected to comply with any type of legislation or framework. Visibility lets the organisation see what solutions need to be mapped and considered in any potential roadmap. Using the Purdue Model, formerly the Purdue Enterprise Reference Architecture (PERA), will let organisations more easily break down and define CI assets across the network.
  2. Control of assets: maintaining control over available assets to keep them protected and defended against threats is also critical. Leveraging shared knowledge bases, such as the MITRE ATT&CK Framework for industrial control systems (ICS), can give space organisations critical knowledge to help maintain control of CI assets, even if they don’t have the specific knowledge required to manage or defend against new and emerging threats.
  3. Prioritise non-invasive approaches: space organisations also need to understand what defensive approaches work best for different assets.

The use of non-invasive approaches like deception technology can be especially beneficial as it lets attackers think they're in the network without actually being there.

Space organisations must also consider the risks that their wider network poses to their environment. For example, adopting the MITRE System of Trust (SoT) framework can help organisations to better protect their environments from vulnerabilities across their network that can be exploited by threat actors.

Leveraging the MITRE SoT framework empowers space organisations to assess the three main trust aspects of supply chain security — suppliers, supplies, and services — and build a basis of trust within their network.

Space organisations can then use the MITRE SoT framework to identify and address 14 top-level decisional risk areas that are associated with trust. This can help space organisations that manage CSI to further strengthen their cyber resilience.

As Australian space organisations continue to explore the boundaries of what’s possible beyond Earth’s atmosphere, remaining cyber secure and highly resilient should be top of mind. Securing space-related infrastructure requires an entirely different approach and set of tools compared with securing corporate IT networks.

Organisations in the space industry must partner with cyber security experts to ensure their security posture remains resilient so they can get on with unlocking the final frontier.

Michael Murphy is the head of operational technology and critical infrastructure, Australia at Fortinet.
