US Space Cybersecurity Directive

The Trump Administration just published “Space Policy Directive – 5”: “Cybersecurity Principles for Space Systems.” It’s pretty general:

Principles. (a) Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering. Space systems should be developed to continuously monitor, anticipate, and adapt to mitigate evolving malicious cyber activities that could manipulate, deny, degrade, disrupt, destroy, surveil, or eavesdrop on space system operations. Space system configurations should be resourced and actively managed to achieve and maintain an effective and resilient cyber survivability posture throughout the space system lifecycle.

(b) Space system owners and operators should develop and implement cybersecurity plans for their space systems that incorporate capabilities to ensure operators or automated control center systems can retain or recover positive control of space vehicles. These plans should also ensure the ability to verify the integrity, confidentiality, and availability of critical functions and the missions, services, and data they enable and provide.

These unclassified directives are typically so general that it’s hard to tell whether they actually matter.

News article.

Posted on September 9, 2020 at 6:37 AM

12 Comments

Comments

jcb September 9, 2020 8:18 AM

unclassified directives … so general that it’s hard to tell whether they actually matter.

They have to justify a budget to Congress.

yet another Bruce September 9, 2020 8:22 AM

The new platform looks almost the same, which is not a bad thing. Glad to see RSS still works. Thanks.

Mr. H September 9, 2020 8:33 AM

People are hungry, many. Down here. On Earth. Some due to their stupid choices, but the others are the ones we should help first. In USA (unless you’re a wealthy off-the 1%) people go bankrupt when they get sick due to medical bills (even WITH “insurance”). From there on, life is a living hell for them – until the day they die. Most never recover financially. But hey, M.I.C. has to get their cut first – always.

jcb September 9, 2020 11:54 AM

@Mr. H

bankrupt when they get sick due to medical bills (even WITH “insurance”). From there on, life is a living hell for them – until the day they die. Most never recover financially. But hey, M.I.C. has to get their cut first – always.

I think more relevant to a security forum, many of us have had our identities stolen through all that fraudulent medical billing. We have to say no to the drug dealers, butchers, human slaughterhouses, and all the medieval practices of medicine, including those of mental health, which they inflict on us. For that we will need more items of the type generally supplied by the M.I.C. The doctors are getting too smart for us.

Clive Robinson September 9, 2020 12:41 PM

@ Bruce, ALL,

These unclassified directives are typically so general that it’s hard to tell whether they actually matter.

But even in all that “waffle” they still miss some quite important things…

As an easy to spot example, take a look at section 2(c) “Positive Control”. It sounds all well and good until you know they have left an important control class off of the list,

“and for the intended time period”

I know some will think,

but isn’t that covered by “at the intended time”

The answer is no, and the reason involves jamming and failing into some kind of “fail safe” condition.

Positive Control is not about individual commands, it’s about overall actions that consist of one or more, usually many, individual commands.

To see the difference, think about the overall action “make a cup of tea”: it consists of a series of actual individual commands such as “pick up kettle”, “put kettle on stove”, “turn on heat” etc. But importantly there are “action verifiers”, that is, after “pick up kettle” you should have a “test” of “Is there sufficient water in the kettle?”. Thus an “action” is like a small program that has to be sent up to the vehicle via some kind of EM link that an attacker can jam at any point.

But ensuring the entire overall action gets sent to the vehicle is insufficient for the notion of fail safe operating. In space, when it comes to any kind of work such as moving something, whilst there is inertia there is not in human terms any meaningful friction. Thus you have to perform both of the “equal and opposite actions”. To do both requires that you know that things will be not just available but usable in advance of starting any overall action. Thus not only do you have to check the amount of propellant, you also have to check it is usable, all before you start any action.

But whilst it’s easy for a human to correct for errors when making a cup of tea, think instead of a battery powered robot doing it. Most satellites for reasons of safety do not carry Radio Thermoelectric Generators (RTGs) any longer and they tend to use solar panels that charge batteries that are little different to those you used to buy in your local Radio Shack / Tandy / Maplin 20 years ago (such is the joy of space qualified parts). Thus you have a couple of issues just the same as you do with RTGs, which is they have half-lives. So with Solar the panel will only give half the output power to the bus and the batteries will only hold half the power they did 200 charge cycles etc that they did before. But… Due to the way they work, measuring what the actual available power is, is difficult (crudely think of the decreasing capacity as being the same as having a resistance in series that goes up in value with usage within the device but you can not measure across just the resistance).

The problem is that unless you have multiple buses you have to run everything off the one power bus. So if as an attacker I can see you starting a power hungry action I can cause other things to draw power. If the power drops too much on the power bus then you get a brown out which cascades and could cause you to start an action but not be able to complete it.

Thus if you are “station keeping” and need to increase your orbit height (via an efficient Hohmann transfer orbit) I could let you do the first orbit change (periapsis burn) but not the second (apoapsis burn), or I could cause either burn to be too short or too long and the vehicle would be at the very least in an undesirable elliptic orbit. Endangering mission usability, solar power collection, or worse still other orbital vehicles.

You can see what effect this would have by looking at,

https://en.wikipedia.org/wiki/Hohmann_transfer_orbit

Thus ensuring actions happen “at the right time for the right duration all the way through to completion” or “not at all” is the basis of space vehicle “fail safe” operation. Thus designing the system such that it does so can be quite complex. It’s hard enough to do this when not considering jamming of control / telemetry channels, it becomes very fundamental to the entire design when you do and “Needs to be built in from day zero”.

Which means most satellites that are up currently could be vulnerable, and some that will get launched in the next three to seven years likewise may well be vulnerable because they are too far along the design process. So with 25-year mission times vulnerable vehicles will probably still be in use in 2050 or later.
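The “all the way through to completion or not at all” rule from the comment above, worked through for a two-burn Hohmann orbit raise. This is an added example, not part of the original post or of any commenter's text: it computes both burns, the orbit left behind if only the first burn happens, and a pre-commit gate that refuses to start unless both burns fit worst-case propellant and bus power. The spacecraft figures, the field names and the 10% margin are constructed assumptions.

```python
import math

MU_EARTH = 3.986004418e14  # m^3/s^2, Earth's gravitational parameter
G0 = 9.80665               # m/s^2, standard gravity

def hohmann_burns(r1, r2):
    """Delta-v (m/s) of burn 1 and burn 2 for circular r1 -> circular r2 (metres)."""
    a_t = (r1 + r2) / 2                               # transfer-ellipse semi-major axis
    v_circ1 = math.sqrt(MU_EARTH / r1)
    v_circ2 = math.sqrt(MU_EARTH / r2)
    v_t1 = math.sqrt(MU_EARTH * (2 / r1 - 1 / a_t))   # vis-viva at r1
    v_t2 = math.sqrt(MU_EARTH * (2 / r2 - 1 / a_t))   # vis-viva at r2
    return v_t1 - v_circ1, v_circ2 - v_t2

def orbit_if_second_burn_missing(r1, dv1):
    """(low point, high point, eccentricity) when only burn 1 is executed."""
    v = math.sqrt(MU_EARTH / r1) + dv1
    a = 1 / (2 / r1 - v * v / MU_EARTH)               # vis-viva solved for a
    r_far = 2 * a - r1
    return r1, r_far, (r_far - r1) / (r_far + r1)

def propellant_needed(mass_kg, dv, isp_s):
    """Tsiolkovsky rocket equation solved for propellant mass."""
    return mass_kg * (1 - math.exp(-dv / (isp_s * G0)))

def authorize_transfer(r1, r2, sc):
    """All-or-nothing gate: start burn 1 only if BOTH burns fit worst-case resources."""
    dv1, dv2 = hohmann_burns(r1, r2)
    prop = propellant_needed(sc["mass_kg"], dv1 + dv2, sc["isp_s"]) * (1 + sc["margin"])
    # Assume every other load on the single bus switches on during the burn.
    bus_peak = sc["burn_load_w"] + sc["worst_case_other_load_w"]
    reasons = []
    if prop > sc["usable_prop_kg"]:
        reasons.append("propellant")
    if bus_peak > sc["derated_bus_w"]:
        reasons.append("bus power")
    return not reasons, reasons

# Constructed spacecraft state; every value here is an illustrative assumption.
SC = {"mass_kg": 500, "isp_s": 220, "margin": 0.10, "usable_prop_kg": 10.0,
      "burn_load_w": 300, "worst_case_other_load_w": 450, "derated_bus_w": 800}
R1, R2 = 6_878_000.0, 6_928_000.0   # 500 km -> 550 km altitude

if __name__ == "__main__":
    dv1, dv2 = hohmann_burns(R1, R2)
    print(f"burn 1 {dv1:.2f} m/s, burn 2 {dv2:.2f} m/s")
    print("only burn 1:", orbit_if_second_burn_missing(R1, dv1))
    print("authorized:", authorize_transfer(R1, R2, SC))
```

The gate sizes the bus check against every other load being on at once, so a transfer that only works on a quiet bus is refused before the first burn rather than abandoned after it.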

Northern Realist September 9, 2020 12:45 PM

These directives demonstrate the people behind them struggle to have even an acute grasp of the bloody obvious…

Clive Robinson September 9, 2020 2:45 PM

@ jcb,

They have to justify a budget to Congress.

And you forgot the all important,

Wallpaper what they talk out of 😉

Website_surfer September 9, 2020 3:25 PM

I hope they update the directive before engineering systems to those specifications. They didn’t account for a new cutting-edge secret space weapon from Russia. Which is a new and highly sophisticated way of neutralizing adversarial space based tactical systems. Imagine an enemy satellite that has the ability to “ram into” an enemy satellite thereby defeating it. I try and think of a similar earth based situation for reference, to counter said counter-measure. Or CCM for those in the know. Imagine driving a car down a one-way street, and another car is coming right for you in a “ramming” maneuver. What could you do? Probably nothing, it’s game over at that point. That is unless… an air-bag were in the car. After a little brain storming and analysis, I thought hmmm. Maybe we can install airbags in satellites. I know…genius. I already went ahead and filed that patent. Apologies to any would-be airbag idea thief.

vas pup September 9, 2020 3:53 PM

Court Approves Warrantless Surveillance Rules While Scolding FBI
https://www.nytimes.com/2020/09/05/us/politics/court-approves-warrantless-surveillance-rules-while-scolding-fbi.html

“Privacy rights advocates have long raised alarms about that program centering on the fact that it enables the government to sometimes read private messages of Americans that are gathered without a warrant. In 2018, when Congress reauthorized Section 702, it added a requirement that the Foreign Intelligence Surveillance Court approve rules every year limiting how analysts may query the data.

In the newly disclosed ruling, James E. Boasberg, the chief judge of the FISA Court, signed off on the new annual set of rules, but not before scolding the F.B.I. over many instances in which its analysts had violated a previous set of them, including requirements that searches of the repository have a foreign intelligence or criminal purpose.”

Read the whole article!

Bruce Jackson September 15, 2020 8:11 PM

If this is to be a directive, the verbs are wrong. “Should” indicates guidance. “Shall” or “will” are the correct verbs for a directive.
