Cyber Security in the Space Sector: Cyber Regulation in a Rapidly Evolving Space Economy
The signing of the Outer Space Treaty in 1967. Credit: United Nations

To address the fast-paced evolution of the space sector—commercial, civilian, and military—there is a growing imperative for all business leaders to consider the impact of space activities on their industry and organization. The pervasiveness of space-originating data and services in our economy and everyday lives underscores this imperative. Additionally, the potential for conflict in the space domain is on the rise. One of the most prevalent threats is cyber-attacks. In our series on cross-sector implications, we look at cyber security considerations in this evolving sector.

In this chapter of the cyber security considerations series for the space sector, we address the regulatory implications for cyber resiliency in the space sector.

Cyber Resiliency Without Regulation

A high-profile cyber-attack on Viasat coinciding with the initiation of Russia’s February 2022 invasion of Ukraine brought cybersecurity for space activities top of mind for regulators in Washington, again.

On March 1, 2023, the White House released the National Cybersecurity Strategy which addressed the vulnerability of critical infrastructure, including space-based assets and the myriad of essential services they support.

Next-generation interconnectivity is collapsing the boundary between the digital and physical worlds, and exposing some of our most essential systems to disruption…Our essential infrastructure… is increasingly shedding old analog control systems and rapidly bringing online digital operational technology (OT). Advanced wireless technologies, IoT, and space-based assets—including those enabling positioning, navigation, and timing for civilian and military uses, environmental and weather monitoring, and everyday internet-based activities from banking to telemedicine—will accelerate this trend, moving many of our essential systems online and making cyberattacks inherently more destructive and impactful to our daily lives.

This position is consistent with previous administrations, including actions such as the issuance of Space Policy Directive 5, “Cybersecurity Principles for Space Systems,” in 2020, and the 2015 Executive Order that opened the sharing of real-time threat information beyond the Defense Industrial Base and charged NIST with the development of a Cybersecurity Framework, among other things.

While guidelines are becoming a consistent product of US leadership, regulation in the form of federal legislation (e.g., HIPAA) is extremely rare. In the legislative vacuum, the industry has stepped up as a participant in shaping norms that make the space domain safer for all.

Space-based assets and the space ecosystem are critical to Military and Defense activities, and to the functioning of our Earth and space economies. The interests of industry and government are interlinked.

The same challenges that exist in the US exist globally. Germany, for example, also acted in the aftermath of the Viasat breach. The country established a set of guidelines for satellite operators and set a precedent for a common language that countries across Europe, and the rest of the world, can use in discussing standards and risk. (Germany Offers Model for Space-Industry Cyber Standards, WSJ, August 17, 2022)

Activities in space continue to increase through growing investment, accelerating launch cadence, and reduction in payload cost. The pace of regulation, on the other hand, is consistently slow. Government and industry are responding to the need for a safe operating environment in several ways, most of them voluntary. We outline some of those efforts, their drivers, and their benefits below.

  1. Voluntary guidelines: As a stopgap before regulatory action occurs, industry consortiums like the Satellite Industry Association (SIA) have created their own guidelines and standards of operation which are encouraged to be upheld by member organizations. These shared standards have benefits beyond individual organizations. Shared language and standards increase trust between customers and service providers, reduce uncertainty for investors, and create a benchmark for international groups developing cross-border guidelines in a non-sovereign domain.
  2. Organizational governance and reporting: A critical tool in the assessment and reporting of voluntary guidelines is the set of government frameworks that organizations can measure themselves against. Notably, the NIST Cybersecurity Framework and DoD’s CMMC 2.0 Framework offer opportunities for comment and input, and are both in the process of updates to reflect the changes in the technology and threat landscape. Both approaches are critical steps in setting standards and providing organizations with a roadmap to cyber resiliency. Trust and expectation setting between organizations, and between industry and government, is one of the key objectives the guidelines seek to achieve. CMMC helps determine what is an acceptable risk, and what is a deal breaker for DoD service providers. While the framework is intended for the defense industrial base, space companies can benefit from adopting the CMMC 2.0 standards, as the DoD’s requirements represent the most stringent security standards. Read more about CMMC 2.0 impacts on the defense industrial base: CMMC 2.0 (kpmg.us)
  3. Public-private partnership: The communication and collaboration between industry and government are fundamental to a successful regulatory pathway. The SIA, for example, works closely with policymakers and departments like NIST to develop standards that make the ecosystem safer for all. The shared interest in creating a threat-free environment is a strong motivator and driver for the success of public-private partnerships in the cybersecurity realm. The same is true for the space sector more broadly, where the US government strategy now includes symbiotic investment in space infrastructure developed by industry through actions like the Commercial Space Launch Competitiveness Act signed in 2015. While fostering a nascent economy, these efforts also clarify the role of the government as a customer with defined requirements. Space companies can benefit from developing systems and ways of working with the government, including compliance and project management practices that can translate to cyberculture.
  4. International considerations: Regulatory action in one country will directly impact the international stakeholders who do business with domestic businesses and governments. The more there can be cross-border norms and standards, the less complex those relationships will be. Additionally, as time goes by and the industry changes, the 1967 Outer Space Treaty becomes more outdated. While guidelines like the Artemis Accords have been drafted to modernize international collaboration in space, the debate continues as to whether international regulation is necessary or even possible. Again, voluntary norms and standards fill that vacuum and accelerate discussion, agreement, and adoption. International dynamics, while competitive, also have a shared interest in a threat-free environment. When stakeholders clearly communicate their intentions and objectives in the space domain, they all have greater assurance of consistency of risk appetite. Operating in the space ecosystem, with so many unknowns, is safer when you know the standards being applied by your industry and international peers. Conversely, a lack of participation in the development of international norms creates a risk in and of itself.

The Wilson Center’s October 2020 assessment speaks to the enormity of the task for regulators. On a national level, international level, and industry level, norms and guidelines continue to be the most effective path to a secure operating environment for national security, and for space companies and the infrastructure they enable.

In space, the stakes are exceptionally high due to the unique considerations across national security and international peacekeeping, critical infrastructure support, and the physical vulnerability of space assets. For this reason, developments in cybersecurity regulation related to space will have the highest standards, while also creating an environment for innovation and entrepreneurship, and a huge amount of economic opportunity through the creation of new markets. This ability to establish an agreed-upon level of acceptable risk creates stability and an environment for partnership and collaboration, both of which are essential in space ventures. This approach will benefit other sectors, all of which are contending with cybersecurity challenges that extend beyond the four walls of the organization, or the borders of the nation.

As noted above, all organizations can benefit from following the development of space cybersecurity standards. How you think about it, however, might look different:

Considerations for space companies:

  • How might your organization play a role in making the whole space ecosystem more resilient?
  • What efforts does your organization currently make to extend cybersecurity beyond the walls of your organization?
  • What is your organization’s current strategy to stay informed of emergent risks and comply with regulations and guidelines?

Considerations for companies seeking to develop a space strategy:

  • How might your operations become more cyber resilient by acting like a space company?
  • How might a shared risk model impact the appetite for innovation in your industry?
  • How can your company remain cyber resilient given the changing architecture of IT?

To learn more about how your organization can cultivate a cybersecurity culture, contact KPMG for an in-person or virtual experience.


Contact us:

Danielle Mazur, Manager, Ignition Cyber Lead

Lekshmy Sankar, Director, Cyber Security Services

Lee Anderson, Manager, Chicago Innovation Lab Lead
