Space Organizations Partner To Boost Cybersecurity « Breaking Defense
WASHINGTON: Two prominent aerospace industry groups are cooperating on cyber information sharing, awareness, education, and industry outreach to improve the security of space operations.
The agreement between the American Institute of Aeronautics and Astronautics and the Space Information Sharing and Analysis Center comes at a time when recent cyber incidents in other industries have highlighted a deficit of info sharing. The apparent lack of info sharing has recently been raised numerous times by Congress and others, as well as addressed in the recent cyber security executive order.
This agreement is worth noting because the space industry is moving ahead proactively instead of waiting to be compelled to act by the government through law or regulation. It could serve as a model of what’s possible for the government and other industries as they focus on cybersecurity awareness, education, and communication.
“One of the things we’re thinking of in terms of advancing the art and science of aerospace cybersecurity is that information sharing happens at much more fundamental levels,” Steve Lee, AIAA’s senior manager for cybersecurity and new product development, told Breaking Defense in an interview. “We’re often talking past each other,” he said, noting the importance of things like a shared vocabulary when talking about cybersecurity.
The collaboration opens the door for Space ISAC, a public-private sector group, to provide cybersecurity information and resources directly applicable to the aerospace industry. AIAA will contribute expert sector-specific knowledge, as well as industry, educational, and publishing reach.
Space ISAC is the newest of some 24 national ISACs set up since the 1990s to help US federal agencies work with industry sectors such as aviation and defense to thwart and recover from cyber attacks by sharing information on vulnerabilities, mitigation measures, and response options. As Breaking D readers may remember, the Space ISAC is a key priority for the National Security Council.
AIAA is the world’s largest aerospace technical society. In addition to this partnership, AIAA runs other space-focused cybersecurity programs, such as a capture-the-flag event at this week’s RSA conference — the cyber industry’s largest — and Aerospace Village at DEFCON, one of the longest-running professional conferences for cyber pros. AIAA also has a similar agreement with Aviation ISAC.
AIAA’s and Space ISAC’s memberships include space and aerospace defense contractors, as well as companies in the budding private space industry. Space ISAC also includes the National Security Council, Air Force Space Command, the Missile Defense Agency, and NASA, among others.
“Space ISAC is in the cyber trenches. It only makes sense for us to have our legacy in science and research linked together with the practitioners,” Lee said.
Space ISAC Executive Director Erin Miller said in a press release the two groups working together “is a wonderful complement. We are formalizing our partnership now and anticipate the impact will be seen through efforts in workforce development, education, space sector cybersecurity awareness, and more.”
Breaking Defense reached out to Space ISAC for comment, but did not hear back before publication.
Many people may think cybersecurity relates only to terrestrial computers, servers, and networks, but the space industry faces unique threat vectors, such as satellite hacking. There are some shared threats, vulnerabilities, and risks, and the space industry can learn from cyber incidents in other industries, Lee noted.
“We’re watching all” these cyber incidents, Lee said. “We don’t have a parochial view, thinking that because it happened over there [in that industry], it can’t happen here [in the space industry]. When we’re thinking about cyber, we’re not just thinking about space assets. We’re obviously living in a connected way.”
Lee said that two of his primary concerns for space industry cybersecurity are similar to those other industries face.
“I think the single biggest sorts of concerns and issues with space cyber is the interface between enterprise IT and [operational technologies] to control launches and systems,” Lee said. As Breaking D readers know, the NSA recently advised all industries to review their OT security. The Colonial Pipeline and Florida Oldsmar Water Treatment Plant cyber incidents highlight OT security concerns in other industries.
“The other thing is supply chain,” Lee said, referring to the SolarWinds incident. “What are the chips, gadgets, and code that are inside our systems? It’s a growing concern.” And the space supply chain risks are getting more complex as the industry grows. “It’s like we’re a victim our own success,” Lee said. “When things were smaller, it was easier to keep the bad guys out.”
Lee noted that people in the space industry focus on design and development, with cybersecurity often occurring only as an afterthought — which isn’t too different from many industries. He wants to see that change. “Right from conceptualization, the same way we think of safety, we should think about cybersecurity as well,” he said. “We’d never design and build anything mature without robust conversation between the people who build wings and engines and the people who design the bus.”
This isn’t the first time the two organizations have collaborated. In 2020, Space ISAC and AIAA partnered on a cyber-focused tabletop exercise at AIAA’s ASCEND conference, which brought together 3,000 aerospace professionals from around the globe. The plan is to build upon past efforts and expand them into the future.
“This is a long game,” Lee said. “It’s going to take time for this take hold.”
Gloss