29 May 2021

Space Organizations Partner To Boost Cybersecurity


WASHINGTON: Two prominent aerospace industry groups are cooperating on cyber information sharing, awareness, education, and outreach to improve the security of space operations.

The agreement between the American Institute of Aeronautics and Astronautics and the Space Information Sharing and Analysis Center comes at a time when recent cyber incidents in other industries have highlighted a deficit of info sharing. The apparent lack of info sharing has recently been raised numerous times by Congress and others, as well as addressed for defense contractors and federal entities in the recent cyber executive order.

This agreement is noteworthy because the space industry is proactively moving ahead on cyber info sharing instead of waiting to be compelled to act by the government through law or regulation. There is broad consensus across the cybersecurity industry, key federal agencies (e.g., CISA), and Congress on the need for and benefits of improved cyber info sharing, but such initiatives can stall on sticking points of how, precisely, to do so. This partnership could serve as a model of what’s possible for other industries on cybersecurity info sharing, awareness, education, and communication.

“One of the things we’re thinking of in terms of advancing the art and science of aerospace is that cybersecurity information sharing happens at much more fundamental levels,” Steve Lee, AIAA’s senior manager for cybersecurity and new product development, told Breaking Defense in an interview. “We’re often talking past each other,” he said, noting the importance of things like a shared vocabulary when communicating about cybersecurity.

The collaboration expands both organization’s efforts. Space ISAC will provide cyber-specific information and resources directly applicable to the aerospace industry. AIAA will contribute expert sector-specific knowledge, as well as industry, educational, and publishing reach.

Space ISAC, started in 2019, is one of the newest of 25 national ISACs set up since the 1990s to help industry sectors to thwart and recover from cyberattacks by sharing information on vulnerabilities, mitigation measures, and response options. As Breaking D readers may remember, the Space ISAC was a key priority for the last administration’s National Security Council.

AIAA is the world’s largest aerospace technical society. In addition to this partnership, AIAA runs other space-focused cybersecurity initiatives, such as a capture-the-flag event at this week’s RSA conference — the cyber industry’s largest — and Aerospace Village at DEFCON, one of the longest-running industry conferences for cyber pros. AIAA also has a similar agreement with Aviation ISAC.

AIAA’s and Space ISAC’s members include aerospace defense contractors, as well as companies in the budding private space sector.

“Space ISAC is in the cyber trenches. It only makes sense for us to have our legacy in science and research linked together with the practitioners,” Lee said.

Space ISAC Executive Director Erin Miller said in a press release the two groups working together “is a wonderful complement. We are formalizing our partnership now and anticipate the impact will be seen through efforts in workforce development, education, space sector cybersecurity awareness, and more.”

Breaking Defense reached out to Space ISAC for additional comment, but did not hear back before publication.

Many people may think of cybersecurity only in relation to terrestrial computers, servers, and networks, but the space industry faces unique threat vectors, such as satellite hacking. There are also some shared threats, vulnerabilities, and risks, and the space industry can learn from cyber incidents in other industries, Lee noted.

“We’re watching all” these cyber incidents, Lee said. “We don’t have a parochial view, thinking that because it happened over there [in that industry], it can’t happen here [in the space industry]. When we’re thinking about cyber, we’re not just thinking about space assets. We’re obviously living in a connected way.”

Two of Lee’s primary concerns about space industry cybersecurity are similar to those other industries face.

“I think the single biggest sorts of concerns and issues with space cybersecurity is the interface between enterprise IT and [operational technologies] to control launches and systems,” Lee said. As Breaking D readers know, the NSA recently advised all industries to review their OT security. The Colonial Pipeline and Florida Oldsmar Water Treatment Plant cyber incidents highlight OT security concerns in other industries.

“The other thing is supply chain,” Lee said. “What are the chips, gadgets, and code that are inside our systems? It’s a growing concern.” And the space supply chain risks are getting more complex as the industry grows. “It’s like we’re a victim of our own success,” Lee said. “When things were smaller, it was easier to keep the bad guys out.”

Lee noted that people in the space industry often focus on design and development, with cybersecurity usually occurring only as an afterthought — which isn’t too different from many industries. He wants to see that change. “Right from conceptualization, the same way we think of safety, we should think about cybersecurity as well,” he said. “We’d never design and build anything mature without robust conversation between the people who build wings and engines and the people who design the bus.”

The two organizations have collaborated in the past. In 2020, Space ISAC and AIAA partnered on a cyber-focused tabletop exercise at AIAA’s ASCEND conference, which brought together 3,000 aerospace professionals from around the globe. The plan is to build upon past efforts and expand them into the future.

“This is a long game,” Lee said. “It’s going to take time for this to take hold.”

No comments: