Data Protection, but in Space with Space Policy Directive 5

In recent months, we have received more questions than ever before about disadvantaged or low bandwidth environments and the associated risks to data coming out of these environments.  The challenges, as well as some of the possible ways forward, are clearly demonstrated by the Space Policy Directive that was released earlier this month.

What is Space Policy Directive 5?

On September 4th, 2020, Space Policy Directive 5, Cybersecurity Principles for Space Systems was released.  The policy identifies space as critical infrastructure and therefore, it should be treated with the same risk management approach and cybersecurity as other critical infrastructure sectors. The cybersecurity of critical infrastructure has been a priority for decades as demonstrated by efforts like the NIST Cybersecurity Framework in 2013, yet remains a challenge despite hard work and positive momentum due to legacy equipment, difficult operating environments, and the unique skillsets required. Securing operations in space adds additional complexity.  

The policy explains that “Space systems enable key functions such as global communications; positioning, navigation, and timing; scientific observation; exploration; weather monitoring; and multiple vital national security applications. Therefore, it is essential to protect space systems from cyber incidents in order to prevent disruptions to their ability to provide reliable and efficient contributions to the operations of the Nation’s critical infrastructure.”

The risks to space operations are highlighted in the policy and include “spoofing sensor data” with outcomes such as “loss of mission data”.  Of course, there are also risks to the satellites and vehicles, but with this hardware being reliant on software and networks just like any other mission environment, it is important to note that risks to the data itself and the need for data protection is included.  

Cybersecurity Best Practices for Space

In the Principles section of Space Policy Directive 5, specific guidance outlines focus areas that echo other critical infrastructure cybersecurity best practices—such as secure engineering practices, actively managed configurations, and cybersecurity planning and risk assessments. 

Additionally, several Principles highlight the need for data protection and encryption: 

• “Safeguarding command, control, and telemetry links using effective and validated authentication or encryption measures…”
• “Protection against communications jamming and spoofing, such as signal strength monitoring programs, secured transmitters and receivers, authentication, or effective, validated, and tested encryption measures… “
• “Protection of ground systems, operational technology, and information processing systems through the adoption of deliberate cybersecurity best practices. This adoption should include practices aligned with the National Institute of Standards and Technology’s Cybersecurity Framework…”

Although this foundational policy aligns space with other critical infrastructure sectors, it leaves open the question of how this may be applied in the unique challenges in space. 

Prepare to Launch (Securely)

Despite the policy being aligned with other critical infrastructure guidance (and therefore not come as a shock to space mission owners), there are policy, program, and technology improvements needed to make this policy guidance a reality. Specifically, the policy needs to align the requirements to the operating reality that includes very challenging bandwidth constraints, and mission technology where security was likely not built-in and is extremely expensive to replace. 

As with other critical infrastructure, Virtru is positioned to support the space industry and the goals of the policy through tailored capabilities.  With a focus on bandwidth and protecting data from unattended devices (are most devices in space unattended? The truth is out there), the Virtru team has been working on a low Size, Weight, and Power (SWaP) solution to enable data collection where it is needed based on the open, ODNI approved Trusted Data Format (TDF). 

Known as the NanoTDF, this version of the TDF protects data with just 48 bytes of overhead. This FIPS-compliant configuration includes AES-GCM 256 and ECC 256-bit public key encryption for max payloads of up to 2 megabytes. When integrated into a device that will be operating in space, the NanoTDF combined with Virtru key management and policy management will allow mission owners to not just follow the intent of the policy, but enable technical trust in the data they are using.  

While space does have unique characteristics and challenges, some of the goals outlined in the policy with regard to how an organization can work effectively and securely with partners to enable trust, is something that every organization can build into their security program. Some of the policy’s more process-oriented recommendations are not new or different, but they exist to make the future of space more secure. Fortunately, many organizations will have existing expertise and programs that already support the policy goals and, hopefully, this policy provides additional justification and prioritization for those efforts. 

With the introduction of the Space Force and the release of this Directive, it is clear that every organization involved must consider the security and mission impacts of what they are building or how they are supporting the space industry. As these initiatives and programs mature it is imperative that security is at the forefront and that solutions align with existing best practices while supporting operations in the unique space environment.

Interested in learning how Virtru can support your mission? Contact us to learn more or talk about space!