Pioneering Space Cybersecurity — How Aerospace Corporation’s Guidance Aligns with New Executive Order

The Aerospace Corporation
Published in Aerospace TechBlog, Jan 17, 2025

Authors: Brandon Bailey and Paul de Naray; January 2025

As the national security cybersecurity threat landscape continues to evolve, particularly in the space domain, the federal government has adjusted required cybersecurity capabilities to safeguard national assets. The newly published Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity directs the CNSS to update space system cybersecurity practices for hardware-based security measures like secure booting, robust methods of intrusion detection and command authentication, and more responsive system protection through security patching. These recommendations are encouraging as they track the analysis and research at the forefront of space national security system (NSS) cybersecurity. We have previously examined and captured these concepts over the past five years through work that includes: initial calls to action for space NSS risk and possible countermeasures in the 2019 Defending Spacecraft in the Cyber Domain; defining threat-based risk mitigation to space NSS and how defense-in-depth concepts assist protection in the 2021 TOR-2021–01333 Rev A; and most recently integrating and formalizing these concepts under CNSS guidance recommendations for cybersecurity control baseline tailoring, enriched control selection rationale, and sample requirements to guide formal acquisition efforts in the 2023 TOR-2023–02161 Rev A.

All these publications have been cleared for public release to encourage adoption across space NSSs, commercial providers of space NSS capability, and the wider federal government and international space enterprise. Furthermore, The Aerospace Corporation has provided the SPARTA framework as a publicly available website that serves as a common knowledge base to assist and guide system security engineering efforts. We find that The Aerospace Corporation’s work has contributed significantly as groundwork for many of the principles now recognized as essential by the latest Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. To further aid understanding and adoption of capabilities outlined in the executive order, we provide an overview of these concepts through SPARTA-based knowledge.

Intrusion Detection

Space vehicles (SVs) operate in isolated environments where they may be targeted by sophisticated adversaries. An onboard SV intrusion detection and prevention system (IDPS) enables the early detection of malicious activities in real time, so the SV can take immediate action to prevent further damage. While the EO does not specify “prevention” measures, we interpret them as implied in the direction, since there is little value in performing detection without response and prevention based on that detection. Considering typical gaps in communication between ground control and an SV due to ground station coverage, an SV must have autonomous capabilities to respond to threats. These capabilities can be critical for maintaining mission continuity and safety during continuous SV operation.

The Executive Order’s direction for cyber intrusion detection and prevention aligns with Aerospace’s advocacy for implementing these capabilities into spacecraft and ground stations. Aerospace has examined the deployment of IDPS mechanisms across both ground systems and space vehicles. The 2019 paper, Defending Spacecraft in the Cyber Domain, explains:

“The backbone of a cyber-resilient spacecraft should be a robust intrusion detection system. The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states. From a telemetry monitoring perspective, several parameters exist that have the highest likelihood of indicating a cyberattack against a spacecraft and should be actively monitored on the ground and looking into the future onboard the spacecraft with the IDS. The IDS should implement both signatures and machine-learning based anomaly detection techniques.”

This was later emphasized in TOR-2021–01333 Rev A via the threats SV-DCO-1, SV-MA-5, and SV-AV-6 where recommended cyber requirements were published stating “the SV shall have intrusion detection, intrusion prevention, and auditing/logging capability on-board the SV that can alert and downlink onboard cyber information to the mission ground station.” This requirement was further decomposed into lower-level requirements within the document and has since been incorporated into SPARTA under the countermeasure On-board Intrusion Detection & Prevention. The specific cybersecurity controls associated with this countermeasure are further captured in TOR-2023–02161 Rev A through the notional maximum and minimum control baselines. This work demonstrates robust rationale and guidance to incorporate intrusion detection and prevention into space NSS acquisitions.

Moving beyond guidance, Aerospace has also recently demonstrated SV onboard intrusion detection with the SpaceCOP (previously named Starshield) prototype that was operated within the on-orbit SLINGSHOT-1 CubeSat. This capability investigated machine learning model development for command anomaly prediction, telemetry anomaly prediction, vehicle bus traffic pattern prediction, and system state anomaly detection. The capabilities and results are described further in report OTR 2024–00598, which has been approved for public release.
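The monitoring approach quoted above (signature rules over command sequences, anomaly detection over telemetry, and audit records held for downlink) can be sketched as follows. This is an added example, not code from Aerospace, SPARTA, or SpaceCOP; the opcodes, contact window, and telemetry values are constructed, and a robust z-score stands in for the machine-learning models the paper calls for.

```python
from statistics import median

# Constructed command log: (mission time in s, hypothetical opcode, authenticated?)
COMMANDS = [
    (100, "NOOP", True),
    (160, "SET_MODE", True),
    (900, "FSW_UPLOAD", True),   # arrives outside any scheduled ground pass
    (905, "SET_MODE", False),
    (906, "SET_MODE", False),
    (907, "SET_MODE", False),    # third authentication failure in a row
]
CONTACT_WINDOWS = [(0, 300)]     # constructed schedule of ground contacts (s)
# Constructed bus-current telemetry samples (amps)
TELEMETRY = [1.02, 0.98, 1.01, 0.99, 1.00, 1.03, 0.97, 2.40, 1.01]

def signature_alerts(commands, windows, max_auth_failures=3):
    """Rule-based checks over the command stream."""
    alerts, failures = [], 0
    for t, opcode, authenticated in commands:
        in_window = any(start <= t <= end for start, end in windows)
        if opcode == "FSW_UPLOAD" and not in_window:
            alerts.append((t, "SIG_UPLOAD_OUTSIDE_CONTACT"))
        failures = 0 if authenticated else failures + 1
        if failures == max_auth_failures:
            alerts.append((t, "SIG_REPEATED_AUTH_FAILURE"))
    return alerts

def anomaly_alerts(samples, threshold=6.0):
    """Flag samples whose robust z-score (median and MAD) exceeds the threshold."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples) or 1e-9  # avoid divide-by-zero
    return [(i, "ANOM_TELEMETRY") for i, x in enumerate(samples)
            if 0.6745 * abs(x - med) / mad > threshold]

def downlink_queue():
    """Audit records the SV would hold for the next ground contact."""
    return signature_alerts(COMMANDS, CONTACT_WINDOWS) + anomaly_alerts(TELEMETRY)

if __name__ == "__main__":
    for record in downlink_queue():
        print(record)
```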

Use of Hardware Roots of Trust for Secure Booting

Aerospace has examined methodologies for securing space systems against evolving threats that could target SV boot memory and initialization sequences. Root of trust was first discussed in the 2019 paper Defending Spacecraft in the Cyber Domain as being necessary for future SV architecture.

“It is important for the computing module to be able to access a set of functions and commands that it trusts; that is, that it knows to be true. This concept is referred to as root of trust (RoT) and should be included in the spacecraft design. The RoT serves as a separate compute engine controlling the trusted computing platform cryptographic processor. The RoT computing module should be implemented on radiation-tolerant burn-in (nonprogrammable) equipment. With RoT, a device can always be trusted to operate as expected. RoT functions, such as verifying the device’s own code and configuration, must be implemented in secure hardware. By checking the security of each stage of power-up, RoT devices form the first link in a chain of trust that protects the spacecraft.”

The Aerospace Corporation has further matured hardware root of trust and secure boot mechanisms through the definition of threat SV-AV-3, which then drove definition of secure initialization sequences in the SPARTA framework with the Compromise Boot Memory countermeasure that ensures only verified and trusted software is executed during the boot process. The SPARTA framework further outlines a series of countermeasures designed to provide a comprehensive defense against such attacks. These countermeasures include:

· Software Digital Signature: Requiring that all software used during the boot process is signed with digital signatures, ensuring authenticity and integrity before execution.

· Secure boot: Establishing secure boot protocols that rely on hardware roots of trust, preventing compromised or unauthorized software from executing during system initialization.

· Tamper Protection: Incorporating physical and software-based measures to detect and prevent unauthorized access or manipulation of boot memory components.

SPARTA extends beyond root of trust by recommending other countermeasures to ensure provenance is maintained for spacecraft software.

· Software Source Control: Ensuring that all software sources are monitored, managed, and verified to maintain the integrity of boot sequences.

· Configuration Management: Maintaining strict version control and configuration protocols to track changes and verify that only approved software versions are used in critical boot processes.

Development and Deployment of Security Patches

When considering Space NSS architectures in comparison to traditional enterprise IT solutions, these systems will likely face unique challenges for effective patch management. SVs operate in an isolated environment where human physical access almost never occurs, and this drives the development of remote and resilient patching strategies. If there is an issue with software patching, then physical intervention for recovery, such as external drive boot recovery, will not be possible. Additionally, mission operations demand near-constant uptime for critical space capabilities, and this means that patch deployment must be carefully coordinated to avoid unnecessary mission disruption. Furthermore, many currently operational systems utilize less-current technology that may not be readily patched without significant engineering work. As a final challenge, SV patching includes the factors of limited size, weight, and power (SWaP) available on these remote platforms. Without deliberate efforts to consider SWaP for security patching, there will be limits in the amount of capability available to leverage for redundant and resilient patching concepts.

To address these unique challenges there will need to be specific efforts applied for implementing tailored SV patch management processes. Aerospace TOR-2021–01333 Rev A underscored the importance of developing secure and resilient processes for patching space system vulnerabilities without compromising mission operations. Specifically, threat SV-SP-9 highlighted the inherent risks associated with software updates and stressed that the patch management architecture must be designed from the outset to minimize these risks. This threat is addressed in SPARTA through associated countermeasures and sample requirements at varying specificity to guide the acquisition of capability for on-orbit software updates.

Aerospace’s guidance emphasizes that the update process itself can become a potential attack vector if not properly engineered. SPARTA expands on this by detailing countermeasures that ensure robust configuration management, rigorous testing protocols, and secure transmission methods are in place before a software update occurs. This proactive approach includes a focus on validating patches through dynamic and static testing, ensuring compatibility with existing mission-critical software, and monitoring for any anomalies post-deployment. The framework also highlights the significance of addressing known vulnerabilities, as the method of exploiting unpatched systems is a well-established adversarial approach. SPARTA’s guidelines help prevent known vulnerabilities from becoming points of compromise by ensuring software patching, including operating systems, is managed appropriately. A further consideration for secure patching will be the combination of these capabilities with root of trust capability. A root of trust enables secure recovery of SV software in cases of malicious and unintended effects. An effective security patching capability should consider resilience aspects provided by root of trust to enable remote recovery.
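The chain of trust from the secure boot section and the root-of-trust recovery described above can be combined in one boot flow, sketched here as an added example that is not code from Aerospace or SPARTA. HMAC-SHA256 stands in for the digital signature a real design would verify with key material held in the RoT; the key, slot names, and images are constructed.

```python
import hashlib, hmac, json

ROT_KEY = b"constructed-demo-key"  # assumption: stands in for key material held in the RoT

def _tag(body):
    # HMAC-SHA256 is a stand-in here for verifying a digital signature
    return hmac.new(ROT_KEY, body, hashlib.sha256).digest()

def seal(stages):
    """Ground side: list the digest of every boot stage and authenticate the list."""
    digests = [hashlib.sha256(s).hexdigest() for s in stages]
    body = json.dumps({"digests": digests}).encode()
    return body, _tag(body)

def make_slot(stages):
    return {"stages": list(stages), "manifest": seal(stages)}

def verify_slot(slot):
    """RoT side: return None if the slot may boot, else the reason it may not."""
    body, tag = slot["manifest"]
    if not hmac.compare_digest(_tag(body), tag):
        return "manifest authentication failed"
    digests = json.loads(body)["digests"]
    if len(digests) != len(slot["stages"]):
        return "stage count mismatch"
    for i, (stage, want) in enumerate(zip(slot["stages"], digests)):
        if not hmac.compare_digest(hashlib.sha256(stage).hexdigest(), want):
            return f"stage {i} digest mismatch"
    return None

def boot(slots, order=("patched", "golden")):
    """Try the patched slot first and fall back to the golden image."""
    log = []
    for name in order:
        error = verify_slot(slots[name])
        log.append((name, error or "verified"))
        if error is None:
            return name, log
    return None, log  # nothing verifiable: hold in safe mode and report

def demo():
    # Constructed images: a patch whose second stage was corrupted in transit
    slots = {"golden": make_slot([b"bootloader-1", b"flight-sw-1"]),
             "patched": make_slot([b"bootloader-1", b"flight-sw-2"])}
    slots["patched"]["stages"][1] = b"flight-sw-2 (corrupted)"
    return boot(slots)

if __name__ == "__main__":
    print(demo())
```

The returned log doubles as the audit record to downlink, so ground operators learn why the patched slot was rejected.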

By integrating these principles, Aerospace guidance not only calls for secure patching mechanisms but also frames a comprehensive approach to maintain spacecraft integrity, ensure operational continuity, and mitigate the evolving threat landscape targeting software vulnerabilities. The Executive Order’s push for development, testing, and deployment of security patches reflects Aerospace’s longstanding focus on resilient patching strategies that are vital to maintaining secure spacecraft operations.

Conclusions

The Aerospace Corporation’s proactive research demonstrates a forward-thinking approach to securing space NSS. As the federal government and international bodies increasingly endorse key cybersecurity measures, Aerospace has performed foundational analysis of these concepts through years of research and publication in the interests of NSS customers. Aerospace has consistently pushed to examine and define guidance supporting the emerging priorities of policymakers and standards organizations worldwide. SPARTA’s alignment with these evolving standards highlights Aerospace’s long-term commitment to developing resilient security architectures that protect mission-critical operations from evolving adversarial tactics.

Ultimately, Aerospace’s contributions through publications, frameworks, and guidance highlight a comprehensive strategy for securing space missions. By integrating threat-informed policies, practical countermeasures, and robust testing methodologies, Aerospace proactively provides knowledge to protect and secure the space domain from cyber and counterspace threats, ensuring mission success and the resilience of space infrastructure.

The official technical blog of The Aerospace Corporation. Visit us at aerospace.org.
