July 10, 2023 By Doug Bonderud 4 min read

In 2013, Presidential Policy Directive (PPD) 21 established 16 critical infrastructure sectors responsible for providing essential services that underpin American society.

These services are not only vital to the country’s safety and prosperity but are inherently tied to public confidence. As a result, the PPD makes it clear that “proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning and resilient critical infrastructure.” Some of the nation’s critical infrastructure sectors include commercial facilities, emergency services, food and agriculture, information technology and water and wastewater systems.

According to a new report from the Cyberspace Solarium Commission (CSC), however, the time has come to add a 17th sector: space systems.

What is the CSC?

The CSC was established in 2019 under the John S. McCain National Defense Authorization Act. Its purpose is to “develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences.”

On March 11, 2020, the CSC’s finished report was made public. It contained 82 recommendations across six pillars to help improve cybersecurity infrastructure. Under the FY2021 National Defense Authorization Act, 25 of these recommendations were codified into law. These included the strengthening of federal networks (recommendation 1.4), the establishment of an integrated cybersecurity center (5.3) and the creation of a strategy to secure email (4.5.2).

The CSC’s newest report, published in April 2023, recommends the addition of space systems as the 17th critical infrastructure sector.

Why is space next on the critical infrastructure list?

PPD-21 establishes the threshold for critical infrastructure: it must be so fundamental to the United States that “the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety or any combination of those matters.”

The CSC report makes the case for space infrastructure meeting this definition. In part, this is tied to economic impact: In 2019 alone, the space industry generated $194.4 billion. Security is also a key concern. If satellites, spacecraft or ground control centers are compromised, the result could be anything from stolen data to hijacked devices, in turn putting both physical and digital assets at risk.

Several issues compound this risk. First is the uneven application of security best practices across commercial space manufacturers — while some may obfuscate ground-to-space connections, others may rely on the insecure public internet or unprotected business networks. In addition, communications between spacecraft and ground control stations are transmitted using unencrypted, open networks that offer no protection against eavesdropping.

Finally, space technologies suffer from the same problem as other critical infrastructure sectors: legacy technologies. Some may be unable to update software or firmware, while others may lack data backups, making them vulnerable to attack.

Given the critical role of space systems and their potential security risk, the CSC report has been reviewed by the CISA, which produced its own report on the subject, and states that the CISA will “evaluate the establishment of the Space Sector as a critical infrastructure sector.”

Solving for sector risk

If space is designated as the 17th critical infrastructure sector, the next step is creating an effective, protective framework.

As noted by the CSC report, this starts with the designation of a Sector Risk Management Agency (SRMA). An SRMA is responsible for coordinating efforts with other federal agencies, carrying out incident management operations in line with current directives and providing support to help identify and mitigate potential vulnerabilities. While some experts argue that the space SRMA should be an agency already tasked with managing a critical sector, such as the Department of Homeland Security or the Department of Defense, the CSC report suggests an alternative: NASA.

According to the report, NASA not only has the sector-specific capabilities to help bolster space infrastructure security but also has a proven track record of effectively working with private sector companies to facilitate space missions. Taking on the role of SRMA would require time and effort from NASA, and so far, the agency hasn’t expressed interest in the role. In addition, the CSC recommends at least $15 million per year in supplemental funding to help NASA (or another agency) successfully handle SRMA responsibilities.

Key components of coordinated protection and prevention efforts

While space represents a shift in perspective around critical infrastructure, it shares common ground with other sectors when it comes to protection and prevention.

For example, the CSC report recommends the establishment of a space systems sector coordinating council made up of CEO-level representatives. This approach both fosters information sharing and facilitates the creation of sector-wide standards for security incident detection, reporting and response. This approach aligns with PPD-21, which highlighted the need for “the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators.”

The CSC report also suggests the creation of a co-led risk management enterprise that includes both public and private partners. This joint expertise makes it possible to identify and develop space-specific best practices and create a dynamic risk modeling environment that allows companies and agencies to anticipate and respond to potential threats. This type of shared responsibility model is already present in sectors such as the defense industrial base, which uses government-approved private contractors to manage key aspects of critical infrastructure and ensure sector best practices are keeping pace with evolving security threats.

The final frontier?

Space is on track to become the 17th critical infrastructure sector, given both its economic and national security impacts in addition to the CSC report recommendation.

In and of itself, however, space isn’t the final frontier. While both public and private agencies have a responsibility to strengthen and secure this sector, it’s the interaction of space-based infrastructures with those of other sectors (such as communication, energy and the defense industrial base) that lays the groundwork for proactive and coordinated efforts in national defense.
