Lessons In Risk Management From NASA’s Space Security: Best Practices Guide
Securing technology is hard. It’s another challenge entirely when that technology operates off our planet. Space systems — a combination of ground systems, space vehicles, and networks designed to perform space-based tasks — are comprised of complex, interconnected technologies that require their own discipline of resilient engineering. And it depends on risk management.
For years, space security largely fell under the military’s purview, but as the commercial space economy grows and scientific space missions become more complex, the need for standards and best practices for civilian and private organizations is at an all-time high. The US National Aeronautics and Space Administration (NASA) has published its Space Security: Best Practices Guide, and it is a significant milestone that benefits not only NASA’s space missions but also international partners, private industries, and academia working in the expanding fields of space exploration and development. While this guide will undoubtedly innovate space security practices, four features stand out that organizations in any industry and of any size can use in creating their own risk-informed practices. It:
- Prioritizes effective risk management over rote compliance. Space systems are not immune to cyber risk and face a unique set of threats and vulnerabilities. The guide establishes a working risk management framework by outlining secure principles that space missions should design for while also providing references to threat actor capabilities, security controls, and performance parameters that the reader can use in a risk assessment to determine system design requirements. Similarly, your risk management framework (in any risk domain — not just space) should establish risk management principles and resources to enable risk analysis rather than a laundry list of compliance requirements.
- Aligns with industry security frameworks to promote a standard approach. In the past, space system security controls and threats were often documented as unique operational standards for select space technologies. Instead, NASA’s guide focuses on the end-to-end capabilities of a space mission and identifies relevant security controls from NIST SP 800-53 directly. Going a step further, the guide also leverages the MITRE ATT&CK framework to identify relevant threat actor tactics, which helps operators evaluate and prioritize mitigating security controls. Root your risk management approaches in industry standards and resources.
- Is an open resource for public and private organizations. For those of us who have worked in the aerospace and defense sectors, we know that there are few space security resources we can access or share without the right level of security clearance. Instead, by focusing on general space security principles that scale to mission projects of any size and making this guide publicly available, it becomes a valuable resource for all without being encumbered by technical or classified discussions about threats and vulnerabilities. Risk management is a methodology and not one to gate-keep. Make your risk management policies, standards, and resources easily and readily available to your ecosystem.
- Incorporates space mission resilience principles with cybersecurity. The guide introduces two distinct categories of space security principles: space mission and ground segment. These principles reflect research and lessons learned from the National Institute of Standards and Technology, the Department of Defense, the Aerospace Corporation, and internal NASA missions. The guide also adds key performance parameters (prevent, mitigate, and recover) to help operators design systems for mission survivability and resilience. Your risk management framework, similarly, should explicitly and measurably align with your business and operating strategy. Clearly identify stakeholders and incorporate a continuous improvement cycle to capture lessons learned.
The space environment is increasingly congested, contested, and competitive — meaning more equipment in orbit, more advanced threat capability to disrupt or destroy space-based services, and more economic demand for space access. While not all businesses deal with the space environment, they can still relate to the operational complexity and risk inherent to their industry. Whether you’re a member of the space community or any other industry, schedule a guidance session or inquiry call with me to learn how you can incorporate the Space Security: Best Practices Guide into your security program or leverage its approach to enhance your enterprise risk program.