PAPERJULY2018CYBERSECURITYPROJECTJobOneforSpaceForce:SpaceAssetCybersecurityGregoryFalcoCyberSecurityProjectBelferCenterforScienceandInternationalAffairsHarvardKennedySchool79JFKStreetCambridge,MA02138:AsetofNanoRacksCubeSatsisdeployedfromtheInternationalSpaceStation,February25,2014.(NASA/iss038e056389)Copyright2018,PresidentandFellowsofHarvardCollegePrintedintheUnitedStatesofAmericaCYBERSECURITYPROJECTPAPERJULY2018JobOneforSpaceForce:SpaceAssetCybersecurityGregoryFalcoiiJobOneforSpaceForce:SpaceAssetCybersecurityAbouttheAuthorGregoryFalcoisaResearchFellowwiththeBelferCenter’sCyberSecurityProjectatHarvardKennedySchool.HereceivedhisPhDinCybersecu-rityfromMIT’sComputerScienceandArtificialIntelligenceLaboratory(CSAIL)andearnedhismaster’sdegreefromColumbiaUniversityandundergraduatedegreefromCornellUniversity.HeisanexpertinIndus-trialInternetofThings(IIoT)cyber-physicalsystemsecurity.HisresearchfocusesonanalyzingcyberrisktocriticalinfrastructureusingAIplan-ning,datascienceandqualitativemethods.Muchofhisworkhasfocusedonthesecurityofsmartcities’industrialcontrolsystemsusedincriticalinfrastructureincludingelectricgrids,waternetworksandtransportationsystems.HehaspioneeredthefieldofDefensiveSocialEngineering—atoolboxofnon-technicaldefensesthatemployssocialengineeringmethodsagainsthackers.GregisanAdjunctProfessoratColumbiaUniversitywhereheteachesclassesonmachinelearning,bigdataandsmartcities.HeisalsotheCo-founderandCEOofNeuroMesh,anIoTmanagedsecurityandend-pointprotectioncompanythatispilotingitstechnologywithmajorutilitiestosecuretheroutingandsmartmeteringinfrastructureoftheSmartGrid.Previously,GreghasworkedasasecurityresearcherforNASA’sJetPro-pulsionLaboratoryoncuttingedgeAI-basedriskassessmentformissioncriticalIoTandwasanexecutiveatAccenturewherehefoundedtheSmartCityStrategyDivision.HewillbeginhispostdoctoralstudiesatStanfordUniversityintheFallwherehewillteachcoursesonCyberRisk.iiiBelferCenterforScienceandInternationalAffairs|HarvardKennedySchoolTableofContentsExecutiveSummary...........................................................................1Whyarespacesystemsanattractivetarget?...............................4Whatattackshaveoccuredonthesesystems?.............................7Whyarespaceassetssovulnerabletoday?.................................10Whatisbeingdonetodaytosecurethesesystems?...................15Recommendations..........................................................................19Whatcanspaceassetorganizationsdo?......................................................19Whatcanpolicymakersdo?...........................................................................22WhatcantheDepartmentofHomelandSecuritydo?................................23Conclusion.......................................................................................26Acknowledgements.............................................................................................27CoverImageAsetofNanoRacksCubeSatsisdeployedfromtheInternationalSpaceStation,February25,2014.(NASA/iss038e056389)1BelferCenterforScienceandInternationalAffairs|HarvardKennedySchoolExecutiveSummaryWhenwethinkaboutcriticalinfrastructure,thefirstassetsthatcometomindincludetheelectricgrid,waternetworksandtransportationsystems.Furtherunpackingthedefinitionofcriticalinfrastructure,weconsiderindustriessuchasagriculture,defenseorthefinancialsector.However,werarelythinkaboutwheretheunderlyingsystemsthatenabletechnologyfunctionalityacrossthesesectorsphysicallyreside,whodevelopedthetechnology,andwhocanaccessandmanagethattechnology.MuchoftheUnitedStates’criticalinfrastructurereliesonspacesys-tems.Idefinespacesystemsasassetsthateitherexistinsuborbitalorouterspaceorgroundcontrolsystems—includinglaunchfacilitiesfortheseassets.Spaceassetorganizationsareorganizationsthatbuild,operate,maintainorownspacesystems.Someexamplesofcriticalinfrastructure’srelianceonspacesystemsareagribusiness’relianceonweatherandclimatesatellites,theU.S.military’srelianceonintel-ligencesatellites,andvarioustransportationindustries’relianceonglobalpositioningsystem(GPS)satellites.Severalcriticalinfrastruc-turesectorsalsorelyonspacesystemsforglobalcommunications.Wealsorelyonspacesystemsforscientificdiscovery,whichoftenrequireshighlyspecializedandadvancedequipment.Suchequipmentoriginallydesignedforscientificdiscoveryislaterusedincriticalinfrastructuresectorsuponfurthertestingandcommercializationoftheintellectualproperty.DespiteeffortstoimprovethecybersecurityofcriticalinfrastructureintheU.S.,therehasbeenlittlefocusoncybersecurityforspacesys-tems.Whilesecuritystandardsforcriticalinfrastructureareoftentechnicallysufficienttodetermanyattacks,theyremainachallengetoimplementduetotimeandresourceconstraints.1Spacesystems,how-ever,aremorecomplexthancri