End-to-End Security Management of Space Systems using COSMOS2

Terrestrial critical infrastructures have long relied on satellite systems to operate effectively, including for communications, positioning, navigation, timing, and Earth observation. With the onset of the second space race, many new applications and services are rapidly being deployed, often including novel technologies and little security planning or testing due to time and budget pressures. 

There is a growing body of research that seeks to understand the security implications of New Space and provide novel solutions and mitigation strategies to secure space systems in the contemporary threat landscape, particularly since the Russian invasion of Ukraine, which involved several targeted and strategic attacks against international space infrastructure.

This article provides an overview of the outcomes of a multi-year research project resulting in the novel COSMOS2 (Contemporary Ontology for the Security Management of Space Systems) framework, developed through iterative feedback from space security experts across 10 countries. The framework includes a definition for space systems security and a tabular taxonomy encompassing the protection of five segments (Ground, Space, Communications, Human, and Governance) against four threat categories (Non-Malicious, Cyber, Electromagnetic, and Kinetic), as depicted in Figure 1.

Figure 1 - COSMOS2 Taxonomy Table

Background

Many countries have recently updated their policies and legislative frameworks to recognise space systems as critical infrastructure and invest in their national space security capability. Some examples of this include Australia’s amendment to the Security of Critical Infrastructure (SOCI) Act to designate Space Technology as critical infrastructure and mandate a minimum level of security governance, the European Union's recognition of space as a vital asset, and the United States’ Space Policy Directive 5 that outlines cyber security principles for space systems. 

Additionally, both the US and China have established independent space forces, including the United States Space Force and the People’s Liberation Army Strategic Support Force. Many other countries also incorporate space security into their existing military or governmental structures, such as the French Air and Space Force, Iranian Islamic Revolutionary Guard Corps Aerospace Force, the Indian Defence Space Agency, Russian Aerospace Forces, and the Australian Defence Space Command.

Despite the increase in incidents and national programs to improve the security of space systems, the space system security discipline and domain are still rarely understood by policy makers and space system operators alike. Without this foundational understanding, efforts to enhance the security of space systems may be disjointed, improperly prioritised, or lack a comprehensive approach that is effective in defending these critical systems from adversarial interference.

COSMOS² Overview

After a year’s worth of iterative expert feedback and a focus group to confirm and consolidate findings, the COSMOS2 framework was deemed appropriate for use across all types of space systems and segments. It was then tested on several operational space systems for verification, including a launch facility, ground station network, and the satellite vehicle itself. The results demonstrated the versatility and viability of the tool for assessing high-level end-to-end security measures, as well as identifying gaps in the overall space system security program.

Before delving into the details of the framework, it is first important to establish a common understanding of the scope of an end-to-end space system and to define the objective of a space system security program. 

The formal definition for space system security was determined to be “assurance of the services, control, and confidentiality of a space system throughout its lifecycle, including all ground, communications, and space components, as well as the people, data, processes, and supply chains that enable it.” 

In short, this definition posits that the core functions of a space system that requires security assurance includes the services, control, and confidentiality of the system, including all its components that are necessary to deliver these three capabilities. Without services, a space system offers no benefit to society or to its owners and operators. A loss of control often leads to permanent loss of the spacecraft and can cause significant environmental impacts in space, including the potential for a cascading failure (i.e., the Kessler Effect). Confidentiality is important in some space systems, particularly when there is a government use-case or a commercially sensitive payload that needs protection.

There are five segments to consider when assessing an end-to-end space system, with each segment commonly crossing multiple organisational and national boundaries to deliver the final capability:

1. Governance segment
2. Human segment
3. Ground segment
4. Space segment
5. Communications segment

Figure 2 Space System Segmental Interrelationships

The relationship between each segment can be modelled as per Figure 2. To summarise, the Governance segment refers to any components or activities that relate to managing and improving the system, such as research, procurement, legal, compliance, business processes, and public relations. The Human segment captures any human interaction or control of the system, such as personnel, users, astronauts/cosmonauts, safety, human factors, and security culture. The Ground segment is commonly understood to include components such as teleports, user terminals, traffic management, launch facilities, simulators, manufacturing facilities, and mission control. The Space segment includes any components launched into orbit or beyond, such as the satellite or rover vehicle, onboard power systems, propulsion, space-based weaponry, and life support. The final segment that needs to be considered as part of a COSMOS2 assessment is the Communications segment (also known as C3, or Communications, Control, and Computing), which includes cybernetic components of the system such as control signals, sensors, data, radio links, software, and onboard processing.

Each segment detailed above is represented by the columns in the COSMOS2 taxonomy table at Figure 1. The rows of the taxonomy table refer to the broad threat categories that face space systems, including non-malicious, cyber, electromagnetic, and kinetic adverse events. Some examples of these threats are provided in Table 1 below:

Table 1 – Space system threats and adverse events

Implementation and Case Study

The taxonomy table at Figure 1 provides a visual methodology for understanding, evaluating, and communicating concepts related to the security of space systems. The framework is intended to be applicable, at a foundational level, to any given space system and to account for any given security threat. COSMOS2 can be used to underpin space system security standards, strategies, programs, risk assessments, and research efforts, as well as for industry practitioners to comprehensively assess their security posture and identify any high-level weaknesses in their security programme.

This is achieved through a cell-by-cell analysis of the system in question, stepping through each type of threat against each segment and identifying high level security strengths and weaknesses for each. An example is provided below for an operational launchpad mission control system with colour coding to highlight the general security posture of each segment against each threat category (note that the colour-coding has been applied as an ad-hoc visual aid and should mimic the risk appetite of the system owner or operator when implemented pragmatically):

Table 2 - Example COSMOS2 assessment for a Launchpad Mission Control system

The assessment at Table 2 serves as a light-touch example of the COSMOS2 tool in use. The level of detail in a formal security assessment can be as high or low-level as desired and should be aligned to the organisational risk management framework. Some systems require much more stringent security than others, depending on the threat level of its operating environment, the criticality of its services, and the costs associated with compromise. 

The information required to complete a COSMOS2 assessment should be readily available in security, risk, or compliance documentation and can therefore be completed as a desktop review without on-site interference. As with any desktop assessment, there are limitations to its use; most notably when considering the practical differences between security documentation versus implementation. Any assessment using this framework should be considered in tandem with other security reports and activities to ensure a robust and reliable approach to space system security management.

Conclusion

The past 60 years has seen space transform from an arena for politics to a critical infrastructure on which all of society heavily depends. In light of the newfound global appetite for space development and the rapidly expanding threat environment, a need for a common understanding of space systems security has emerged. 

This article summarises the novel COSMOS2 framework, developed through iterative feedback from space security experts around the world and published in early 2023. The COSMOS2 framework includes a definition for space systems security and a tabular taxonomy encompassing the protection of five segments (Ground, Space, Communications, Human, and Governance) against four threat categories (Non-Malicious, Cyber, Electromagnetic, and Kinetic). The taxonomy table provides a visual methodology for understanding, evaluating, and communicating concepts related to the security of space systems. 

The COSMOS2 framework can be used to underpin space system security standards, strategies, programs, risk assessments, and research efforts, as well as for security professionals to comprehensively assess their security posture and identify any high-level weaknesses in their security programme.