Australian Cyber Security Standards and Space

Professor Matthew Warren,
Centre for Cyber Security Research and Innovation,
RMIT University.

Space and Critical Infrastructure in Australia

Australia’s critical infrastructure underpins our economy, security, and daily operations, encompassing essential sectors such as energy, transport, communications, and healthcare. Space technology is increasingly crucial for securing and optimising space infrastructure. Because of the importance in Australia of satellite based monitoring, communication, and navigation systems, the space sector has been defined as a critical infrastructure sector in Australia.

Space infrastructure is a complex web of interconnected physical and technological systems, including satellites, ground stations, launch vehicles, spaceports, spacecraft, space based sensors, communication and tracking networks, and resource utilisation capabilities. In Australia, this essential infrastructure underpins vital operations such as communication, navigation, weather monitoring, environmental surveillance, defence, and scientific research. The complexity of space infrastructure in terms of the interconnected technologies in space and ground offers major challenges from an operational and security perspective.

Australia’s Space Cyber Security Needs a Unified Plan

As the global space industry expands (its value is projected to rise from US$360 billion today to over $1.8 trillion by 2035), so does the threat of cyber security attacks. Satellites and ground systems are now critical infrastructure, making their security a national priority. While other nations are developing specific frameworks, Australia is relying on a collection of existing, general purpose laws. This poses unique challenges.

In order to protect Australia’s critical systems, the following approaches must be improved upon:

  • The ASD Essential Eight: These are excellent, foundational security controls, but they are not specialised cyber controls for space. They offer basic cyber security protections for space related systems but are not specific to the unique aspects of space cyber security, including the complex nature of space based operations.
  • Australian legal frameworks such as the Cyber Security Act 2024, Telecommunications Act, Cybercrime Legislation Act, and Radiocommunications Act all provide guidelines in relation to cyber security and critical infrastructure but do not specifically address space and its unique aspects.

As the Australian space economy grows and becomes more vital to daily life, a unified, Australian government led cyber security standard is essential. We need a clear, specific strategy to ensure our space assets are secure by design, not by chance. But what can we learn from our international partners?

Are International and Global Security Standards the answer?

International standards bodies like the IEEE (Institute of Electrical and Electronics Engineers) and ISO (International Standards Organisation) are developing space related security standards.

  • The IEEE, through its P3536 (Space System Cyber Security Design Standard) Working Group, is developing a highly specific technical standard for space based systems. This standard aims to define cyber security controls for space systems, including modules for the ground system, space vehicle, link segment, and the integration layer. The working group plans to release its security standards by the end of 2025, so it is too early to determine its impact or adoption by industry;
  • The ISO offers a broader security standard in terms of ISO/IEC 27001. This globally recognised standard for information security management systems (ISMS) provides a framework for organisations to manage and mitigate security risks. The German Bundesamt für Sicherheit in der Informationstechnik (BSI, in English the Federal Office for Information Security) has used the ISO/IEC 27001 security standard to develop its own dedicated German security standards, which have not been adopted by the European Union or other European.

The U.S. Approach

The United States has adopted a multi-pronged strategy, driven by a number of different US entities. The different approaches are:

  • The National Institute of Standards and Technology (NIST) developed the Cyber Security Framework (CSF) 2.0, a comprehensive guide for managing cyber risks. The CSF is designed to be highly adaptable, allowing for the creation of specific profiles for different industry sectors. For the space sector, NIST has developed detailed guidance like NIST IR 8401, which applies the CSF directly to securing satellite ground segments;
  • The Cyber Security and Infrastructure Security Agency, part of the United States Department of Homeland Security, has also developed Space Cyber Security Advice. The “Recommendations to Space System Operators for Improving Cyber Security” document describes the application of CSF 2.0 in a space context;
  • NASA has developed its own technical standards (NASA-STD-1006: Space System Protection Standard) with a focus on the integrity and security of its command systems.

What does Australia do from a standards perspective?

Australia has a number of choices to make regarding the development of space cyber security standards. The choices are:

1. Simply Adopt Global Standards

The easiest option is to adopt existing international cyber security approaches, such as the ISO/IEC 27001 and the forthcoming IEEE WG P3536 cyber security standards. The issue is that the ISO/IEC 27001 has been developed from a generic information security perspective. Germany is the only country to have adopted ISO/IEC 27001 in a space cyber security context. The forthcoming IEEE WG P3536 cyber security standards have not been released yet, and as such, they are unproven and only time will show how the standards are accepted by industry and governments.

2. Align our Standards with Our Allies

Another option is to tailor our standards or adopt the standards of our allies to be interoperable with key allies, particularly the United States. This would mean basing our security standards on proven standards developed by organisations such as NIST, CISA and NASA. A key advantage of this approach is that it opens the US as a new potential market for the Australian space industry, as it would mean Australian space systems would be interoperable.

3. Australian Sovereign Space Cyber Security Development

This is the most ambitious and potentially most effective long term solution. By developing our own cyber security standards, we can create a framework that is perfectly tailored to our specific needs, including our unique geographic context, sovereign capabilities, and national security priorities. These potential new Australian Cyber Security Standards could align with Australian Security approaches such as the Information Security Manual, Essential Eight and also allow the opportunity to be harmonised against international security standards and standards of our key allies such as the USA.

The Australian sovereign space cyber security development approach raises some key concerns. This approach is the most expensive, resource intensive and time consuming. It would require significant investment in expertise, governance, and extensive Australian R&D capabilities. There is a risk that a purely Australian national standard could create barriers to international collaboration if not designed with interoperability in mind. Australia would also need to ensure its standards are robust enough to be respected and adopted by international partners.

Conclusion

Australia faces a challenge: we want to forge our own cyber security path while staying connected to the world. In the short term, should we use the standards of our allies and, in the longer term, develop our own, purpose built cyber security standards? Australia needs to ensure that our space assets are secure, that we have strong security alliances, and that Australia is a confident and influential player in the new space age.

RMIT University recently completed a research report on Space Cyber Security. The research was sponsored by the Australian Government Department of Defence’s Strategic Policy Grants Program. The report investigated Australia’s preparedness to respond to space cyber security vulnerabilities and enhance its resilience. The report’s key findings and recommendations are available here.
