In the coming months, the U.S. Space Force’s Space Systems Command (SSC) is to begin testing cybersecurity qualification of commercial satellite communication offerings (COMSATCOM) under the service’s Infrastructure Asset Pre-Approval Program (IA-Pre), SSC said last week.
“Our office will begin accepting IA-Pre applications for a limited number of assets to perform assessments,” Jared Reece, a program analyst in the solutions branch of the Commercial Satellite Communications Office (CSCO), said in a May 26 statement. “IA-Pre’s roll-out signifies reaching another vital milestone for COMSATCOM mission assurance, and to counter near-peer adversaries’ cyberattacks that can negatively impact commercial satellites, which the U.S. military increasingly relies on for communications.”
While CSCO plans to give cybersecurity feedback over the summer to that small number of companies on their COMSATCOM products, CSCO will begin the cybersecurity assessments in earnest this September. By September 2025, CSCO wants to transition fully to IA-Pre.
The IA-Pre cybersecurity initiative “replaces a self-assessment process where commercial companies wanting to do business with DoD had previously submitted their required system information via a questionnaire,” SSC said. “The CSCO will then use this questionnaire for evaluation during the acquisition process. IA-Pre will supplant the CSCO Information Assurance Questionnaire (CIAQ) with newer requirements. It will ensure effective safeguards are applied and validated; and weaknesses are mitigated to reduce the cybersecurity risks which could impact DoD missions who use CSCO for services.”
IA-Pre may accelerate the acquisition process.
“If you’re a pre-approved [Space Force] supplier, you don’t require any additional evaluations when you’re making new submissions,” said Michael Wier, technical marketing engineer for cybersecurity at California-based Ingram Micro. “Your security posture score rides with each new submission. This means you have a much easier path to getting your submissions accepted than does a supplier who does not have that score.”
“A pre-authorized supplier has a much easier path to a contract,” he said. “That’s going to be really key, if you want to stay in this COMSATCOM business, and you’re a supplier, to get this done so you have a fast track in there. Those that still have to do project-by-project authorizations are probably going to be quite slow.”
The Pentagon Chief Information Officer and the National Security Agency (NSA) were to launch IA-Pre in January this year (Defense Daily, Oct. 8, 2021).
IA-Pre is to use third-party auditors certified by the Space Force Security Controls Assessor for the evaluation and cybersecurity scoring of satellites and end-to-end architectures.
“As industry progresses through the IA-Pre Program, the U.S. Space Force Authorizing Official (AO) will review their cybersecurity assessment results for approval,” SSC said on May 26. “CSCO will then place the industry partner and the assessed assets into an approved platform list. The industry partner will no longer require a cybersecurity evaluation prior to award of a contract for covered assets.”
CSCO said that it expects the first AO approvals next January and that “proposals for contracts will continue to be accepted using the CIAQ until that approach sunsets on/about September 2023.”
“At that time a rapid IA-Pre transition program will be put in its place for industry partners who have yet to achieve IA-Pre approval,” per CSCO. “Industry partners are encouraged to begin contacting CSCO for more information and to coordinate the next steps for transitioning to IA-Pre.”
Cybersecurity for commercial satellites and their ground systems looks to be of significant importance for the U.S. military in the coming years, as the Pentagon relies more on commercial systems.
On Feb. 24, Russian hackers using AcidRain malware disabled modems for Viasat Inc.’s [VSAT] KA-SAT satellite. Those cyberattacks affected thousands of Viasat customers in Europe and North Africa, Viasat said.
“The cyberattack took place one hour before Russia’s unprovoked and unjustified invasion of Ukraine on 24 February 2022 thus facilitating the military aggression,” the European Union (EU) said on May 10. “This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU member states.”
“This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine,” the EU said. “Cyberattacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk.”
Viasat said in March that, due to the Feb. 24 cyberattacks, “tens of thousands of modems that were previously online and active dropped off the network, and these modems were not observed attempting to re-enter the network.”
“The attack impacted a majority of the previously active modems within Ukraine, and a substantial number of additional modems in other parts of Europe,” the company said.
Before Russia’s invasion, Viasat “provided fixed broadband services through a wholesale distributor to a very small number of subscribers in Russia through our KA-SAT satellite,” per the company’s 10-K released on May 31. “In response to the invasion, we terminated these services. We have no active fixed broadband customers in Russia, are not supplying new products or services to customers located in Russia and have no planned infrastructure projects in the country. Although we continue to provide fixed broadband services to users in Ukraine through our KA-SAT satellite, these services are provided by third party wholesale distributors, and we have limited exposure to revenue generation in Ukraine.”