The NRO’s Jeremy Mucha addresses the CyberSat conference on Tuesday.

RESTON, VIRGINIA — The National Reconnaissance Office (NRO) is moving to a zero trust/defense in depth cyber protection schemata for the agency’s satellites, an NRO official said on Tuesday.

“Whereas in the past the government was really the main tenant of air and space, that equation has flipped,” Jeremy Mucha, the NRO’s technical director of national communication systems, told the CyberSat conference in Reston, Virginia, on Tuesday. “For us–the government–we’re still grappling with that, to be perfectly honest, and how we manage and secure our systems. This has really caused us to evolve and think about everything as an IT system.”

Included in that, for example, are NRO desktops and data centers, the agency’s cloud hosting, and on-orbit transport.

“We’re approaching a convergence of that terrestrial and space-based transport,” Mucha said. “It used to be that encrypting your mission link, encrypting your band link was pretty hot stuff. Those days are long gone. Viewing our space assets as IT systems means we’re adopting the zero-trust, defense in depth mantra. Perimeter defense is gonna fail because you have to assume that somebody will get through the perimeters, if they keep banging on the doors. That leads to a defense in depth.”

There has been some movement on the latter. For example, RTX said last year that it had formed a strategic partnership with SpiderOak, a provider of cybersecurity solutions for space systems, to develop and field new zero-trust systems for satellite communications in proliferated Low-Earth Orbit (pLEO).

Both the Space Force’s Space Development Agency and the NRO have been moving out on pLEO constellations.

Last month, a SpaceX Falcon 9 launched NROL-167 — the NRO’s fourth pLEO mission in what the agency said will be “the U.S. government’s largest satellite constellation in history.”

By the end of the year, the NRO plans to have put more than 100 satellites into orbit since June 2023, NRO Director Chris Scolese said in August.

On the satellite cyber security front, Mucha said on Tuesday that “there’s a lack of supply chain traceability, in some cases, and so we’ve really gotta start treating our space architecture and production the same as we do our ground architectures and production where we have full traceability and bake in those cyber security tenets up front in manufacturing and production and not try to bolt them on later.”

The NRO is part of a space cyber security working group that focuses on the White House’s 2020 Space Policy Directive-5 and the 2012 Committee on National Security Systems Policy-12 document, which requires satellite operators to have command and telemetry security systems approved by the National Security Agency.

The zero trust satellite cyber security effort leverages the Aerospace Corp.‘s Space Attack Research and Concept Analysis (SPARTA) matrix, started in 2022, and the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) data base, begun in 2013, of more than 200 cyber attacker tactics, techniques and procedures.

A “marriage” of the ATT&CK and SPARTA tools “is shedding all kinds of new light on threats to our space IT systems and mitigation techniques to prevent the adversary owning our satellites,” Mucha said on Tuesday.

This story was first published by Defense Daily