Threat Mitigation Considerations
The space system designer, given a portfolio of credible threats, is tasked with developing threat mitigations capable of delivering the required resilience in a contested environment. The designer does not have free rein: cost, schedule, and performance constraints must be met in addition to the resilience requirement(s). Hence the desire to consider the widest range of mitigation alternatives, to assure the most effective and efficient means of meeting all of these requirements. On the surface many of the mitigations may seem obvious, and in the past certain other design constraints severely limited the mitigation alternatives. However, as technology and cost efficiency have improved over the decades, the range of available mitigations has only widened. As a result, it becomes more important to consider how best to select the optimal set of mitigations to meet the overall set of requirements.
There are two categories of mitigation relevant to the designer: local and global mitigation approaches. The local mitigation is more common and generally provides mitigation against one type or class of threat. An example is a circuit design technique that mitigates the System-Generated Electromagnetic Pulse (SGEMP) generated by a nearby nuclear event. These local mitigations generally address one or more specific targets within the system that are matched to the threat(s). The global mitigation is one that is achieved through the system’s architecture or configuration and often delivers architectural robustness. An example is the use of highly distributed space architectures, such as so-called proliferated LEOs, that minimize the system performance impact of losing one or more satellites. In this case system robustness is provided by the global design approach.
A further consequence of this duality of approaches is that threat mitigations can also be divided into those that are largely physics-based and those that are effects-based. In the former, the design of the mitigation is strongly influenced by the knowledge and characteristics of the specific threat (e.g., nuclear blast). In the latter, such as a distributed architecture, the system delivers its robustness (and resilience) independent of the specific threat that rendered one or more satellites unusable. It does not matter, at least immediately, whether the satellite was disabled by a cyber threat or an anti-satellite projectile. The effect upon the system is the same. It is important to gather information about the threat to further protect the system, but the direct effect is the loss of a node.
Effects-based mitigations are often used in systems that employ many nodes, such as terrestrial communications networks, including the Internet. To be sure, the Internet features a number of local mitigations, particularly against cyber threats, such as firewalls, but much of its resilience is due to node proliferation and path redundancy. Routing algorithms quickly and efficiently route traffic around dysfunctional nodes. Originally developed for digital telephony to mitigate reliability issues, these types of mitigations also work very well to provide resilience, as again the loss of a node is a loss regardless of whether it failed or was disabled by an external threat. As a result, many effects-based approaches can be applied to increase resilience against a wider range of threats. This is an important consideration from a design point of view, as each mitigation has a cost. The cost of employing multiple mitigations for multiple threats can add up, when other approaches may counter multiple threats for a potentially lower total cost.
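The routing behaviour described above can be sketched in a few lines. This is an added example, not part of the original text: the 12-node topologies, the node numbers, and the loss causes are all constructed for illustration, and breadth-first search stands in for whatever routing algorithm a real network uses.

```python
from collections import deque
from itertools import combinations

def ring_mesh(n, skip):
    """Constructed proliferated layout: node i links to i+/-1 and i+/-skip."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for step in (1, skip):
            j = (i + step) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj

def hub_and_spoke(n):
    """Constructed contrast case: every node reaches the others via node 0."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj

def route(adj, src, dst, lost):
    """Shortest path by BFS that avoids lost nodes; None if unreachable.
    `lost` maps node -> cause, and the cause is never consulted."""
    if src in lost or dst in lost:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):
            if nxt not in lost and nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def surviving_connectivity(adj, lost):
    """Fraction of surviving node pairs that can still exchange traffic."""
    pairs = list(combinations([n for n in adj if n not in lost], 2))
    if not pairs:
        return 0.0
    return sum(route(adj, a, b, lost) is not None for a, b in pairs) / len(pairs)

if __name__ == "__main__":
    losses = {2: "cyber", 7: "kinetic", 8: "component failure"}  # constructed
    print("mesh:", surviving_connectivity(ring_mesh(12, 3), losses))
    print("hub: ", surviving_connectivity(hub_and_spoke(12), {0: "cyber"}))
```

In this constructed case the mesh keeps every surviving pair connected after three losses of mixed cause, while the hub-and-spoke layout drops to zero after losing its single relay.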
All of these mitigation alternatives are worth exploring by the system designer prior to committing time and money to one or more specific approaches.