Space race needs better cybersecurity
Things are heating up in space in more ways than one. Recently, Russia conducted an anti-satellite (ASAT) test and launched a missile at one of its old spy satellites. The explosion hurtled debris through space, forcing the crew of the International Space Station to take shelter in a spacecraft for protection. ASAT tests are a growing threat to satellites, but they’re not the only threat. Gen. David Thompson of U.S. Space Force told The Washington Post that Russia and China are launching attacks on U.S. satellites every day — using digital attacks, lasers, and radio frequency jamming.
The rise in satellites, rockets and shuttles is creating an expanded attack surface. Just like transportation, energy, and other vital industries, space systems need protection. And while we probably won’t see civilians launching into space anytime soon, Blue Origin and Virgin Galactic are making such travel more feasible by the day. A proposed bill in the U.S. House of Representatives — the Space Infrastructure Act — would designate space as a critical infrastructure sector. It would be a good first step.
Given how much equipment is in space and how dependent we are on it, it makes sense to classify it as critical infrastructure. There are more than 6,500 satellites in orbit; a record 1,283 launched in 2020 alone. They are integral to cellular communications, Global Positioning System (GPS) navigation, monitoring weather and climate, managing Internet of Things systems for agriculture, and keeping energy and other critical infrastructure running. And this infrastructure is disconcertingly fragile.
Outages have widespread, cascading, and potentially catastrophic consequences. One disabled satellite can affect vast networks on earth, leaving regions without cellular and other services. This makes them attractive targets for malicious attackers. The risk is so great that the director of the Defense Department’s Space Development Agency has cited cyber attacks against satellites as a greater threat than missiles.
The threat is not theoretical
Attacks have been going on for many years and have recently ramped up. In 2018, hackers infected U.S. computers that control satellites. Iranian hacking groups tried to trick satellite companies into installing malware in 2019. And one report concluded that Russia has been hacking the global navigation satellite system (GNSS) and sending spoofed navigation data to thousands of ships, throwing them off course. While there haven’t been any public reports of direct hacks on satellites, vulnerabilities in ground stations have been exploited to try to alter satellite flight paths, among other aims.
There are a number of ways satellites can be attacked. Hackers could compromise ground control systems to take control of space equipment remotely or inject malware into communications between terrestrial computers and satellites. They can spoof, or snoop on communications for espionage purposes, or disrupt signals. Imagine a weather data outage during a hurricane or data glitches that lead to power blackouts or supply chain delays. The economic costs would be vast. A cyber attack on the Global Positioning System alone could cost the U.S. $1 billion a day, according to Brian Scott, director of critical infrastructure cybersecurity for the National Security Council.
Federal initiatives are a good starting point
Lawmakers in Washington, D.C., are taking notice of this fast-growing threat. The 2020 National Defense Authorization Act established a new military branch — Space Force. Meanwhile, President Biden is reviewing the first comprehensive cybersecurity policy for space systems, dubbed Space Policy Directive 5. It requires capabilities to prevent jamming and spoofing of communications and unauthorized access of equipment in orbit.
The Space Infrastructure Act, proposed by U.S. Reps. Ted Lieu (D-Calif.) and Ken Calvert (R-Calif.) this summer, is another key measure that would put space on par with other industries by classifying it as a critical infrastructure domain. This move would enable more private and public collaboration on cybersecurity for space assets.
One critical infrastructure sector that has dealt with similar cybersecurity concerns is transportation. Transportation operators that have invested in IT security measures have taken first steps, but efforts are on the rise to bolster proactive risk management that demonstrate a more complete understanding of infrastructure security. Under DHS Secretary Alejandro Mayorkas, the TSA has introduced regulations that urge operators to appoint a cybersecurity coordinator, report incidents to CISA within 24 hours, complete vulnerability assessments within information technology (IT) and operational technology (OT) systems, and develop an incident response plan based on security issues discovered.
Another critical infrastructure that has work to do is the U.S. military. The Government Accountability Office released reports in 2018 and 2021 chiding the DOD for the poor to non-existent cybersecurity protection on its most critical fleet assets, ranging from fighter jets to tanks to aircraft carriers. These systems were never designed with cybersecurity requirements. As these systems have become more networked and interconnected, the DOD has an enormous, latent problem on its hands that it’s only beginning to grapple with.
Other steps to take
These initiatives addressing cybersecurity in space are important, but more is needed to get ahead of the cybersecurity problems while the market is still relatively nascent.
- Fix the technology gaps. Satellite systems were not designed with security in mind. They have weak encryption and use legacy systems that are not easily patched or updated. And some of the navigation protocols are broken — I’ve built systems that spoof some of those protocols and discovered that it’s pretty trivial to do so with a few thousand dollars of investment. Traditional IT security solutions don’t protect the OT layers that satellites rely on. These security lapses make satellites vulnerable to hacking.
- Learn from IT security. Securing space assets is achievable, especially if we lean on the decades of hard lessons in securing IT networks. These include basics such as setting best practices like understanding your assets and observing what’s happening there to help detect attacks. Vendors should harden the code running on space systems and use the principle of least privilege for accessing the systems. These same lessons have been applied to transportation OT systems successfully. It shouldn’t take as long to get there with space systems.
- Agree on standards. This includes establishing reasonable security measures and sharing threat information, as well as developing a common cybersecurity architecture. The U.S. is in the early stages of devising cybersecurity rules for other critical infrastructure — like freight and passenger rail systems — and should get started with space now too.
- Realign incentives. Vendors and customers need more motivation to adopt risk mitigation approaches. When critical infrastructure goes out of service, millions of people can be affected. The total economic loss from these outages is orders of magnitude higher than the expenses incurred by the infrastructure operator. For example, Colonial Pipeline paid a $6.5 million ransom to get their gas pipelines flowing again, but that pales in comparison to the net effect of millions of people on the eastern seaboard who couldn’t pump gas. After the attack, we saw efforts from the U.S. government to apply regulations regarding breach reporting for pipeline systems, and we’re seeing similar efforts in the transportation sector. Federal regulations and the risk of bottom-line impact compel most companies to improve cybersecurity practices — which would benefit space technology as well.
With SpaceX, Amazon, and others launching new satellites weekly and commercial space travel on the horizon, the stakes will only get higher if we don’t work to secure these systems.
Satellites aren’t just communication equipment; they are infrastructure we rely on to keep our hospitals open, streets lit, internet on, food delivered and emergency systems working. It’s time to make security for these systems a national priority before a disaster strikes.