Our reliance on space, and especially satellites, for communications, security, intelligence, and commerce has exponentially grown with digital transformation. Unfortunately, so have the risks, as a result, the need to prioritize cybersecurity around space assets is urgent.
Last May, the Cybersecurity and Infrastructure Security Agency (CISA) announced the formation of a Space Systems Critical Infrastructure Working Group. The group is composed of government and industry members that operates under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework, bringing together space system critical infrastructure stakeholders.
According to CISA, “the working group will serve as an important mechanism to improve the security and resilience of commercial space systems. It will identify and offer solutions to areas that need improvement in both the government and private sectors and will develop recommendations to effectively manage risk to space based assets and critical functions.” See CISA Launches a Space Systems Critical Infrastructure Working Group | CISA
I was honored to address the group on the topic of Zero Trust and Satellite Communications several weeks back and was extremely impressed with their focus and recognition of the importance of cyber-securing the space frontier that directly impacts all critical infrastructure including agriculture, health, financial, and transportation.
The role of the working group is especially important as networks are changing from terrestrial (land) based communications to the cloud, taking advantage of satellites to move data over large, international distances. And there are now more satellites circling in low earth orbits in 2022 as launch costs have significantly lowered, opening the frontier of space up to major private sector launch initiatives with companies such as SpaceX, Blue Orgin, and many others. According to the Union of Concerned Scientists, at the start of 2022, there were 4,852 satellites in orbit.
THE GROWING THREAT TO SATELLITE ARCHITECTURE AND GROUND -BASED SYSTEMS
The threat to space to ground communications and sensors is very real and ominous, and the creation of the working group is an important first step in meeting threats. As NISTIR draft 8270 eloquently points out, “Space is an emerging commercial critical infrastructure sector that is no longer the domain of only national government authorities. Space is an inherently risky environment in which to operate, so cybersecurity risks involving commercial space – including those affecting commercial satellite vehicles – need to be understood and managed alongside other types of risks to ensure safe and successful operations.” See NISTIR 8270 (Draft), Intro to Cybersecurity for Commercial Satellite Operations | CSRC
Cyber expert Josh Lospinoso succinctly describes why the threat is not theoretical in a recent informative article in The Hill. He notes that “Attacks have been going on for many years and have recently ramped up. In 2018, hackers infected U.S. computers that control satellites. Iranian hacking groups tried to trick satellite companies into installing malware in 2019. And one report concluded that Russia has been hacking the global navigation satellite system (GNSS) and sending spoofed navigation data to thousands of ships, throwing them off course. While there have not been any public reports of direct hacks on satellites, vulnerabilities in ground stations have been exploited to try to alter satellite flight paths, among other aims.” See Space race needs better cybersecurity | TheHill
China also has a capability to act offensively in space, digitally and kinetically. As far back as 2014, the network of the National Oceanic and Atmospheric Administration (NOAA), was hacked by China. This event disrupted weather information and impacted stakeholders worldwide. There were approximately 14 other satellite attacks before the NOAA attack. Eight years later, China is now perceived as even more of a threat. A recent GAO report titled “Challenges Facing DoD in Strategic Competition with China” co-authored by Cathleen Berrick, GAO’s managing director of defense capabilities and management, listed recommendations for DoD [CB1] to revamp its satellite-based communications architecture and ground-based systems for the command and control of satellites. These are “actions that may better position DoD to address the challenges with China, but DOD has not yet implemented.” And she says that “space is very important because DoD, of course, relies on its space based capabilities for communications, for navigation and targeting, and for intelligence collection.” See GAO: DoD has to step up efforts in space, cyber and artificial intelligence to compete with China – SpaceNews
Washington Post Cybersecurity expert Joseph Marks provides context to the cyber threats. He says that the IT that run most space systems are complex, but the back-end systems are increasingly linked (sometimes intentionally) with commercial front-end systems that hackers are expert at cracking into. He warns that such hacks could be launched by criminal gangs that demand a ransom to unlock them or by adversary nations looking to damage the U.S. economy. Or that in a worst case scenario, hackers could disrupt the command and control of satellites themselves, forcing them to crash into each other with ripple effects across industry sectors. See Space could be the next frontier for cyber threats (msn.com)
The threat to space assets is both kinetic and non-kinetic. There is an array of capabilities adversaries may use to interfere or disable satellites and ground based systems. Satellite operations via Earth-bound entry points can offer cyber attackers with an many vectors for hacking. A weaknesses of satellite systems is the use of long-range telemetry for communication with ground stations. The uplinks & downlinks are often transmitted through open protocols that can be accessed by cyber attackers.
Dr. Malcom Davis, senior analyst at the Australian Strategic Policy Institute, summarizes these threats: “One trend is towards the development of ground-based and space-based (co-orbital) ‘soft kill’ (or non-kinetic) ‘counter space’ capabilities. Satellites could be targeted through electronic warfare (jamming and spoofing), microwave weapons, laser dazzling and, perhaps most worryingly, cyberattacks. The prospect of cyberattacks on satellites dramatically expands the scope and risk of counter space threats for several reasons. Countries like China and Russia, and even Iran and North Korea, are experienced in waging cyber warfare, and directing such attacks against satellites is something they could do now, and at relatively low cost.” See The cyber threat to satellites | The Strategist (aspistrategist.org.au)
PROTECTING SPACE ASSETS AS CRITICAL INFRASTRUCTURE
The recognition of the risks to space-based assets is not new but protecting them has not been prioritized. Bob Gourley, founder of Ooda.com and former government intelligence official captures the longevity of the issue, he said that “Since the October 1957 launch of Sputnik humans have been putting satellites into space, giving the world 60 years to engineer out problems with operating in this harsh domain. Now a new challenge has arose, one that the community has not addressed yet. This is the threat of cyber-attack. Both the on orbit and ground components of space systems have yet to fully address this threat.” The Growing Risk of a Major Satellite Cyber Attack – Via Satellite (satellitetoday.com)
Over two years ago a report by the Aerospace Corporation summed up why cybersecurity for space is an imperative: “Space systems comprise many government and commercial components where cybersecurity and space operations are inextricably linked. The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyber threats to critical national infrastructure. Neither space policy nor cybersecurity policy is prepared for the challenges created by the meshing of space and cyberspace, especially for the spacecraft. With the emerging cyber threats to spacecraft from nation-state actors, additional spacecraft defenses must be implemented.” Bailey_DefendingSpacecraft_11052019.pdf (aerospace.org)
There are numerous convincing arguments why space needs to be formally listed as U.S. critical infrastructure. Unfortunately, it has not been deemed so yet but there is promise. There is pending legislation in the House of Representatives called The Space Infrastructure Act that would designate space as the 17th critical infrastructure. Sam Visner, a technical fellow at the MITRE Corporation and former associate at the Space Information Sharing and Analysis Center, has been one of the prominent experts leading the charge for that formal recognition to have the Department of Homeland Security (DHS) declare space as critical infrastructure along with 16 other verticals.
Sam offers concrete reasons for space becoming part of the listed critical infrastructure and predicts that” the space rush will result in tens of thousands of new assets launched within the decade, which will create a ’truly enormous’ cyber-attack surface.” Sam Visner also illuminates how “legacy assets, which are nodes in space-based and space-to-terrestrial communications that can serve as potential network entry points, much as endpoints (e.g., devices, servers, etc.) do in traditional IT networks” can be exploited by adversaries. Amid Space Race, Cybersecurity And Resiliency Remain Concerns: Experts – Breaking Defense Breaking Defense – Defense industry news, analysis, and commentaryavid Logsdon, Senior Director of CompTIA’s Space Enterprise Council, is another vibrant voice in the emerging global space security advocacy community. David explained to me that many companies do not realize how integral space is for their operations and commerce. He says that many companies are already using satellite platforms to deliver data services, including satellite imagery, broadband communications, and value-added GPS services. He says that cyber-securing space assets are vital for thwarting threat that can dismantle their ability to operate as businesses.
OPTIONS FOR BOLSTERING SPACE CYBERSECURITY
In their article Space is Critical –It’s Time We Act Like It, Edward Swallow, senior vice president and chief financial officer at The Aerospace Corporation and MITRE Fellow Samuel S. Visner offer recommendations for moving forward on enhancing security for our space assets. They are both part of The Space Information Sharing and Analysis Center, or Space ISAC that outlined excellent options for addressing cyber-risk in space. Those recommendations include:
Recognize the critical importance of our space systems — and make our position known to allies, partners, competitors, and adversaries. We must harden space systems and be prepared to respond to and deter attacks.
Create a national and international information-sharing architecture for the security and resiliency of space systems, ranging from engineering best practices to operational threat intelligence. Space ISAC made notable strides in sharing unclassified information, and we need to extend our information-sharing in the classified domain. In addition, the U.S. needs to leverage Space ISAC to launch an effort encompassing the full range of national and international space industry players, from manufacturing and launch services to ground and in-orbit operations.
Establish an interagency, federal risk management structure with responsibility for space systems security and resilience that reports (at least initially) to the vice president.
Take the lead in building international consensus regarding the security of space systems and reinforcing existing norms against attacks on those systems. Article 7 of the Outer Space Treaty could be amended to make explicit prohibitions of cyberattacks against space systems. If other countries are not prepared to accept these changes, the U.S. should signal our resolve with a robust policy statement and be clear in making other parties understand our commitment to respond to perceived hostile acts. This will strengthen the security and resilience of our own systems. See Space is Critical — It’s Time We Act Like It – Via Satellite – (satellitetoday.com)
In an article in Homeland Security Today, Paul Ferrillo Esq, and I composed an article Protecting Space-Based Assets from Cyber Threats. In our article, we set forth below a non-exclusive list of security elements for defending space-based assets and satellites, along with ground-based control flight networks. We have adapted these from “Defending Spacecraft in the Cyber Domain” and government sources (please see references below).
1. Security by design – not security as an afterthought – built into every satellite from the ground up.
2. Identity and access management (“IAM”) – those accessing flight control information and surfaces need to be identified and verified by an IAM solution that will pass muster on the user using machine learning identifiers to attempt to prevent authorized access to critical vehicle functions.
3. Multi check for IoT related devices – IoT devices must be able to be updated; no hard-coded passwords should be allowed.
4. The backbone of a cyber-resilient spacecraft should be a robust intrusion detection system (IDS). The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states, anticipate and adapt to mitigate evolving malicious behavior. The spacecraft IPS and the ground should retain the ability to return critical systems on the spacecraft to known cyber-safe mode. Logging should also be available to cross-check for anomalous behavior.
5. It is critical that spacecraft developers implement a supply chain risk management program. They must ensure that each of their vendors handles hardware and software appropriately and with an agreed-upon chain of custody. Critical units and subsystems should be identified and handled with different rigor and requirements than noncritical units and subsystems and should also be constructed with security in mind. All software on the spacecraft should be thoroughly vetted and properly handled through the configuration management and secure software development processes (DevSecOps).
6. Both the spacecraft and ground should independently perform command logging and anomaly detection of command sequences for cross validation. Commands received may be stored and sent to the ground through telemetry and automatically checked to verify consistency between commands sent and commands received.
7. Protections should be made against communications jamming and spoofing, such as signal strength monitoring and secured transmitters and receivers; links should be encrypted to provide additional security.
Security elements for defending ground-based systems and network assets include but are not limited to (also from the Homeland Security Today article):
1. Adoption of cybersecurity best practices, including those aligned with the NIST cybersecurity framework (“CSF”). As academic professors and pragmatists, we both are ardent supporters of the CSF and see no reason why the hundreds of space and satellite suppliers should not adopt the NIST framework.
2. Key network components should be logically and physically separate to prevent virus-like (ransomware) attacks from spreading throughout the network.
3. All ground-based system and network assets should be required to have the following policies in place: incident response, business continuity and crisis communications plans, patching policies, BYOD policies and backup policies.
4. All ground-based space systems and facilities should be required to hold quarterly employee training for all individuals on things like spear-phishing and socially engineered email attacks.
5. All ground-based space systems and facilities should be required to adopt a fulsome vendor supply chain risk management program that touches all primary and tertiary vendors.
6. All ground-based space systems and facilities must adopt machine learning intrusion detection systems to help guard against anomalous and potential malicious activity.
7. All ground-based space systems, facilities, and space manufacturers and vendors should be required to join the Space ISAC to be able to collaborate by sharing threats, warnings, and incident information.
Josh Lopinso, in his excellent and earlier referenced The Hill article, also offers some great recommendations for enhancing cybersecurity capabilities:
- Fix the technology gaps. Satellite systems were not designed with security in mind. They have weak encryption and use legacy systems that are not easily patched or updated. And some of the navigation protocols are broken — I’ve built systems that spoof some of those protocols and discovered that it’s pretty trivial to do so with a few thousand dollars of investment. Traditional IT security solutions don’t protect the OT layers that satellites rely on. These security lapses make satellites vulnerable to hacking.
- Learn from IT security. Securing space assets is achievable, especially if we lean on the decades of hard lessons in securing IT networks. These include basics such as setting best practices like understanding your assets and observing what’s happening there to help detect attacks. Vendors should harden the code running on space systems and use the principle of least privilege for accessing the systems. These same lessons have been applied to transportation OT systems successfully. It shouldn’t take as long to get there with space systems.
- Agree on standards. This includes establishing reasonable security measures and sharing threat information, as well as developing a common cybersecurity architecture. The U.S. is in the early stages of devising cybersecurity rules for other critical infrastructure — like freight and passenger rail systems — and should get started with space now too.
- Realign incentives. Vendors and customers need more motivation to adopt risk mitigation approaches. When critical infrastructure goes out of service, millions of people can be affected. The total economic loss from these outages is orders of magnitude higher than the expenses incurred by the infrastructure operator. For example, Colonial Pipeline paid a $6.5 million ransom to get their gas pipelines flowing again, but that pales in comparison to the net effect of millions of people on the eastern seaboard who couldn’t pump gas. After the attack, we saw efforts from the U.S. government to apply regulations regarding breach reporting for pipeline systems, and we’re seeing similar efforts in the transportation sector. Federal regulations and the risk of bottom-line impact compel most companies to improve cybersecurity practices — which would benefit space technology as well. See: Space race needs better cybersecurity | TheHill
S.3511 – Satellite Cybersecurity Act
To make Space Cybersecurity more operational, it requires authorization and funding by Congress. Legislators have recognized the deficiencies and importance of satellite cybersecurity and legislation has been advanced. Bipartisan legislation called The Satellite Cybersecurity Act is “designed to assist in the development, maintenance and operation of commercial satellite systems.” Those suggestions would need to include materials addressing risk-based, cybersecurity-informed engineering, protection against unauthorized access to systems and communications jamming and spoofing, supply chain management and more. The legislations proposes that CISA would also be tasked with the role of creating and maintaining a “commercial satellite system cybersecurity clearinghouse” to house all recommendations and resources for interested entities to access in one place. See Lawmakers Propose Expanding Cybersecurity Support for Commercial Satellite Companies – Nextgov
MORE RESOURCES ON SPACE SECURITY
· Introduction to Cybersecurity for Commercial Satellite Operations NISTIR 8270 (Draft), Intro to Cybersecurity for Commercial Satellite Operations | CSRC
· Another excellent resource of the discussion of space based security issues can be found at the Atlantic Council’s Geotech Center video of Dr. David Bray, Dr. William Jeffrey, Dr. Divya Chander, and myself discussing why space will require new regulations and international norms and will create novel opportunities for industry and innovation, from transportation and satellite communications to data sharing, artificial intelligence, and national security. See Cybersecurity of Space-Based Assets and Why this is Important – Atlantic Council
· Space Information Sharing and Analysis Center Space ISAC – Space Information Sharing and Analysis Center (s-isac.org)
CompTIA Space Enterprise Council: Space Enterprise Council | Public Sector | CompTIA
· Space Cybersecurity Symposium II: Applied Cybersecurity for Space Space Cybersecurity Symposium II: Applied Cybersecurity for Space | NIST
This article is intentionally long and aside from discussing the key aspects of cyber-security space was designed to also serve as a resource. Space is an emerging and critical cybersecurity frontier that we are becoming increasingly depend on for both our commerce and security. It needs attention of the national security establishment and certainly to be integrated a priority critical infrastructure to protect by DHS CISA. DOD, the USAF, and Space Command are also initiating programmatic activities to protect space assets that are important to all domain operations. There is an urgency to move forward in a rapid, ambitious, and focused path.
ABOUT THE AUTHOR
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Programs where he teaches courses on risk management, homeland security, and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance,” by Thompson Reuters, “Best of The Word in Security” by CISO Platform, and by IFSEC and Thinkers 360 as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity” – as one of the top Influencers for cybersecurity. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic, He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.