How To Tackle The Space Sector’s Cyber Challenge
It is difficult to protect terrestrial infrastructure from digital intrusion: just ask Kaseya and its customers, or the Colonial Pipeline Co. In space, some cyberdefense challenges are amplified, while others may become easier to tackle. Nonetheless, the stakes are high.
Space may not yet be routinely regarded as an industrial sector as critical to societies as food, oil, finance or defense, but these sectors and many others are heavily reliant on space-based systems.
- Group advocates for seeing space as a critical industry
- Members seek common standards for securing ground systems and satellites
- Industry has grown past “security through obscurity”
“When we talk about a critical sector, we’re talking about economic impact,” says Frank Backes, senior vice president of Kratos’ space federal division. Backes is also the chair of the Space Information Sharing and Analysis Center (ISAC), a nonprofit membership organization co-located with the U.S. National Cybersecurity Center in Colorado Springs.
“Without space systems, there’s a lot of critical capability that couldn’t be delivered the way it is today,” he continues. “Communications, obviously, is one; but if you look at precision timing, navigation, weather—the world relies on space systems.”
The word “systems,” is key. The element that differentiates the sector from other infrastructure is that they are only one part of an overarching system that has a considerable terrestrial footprint.
“You have to look at the ground side as well,” says Rick Greenwood, head of operations and engineering at the division of Airbus in the UK that provides the country’s Skynet military satcom network. “It’s pointless if I’ve got a brilliant spacecraft to command if my satellite control center is vulnerable to cyberattack. The ground side is equally important—in fact, you could say more important because it’s easier to attack the ground segment.”
In aviation, the cybersecurity headlines tend to be dominated by fears of hackers taking control of an aircraft in flight. Yet, the vast majority of the sector’s exposure to digital threats is found on the ground. The same is true with space.Direct interference with an orbital vehicle is a danger that cannot be ignored, but it is an issue that is dwarfed by the scale of the challenge of securing the parts of the system that never leave Earth.
“We’re going to be building global 5G satellite-based networks, which will be connected to global cloud infrastructure,” says Sam Visner, a technical fellow with the Mitre Corp., an adjunct professor of cybersecurity at Georgetown University and a member of the Space ISAC board. “The big 5G operators in space have announced relationships with global cloud operators, which in turn will be connected to global infrastructure, including transportation infrastructure, energy infrastructure and agricultural infrastructure.
“Look at a farm today,” he continues. “A farm has a lot of GPS-guided autonomous equipment that is used to cultivate food. So, agricultural systems depend on space. And these agricultural systems have a lot of embedded IOT [Internet of Things] devices, which will be connected, eventually, directly to 5G networks, some of which will be supported from space. The attack surface will be enormous.
“Now, I’m not saying this is all a bad thing. It can be a very good thing,” Visner says. “But to the extent that space systems are also connected to these global infrastructures, it means that space systems will have an attack surface that is thereby enlarged through that connectivity. The space industry understands this, I think, and is trying very hard to get in front of this challenge.”
The Space ISAC was established in 2019 and has not yet reached full operational capability, but it is coming online at a pivotal point in the space sector’s evolution. Until relatively recently, the high costs of entry and low replicability across projects and programs offered spacecraft programs a measure of security through obscurity. Their unique combinations of hardware and software presented a high barrier to would-be adversaries, with the results of a successful intrusion largely limited to exploiting one system.
“The hardware is unique. You can’t go and buy components from Cisco and throw them on a spacecraft because they don’t have the robustness that’s needed. So everything is custom,” says Bruce Jackson, founder of the aerospace cybersecurity consultancy Air Informatics. One of the clients is NASA, with whom he is working on security for the Lunar Gateway space station. “But that also means none of the existing cybersecurity components in software are readily available, so you have to build them from scratch. And the problem is, a lot of systems have been put up with no substantial security built in. They’ve tried to bolt it on, and that has been inherently challenging because a lot of spacecraft designers haven’t done this before and we don’t have a common set of requirements.”
As large constellations are built and launched, often by new entrants to the aerospace industry, the task of adopting robust standards and sharing best practices will be vital to ensure resilience of the systems and assure the provision of the services that become essential to global populations.
To this end, the Space ISAC is actively engaging with spacefaring entities regardless of commercial or geographic background. In June, Microsoft joined as a founding member alongside Lockheed Martin, Northrop Grumman, Kratos and others. If all goes well, established aerospace contractors, Silicon Valley neophytes, academic institutions and research bodies—such as Mitre—will all be able to learn from each other.
“We don’t want everybody to go all the way over to mission assurance and the in-depth processes that have been in place for years within government,” says Ed Swallow, The Aerospace Corp.’s civil systems group senior vice president and a Space ISAC board member. “The way [consumer tech companies] do things makes good financial sense, good operational sense and good customer sense for them. But they need to be at least cognizant of the impacts [those approaches] are going to have.”
“A system has a series of verticals, where [designers] deal with flight software and command/control and network architecture, but cybersecurity has to go across all of it,” Jackson says. “Blue Origin, SpaceX or Microsoft are aware of this. They have a long history, they’ve been targets for all variety of threats, so it’s more a part of their culture. Hopefully, that will factor into the design more effectively.”