While the term “space age” may have once conjured images of an “out there” intergalactic realm of spinning satellites gathering data – a world largely disconnected from our daily lives – times have changed. Satellites and terrestrial networks are nearly fully integrated, from telecommunications to GPS to reliable internet access in remote communities around the world. In 2023, the space age is deeply connected to everything we do on land. How will this impact cybersecurity? According to Danny Palmer in an article for ZDNET, “satellites and space-based services that they provide are crucial to how we operate as a modern society.” A recent World Economic Forum article predicted that “future generations of smartphones…may well have satellite messaging capabilities for emergency communications where there is no terrestrial connectivity.”
The challenges faced by cybersecurity are no longer out of this world or even out of reach. They are stitched into the fabric of our daily routines, creating significant challenges for cybersecurity that Palmer predicts are, along with space-age technological innovations, “likely to grow.” If “cybersecurity in space is going to be arguably more important than it is on Earth,” how are industries and governments responding, and what does it mean that ensuring the security of the new space race may happen on the ground, and not in the sky?
Until a decade ago, satellites weren’t launched by private companies, and the space race was largely the domain of governments, as well as a few select companies like Boeing and others, which were tightly contractually regulated. Computers and networks were not a part of the average person’s daily life, but now, appliances, laptops, smart watches, and other devices with connectivity are sold in the private sphere and used widely. The explosion in private investments in space satellites and space technology from the commercial sector (Elon Musk, Jeff Bezos and Richard Branson, for example) has changed the cybersecurity landscape, creating unique and complex vulnerabilities. The complicated security aspect is often overlooked as there are no evolving standards nationally or internationally. Whereas satellites historically received data like TV signals from Earth and then amplified and mirrored them back to Earth, software-defined satellites can be reconfigured in space. While this increases vulnerability, it also means dynamic responses can be designed to respond to emergent threats.
Satellites are “more vulnerable than people realize,” according to an article by Brandon Bailey. As satellites have become “more digitized and software-driven, the attack, surface has expanded.” Just like the internet of things (IoT), an expanded surface area means more security risks, and satellites are a combination of embedded hardware and software operation in the physically isolated environment of space, which is already challenging to monitor or regulate. The more devices originate from more diverse sources, the more chances for sabotage. The fallout from an attack could be substantial and catastrophic. For example, blocking communications with a satellite could cut off vital communications and essential services – knocking out the electrical grid, for example, or allowing hackers to infiltrate other critical infrastructures on the ground, creating havoc and conflict on a wide scale.
As noted in IDST, because “the supply chain for hardware and software is depending on multiple component parts,” it makes security liability particularly complicated, especially when some of those parts are purchased overseas from different suppliers. “Where do the roles and responsibilities of hardware manufacturers, software developers, satellite manufacturers, operators and commercial users begin and end?” This will be an ongoing question as the space race develops.
In addition to considering the traditional cybersecurity protocol of identity, protect, detect, recover, and respond, the new “cyber-resilient” definition also includes the ability to adapt, withstand, recover from, and adapt to stressors, attacks, or system compromises, some of which haven’t been seen before and cannot be anticipated until they occur. Specifically, true cyber-resilience on spacecraft might require AI and/or other kinds of machine learning to build this necessary resilience.
Brad Stone, Booz Allen Hamilton’s chief information officer, states that, “for space cyber defense, you need to understand the mission, the ecosystem, and what threats make this environment different – whether in the systems themselves or the processes used to manage those systems.” A few points of emphasis: “location matters” as defense and intelligence space systems gather information using geographical coordinates. All connections within the “ecosystem” of satellites, ground systems, control centers, and connected devices must be checked, in addition to “ageing” software that leave potential weakness in supply chains and leave satellite systems open to attack; finally, jamming (OT attack) and pinging an uplink antenna (IT attack) – both strategies that attack the ground systems and not the satellites themselves – are an ongoing threat.
An article published by the World Economic Forum asks, “Will the battle for space happen on the ground?” This seems to be the most likely scenario, as space services have become more and more interdependent with networks on Earth. These services “support essential services such as military, utilities, aviation and emergency communications, and therefore get drawn into geopolitical conflicts on the ground. This was evident in February 2022, just as the Russian invasion of the Ukraine began, when satellite modems required a hard reset to repair compromised satellites in order to deliver vital communications to Ukrainian refugees in Slovakia. According to RUSI (The Royal United Services Institute; the UK’s leading defense and security think tank), “It does sound a bit ‘Star Wars’ to say, but if you were to take control over a satellite, you could make it do what you want it to.”
Other threats include the possibility of planting an APT (Advanced Persistent Threat) into a satellite (see the January CYRIN newsletter). Although anti-satellite weapons (ASAT) are limited in scope, with a handful of countries having orbital space capabilities, they remain real threats. In addition, regulatory frameworks have been unable to keep pace with technological evolution; hardware and satellite manufacturers, software developers, operators and commercial users must be in sync and close communication to offset cyber vulnerabilities. In other words, “security by obscurity” is no longer an option, because “as space systems have continued to grow in complexity, they are often perceived as a “black box” of poorly understood but interconnected space cyber. As private companies are increasingly involved in space technologies, the risk for criminal cyberattacks increases as well.
The same cyber considerations that impact the private sector are also concerns for the Space Force, the United States’ new service about to enter its fourth year. To date, the military is one of the leaders of cybersecurity in space, planning initiatives across the space community to address cybersecurity for space systems, even in light of the absence of approved cybersecurity standards in this particular realm. With the goal of creating what’s known as “peace in orbit,” the new U.S. Space Force department is dealing with a primary battlespace that is not material, but digital, according to Josh Luckenbaugh, writing in National Defense.
Space Force, still only four years old, is concerned with how to assess cyber risks, as well as anticipate and prevent them in an ever-evolving environment. Lt. Gen. Stephen Whiting, quoted in an article from Space News, states that “the military is more comfortable dealing with physical security threats, whereas cybersecurity is a different problem that requires a nontraditional approach.” In order to increase knowledge of how to measure cyber risks, the Space Force is investing in defensive approaches to cybersecurity, versus just waiting to respond. Whiting goes on to explain that “the Space Force is now looking to add more squadrons of cyber specialists to support military units that operate communications, surveillance and navigation satellites.” Russia’s tactics in the Ukraine, when in February of 2022 they attempted to penetrate Ukrainian communications satellites in advance of the invasion underscore how these cyberweapons in space could be used to do terrible damage before, during and after on the ground conflicts.
As reported in National Defense, Space Force operators recently participated in a new training exercise called “Black Skies,” overseen by STARCOM (Space Training and Readiness Command); this exercise allowed operators to experience “a mix of live fire and constructive” training. An upcoming “Red Skies” training will focus on orbital warfare to train soldiers on combatting threats in space, followed by other trainings to improve readiness and future cyber-resilience. Cyber professionals have been commissioned directly into the Space Force industry, so one light at the end of this cybersecurity tunnel is yet more employment opportunities in the field of cybersecurity for trained professionals. Space Force will also seek to collaborate with industry partners, “setting up a commercial front door at Space Systems Command.”
At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. We continue to evolve and develop solutions with “hands-on” training and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. These tools and our virtual environment are perfect for a mobile, remote work force. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!