Brussels Workshop Weighs Risks of Satellite Hacking
Experts map the dangerous new territory of cyber attacks on spacecraft.
The global economy—and especially more technologically advanced countries like the United States—are increasingly dependent on space-based capabilities like GPS and satellite communications.
“When considering our daily lives,” explained retired Canadian Gen. Robert Mazzolin, now chief cybersecurity strategist for the Rhea Group, a global engineering firm. “There’s not an operation or activity that’s conducted anywhere at any level that’s not somehow dependent on space capabilities,” he went on.
Those capabilities have fueled huge leaps in economic productivity, not to mention personal convenience. But they have also left us scarily dependent on a relatively fragile infrastructure. Satellites can be shot out of the sky. Collisions, accidental or otherwise, can knock them from orbit.
And now, it turns out, they can also be hacked.
“One of the mantras in the cyber world is that any piece of electronics ... can be attacked,” pointed out Wolfgang Roehrig, head of the Information Security Unit of the EU Defence Agency.
Roehrig and Mazzolin spoke at a virtual fireside chat moderated Thursday by SIGNAL Magazine Editor in Chief Bob Ackerman. The discussion was part of AFCEA Europe’s workshop titled “Cybersecurity in and for Space Operations.” The event brought together military and civilian officials from the United States and its NATO allies, and a number of academic and private sector experts, to map the dangerous new territory represented by the possibility of cyber attacks on spacecraft.
Speaker after speaker stressed that satellites are no exception to the rule that all technology is vulnerable to hackers. Last year, security researchers identified a series of vulnerabilities in a software package called VxWorks. The flaws meant an attacker could gain full control of the system remotely. Among the two billion or so devices on which the software was installed are almost all satellite modems.
These devices, which receive satellite transmissions and communications, are part of the so-called ground segment—the terrestrially based control stations, communications networks and launch infrastructure that satellites rely on. Traditionally, the ground segment has been seen as the most vulnerable part of the satellite ecosystem to cyber attack, explained Sarah Brown, a senior scientist with the NATO Cyber Security Centre, part of the NATO Communications and Information Agency.
Other parts of the ecosystem were seen as harder to hack. The spacecraft themselves tended to run on “Unique hardware and software” which only the people who built and ran satellites knew how to use, she continued.
But that’s all changed in the past few years. The traditional boutique, one-off, made-to-order for the military or government, satellites in high, geostationary orbits, are increasingly outnumbered by the huge constellations of small, mass-produced spacecraft, launched by the dozen by private sector companies looking to provide ubiquitous 5G phone service or Internet of Things connectivity.
These satellites don’t only use mass-produced parts, they run commodity software, too—programs familiar to hackers from their ubiquity in enterprises across the globe.
“Everything is part of the attack surface now,” noted Roehrig.
These smaller so-called “nanosats brought new attack opportunities for the bad guys,” he continued. “Increased miniaturization of course has a (technical) cost across the whole infrastructure, and often cyber is one of the victims because it requires resources.”
Worse still, he pointed out, “nanosatellites are usually managed as a swarm, rather than as a single or isolated asset. This implies that, by launching a successful attack on one satellite, an attacker could gain control of the entire swarm.”
Over the next few years, five times as many satellites will be launched as have been put into orbit since the first-ever human-manufactured satellite, Sputnik, in 1957.
Moreover, Roehrig argued, the explosion in the number of different players in space—nations and companies new to the orbital game—presents risks of its own.
“Many non-EU countries, with relatively little experience in space have launched nanosatellites, mostly for civilian programs,” he outlined, “In some instances, this lack of experience raises some doubts about the resilience (of their infrastructure) to attacks in general and especially to cyber attacks.”
One other trend that has increased the cyber risks to the space sector, according to Gordon “Skip” Davis, NATO’s deputy assistant secretary-general for defense investment, is the increasing mutual reliance of space and cyberspace. Satellites need a communications channel to reach users on the ground. In turn, ground-based IP networks often rely on satellites to ensure connectivity in very isolated, remote or hard to reach areas.
“NATO recognizes that the effective employment of space-based capabilities depends on the secure access, protection and use of cyberspace and the electromagnetic spectrum,” Davis said. Indeed, he suggested that NATO, which has no space assets of its own, could best assist with securing the sector by focussing “on the security and defense of cyberspace, through which space support is delivered, received and shared.
”We must understand, identify and defend or mitigate the mutual vulnerabilities created by this continued integration of space and cyberspace capabilities … and operations,” he concluded.
Shaun Waterman is an award-winning reporter and editor who has worked for the BBC, UPI and POLITICO. He is currently freelancing covering federal information technology, cybersecurity and homeland security. He can be reached at WatermanReports@gmail.com.