Space Is Cybersecurity's New Frontier
Two nonprofits address the cybersecurity needs of the commercial satellite sector.
Amid growing fears that U.S. military reliance on civilian space infrastructure might prove a weak point, two organizations are seeking to improve cybersecurity in the burgeoning satellite industry. The Orbital Security Alliance has published a detailed set of cybersecurity guidelines for commercial satellite operators, which aims specifically at smaller, newer companies in the fast-growing “minisat” sector. The Space Information Sharing and Analysis Center is bringing together satellite industry giants such as Kratos, SES and Lockheed Martin to share real-time cyber threat information and collaborate to discover and fix vulnerabilities in satellite software.
The two organizations highlight the need for new thinking about the security of U.S. space assets, especially given the increasing dependence of the U.S. military on commercial satellite capabilities, military officials say. “When I’m using something that wasn’t designed and built for me and may not be operated by me, how do the rules change? How does our mindset have to change?” Robert Vick, program manager for the Space Protection and Response Program at the Air Force Research Laboratory, asked at a conference in Reston, Virginia, late last year.
In particular, increasing reliance on civilian satellites has raised concerns that adversaries might try to hack into the computer software that controls U.S. space infrastructure—not only in the satellites themselves on orbit but also in their launch vehicles, ground stations and even the factories where they are designed and assembled.
“The cost to attack a space-based asset through a cyber attack is orders of magnitude smaller than through a kinetic attack,” notes John Sheehy, vice president for sales and strategy at cybersecurity firm IOActive.
He would know. In 2018, his firm found that many of the satellite terminal devices operated by ships, commercial aviation and even the military were built with poor software engineering and security practices, such as hard-coded credentials, administrative backdoors and nonsecure protocols, he says.
Alarmingly, little consideration appears to have been given to the issue, according to a study last year by The Aerospace Corporation, a federally funded think tank. “The vulnerability of satellites and other space assets to cyber attack is often overlooked in wider discussions of cyber threats to critical national infrastructure,” the authors of “Defending Spacecraft in the Cyber Domain” state.
Worse yet, requirements or standards for cybersecurity for the majority of commercial satellites do not exist, a void that’s getting larger every time a new private-sector rocket launches, they add. “Commercial satellites do not require the same level of [cybersecurity] governance as satellites in the DOD [Defense Department] and civilian [government] sectors, and they do not have standardized security,” conclude the authors.
The Committee on National Security Systems draws up information assurance standards for commercial satellites that carry classified or otherwise sensitive data; the National Oceanic and Atmospheric Administration manages the licensing for commercial remote sensing satellite systems, which includes information assurance requirements.
“But for everyone else, there’s nothing, very little guidance, and no requirements or rules at all,” says Harrison Caudill, director of the Orbital Security Alliance (OSA). He founded the nonprofit to develop cybersecurity standards for the space industry and to lobby to make the standards compulsory.
As space becomes more crowded and contested, even those space assets not providing services to the military become part of the national security equation. For example, if hackers can commandeer a satellite successfully, its propulsion system could be used to crash it into another satellite, he explains.
Caudill calls cybersecurity in the sector “a national security nightmare. …We are transitioning away from this world, this ecosystem, where you have a very small number of highly professional, capable and experienced players working in close concert with the national security [establishment] to a world where space is accessible to everyone” who can raise $50,000 to put a small satellite into orbit, including “hobbyists and high school science teams,” he points out.
OSA’s recent guidelines “are intended to put a stake in the ground and say, ‘This is what a real solution would look like,’” he explains. They’re designed not for Lockheed Martin but for the startup that has the venture capital to put a few satellites into orbit.
The guidelines cover a range of “immediately deployable solutions” for various elements of the space sector, ranging from the telemetry, tracking and control (TT&C) systems that guide satellites to the onboard computing and supply chain issues. For each element, the guidelines seek to identify and map across established relevant cybersecurity standards.
For example, for TT&C systems, the guidelines suggest applying the cybersecurity measures recommended for users of the Society for Worldwide Interbank Financial Telecommunications (SWIFT) international computerized banking payments system, where physical tokens and standalone dedicated PCs that are not web-enabled are used for multifactor authentication. “We realized that the SWIFT network really is a remarkable analogy for the TT&C link to a spacecraft,” recalls Caudill. “It is the nervous system.”
And that’s not the only set of industry guidelines that can be mapped over to the space sector. To secure its supply chain, the guidelines recommend that space companies look to the standards employed by the nuclear power industry. OSA concluded that “the physical security standards from the nuclear power industry would actually be overkill [for the space industry], but the supply chain standards would be about right,” Caudill explains.
“There is, in fact, a large body of well-understood cybersecurity guidelines, standards and best practices,” he continues, saying the OSA guidelines seek to leverage that “wealth of experience that can help implement [security measures in a way] that has been shown to be reasonably secure, even against state-sponsored attacks.”
It was just such a series of sophisticated, apparently state-sponsored cyber attacks against major legacy satellite operators that prompted the launch of the Space Information Sharing and Analysis Center (Space ISAC), according to Frank Backes, senior vice president, Kratos Federal Space.
The nonprofit, based at the National Cybersecurity Center in Colorado Springs, Colorado, joins 21 other ISACs that enable competing companies in an industry sector such as financial services or telecommunications to cooperate in defending their businesses from cyber attacks and other threats.
Satellite industry executives took the initiative to form the Space ISAC after realizing hackers were targeting their companies, Backes says. Disturbingly, the attackers didn’t seem to be trying to steal technology but rather to understand it. The hackers’ goal appeared to be “to understand the methods and the procedures being used to develop space systems so that vulnerabilities could be found, analyzed and ... exploited,” he explains.
Whoever was behind the attacks, Backes relates that “the kind of people who would be exploiting space systems of this type most likely would be much more sophisticated than your average hackers, and the reasons for doing it might be nation-state sponsored.”
Space ISAC says it enjoys the support of the White House and other agencies. It is lobbying to have space declared a sector of critical national infrastructure alongside two dozen other industries, such as electric power and information technology, which are considered vital to the daily functioning of the U.S. economy, Backes says.
And like those sectors, space is subject to its own set of unique constraints and limitations when it comes to cybersecurity, explains Kevin Coggins, vice president, Booz Allen Hamilton, one of the Space ISAC’s founding member companies.
“The challenge with space is that you want the lightest satellite you can have, you want the least complex satellite you can have, and you want the most affordable design process you can have,” he says. But that means additional software or hardware elements for improved encryption or cybersecurity might be “jettisoned.” In the increasingly crowded and competitive space market, Coggins explains, “Your launch weight really matters, because that translates to your launch costs.”
Even the companies that are cybersecurity conscious are “doing it in a cost-constrained way,” he warns. “They’re thinking minimal cost to get capability on orbit. Minimum viable product … they’re racing to profitability.”
The Space ISAC’s first goal is a web portal through which members can share information about new cyber threats. Reports will be vetted by National Cybersecurity Center analysts before being distributed through the portal, which is slated to be up and running by spring. It’s a model similar to that of other ISACs, for example the information technology sector ISAC, which the Department of Homeland Security (DHS) endorses.
The portal will be unclassified, but Backes says the Space ISAC will leverage procedures the DHS has developed with the information technology ISAC to share unclassified information based on secret intelligence reports. If classified information about vulnerabilities is “broken down into individual components, some of them [will be] unclassified,” he explains.
The organization also plans to launch a space systems vulnerability laboratory “where analysts from the National Cybersecurity Center and Space ISAC members can collaborate and gain expertise in protecting space systems,” Backes related in prepared remarks to a meeting of federal officials he briefed about the ISAC in January.
No details of the planned laboratory were immediately available, and it’s unclear whether there would be any role for third-party researchers in the proposed lab. But Backes says that in general, the ISAC would welcome input from white hat hackers. “If those researchers are willing to share that information, we would absolutely want to be a mechanism for sharing that out to the community,” he states.
Shaun Waterman is an award-winning reporter and editor who has worked for the BBC, UPI and POLITICO. He is currently freelancing covering federal information technology, cybersecurity and homeland security.