Satellite Cybersecurity: Are Your Assets Protected?
As space assets continue to change hands from exclusive government ownership to private companies, the satellite industry is seeing a growing need for cybersecurity standardization. This is especially important because the United States military is increasingly reliant on civilian space infrastructure such as launch vehicles, ground stations, and manufacturing factories. It’s unfortunate that cybersecurity is not a top priority for most businesses in any industry, although it should be. Just earlier this year, the U.S. has seen a cyber attack on Colonial Pipeline, forcing a gasoline shut off, and on a water treatment facility, briefly poisoning the water supply in Florida. Satellites are connected to our GPS, communication, and power grid systems, yet there is little guidance on how to protect them from cyber threats.
Cybersecurity requires resilience. Yet with the space industry’s focus on profitability, it tends to place cybersecurity low on the priority list. The main reason is that satellite weight directly correlates with launch costs making extra security software or hardware additions a very cost-conscious decision. Furthermore, the satellites themselves include a vast attack surface with many components that must work in harmony; navigation, communication channels, onboard sensors, and power generators. Isolating and combating a threat often shuts down the entire ecosystem. Other threats range from scrambling signals between ground and satellite, to malicious collisions in Lower Earth Orbit (LEO).
The market’s response to these threats comes in the form of education and guidance, but without strict requirements or a legal minimum of best practices.
The Committee on National Security Systems has a list of standards, but the document hasn’t been updated since 2014, and focuses more on protecting sensitive and classified data.
The Aerospace Industries Association (AIA) is a body of representatives from the aircraft, space, and defense industries that creates standards and represents the interests of these industries. It has also spent the last 100 years tracking the history of these sectors. The AIA has published NAS9933, an aerospace cybersecurity standard guide to help regulate the requirements for aerospace cybersecurity.
The Center for Space Policy & Strategy, along with The Aerospace Corp, a federally funded think tank, published a study in 2019 that outlined cyber threats, and combined a list of standards from the other organizations to help companies take their security practices more seriously.
The Space Information Sharing & Analysis Center (Space ISAC) is a nonprofit that’s part of another 21 ISACs from other industries that enable competing companies to cooperate in defending their businesses from cyber attacks and other threats. Members share real-time cyber threat information, and collaborate to discover and fix vulnerabilities in satellite software.
The Orbital Security Alliance has published a detailed set of cybersecurity guidelines for commercial satellite operators, focusing on newer companies in the mini satellite sector.
While the guidance is clearly out there, companies still have to decide which options to implement. The first thing all satellite companies need to do is develop a Program Protection Plan describing how information and infrastructure will be protected throughout each mission. Some details to consider include:
Ground-based security concerns are different in a pre- and post-launch environment. Physical access that is available while a satellite is on the ground will not be as much of an attack vector in LEO or GEO, but must be taken into account so the hardware is not compromised from the beginning.
Routine monitoring of communication traffic is crucial to spot deviations from the norm.
Intrusion detection and prevention should be built into the software system to alert companies if a data breach does occur. One thing that some satellite companies have adopted is “satellite honeypots”. They look like every other satellite in a constellation, but their only job is to record hacker behavior so it can be studied back on the ground and the information adapted to prevent breaches.
Supply chain risk management should be adopted and companies should work closely with their vendors to set up safety protocols to protect against malware.
A fail-safe, tamper-proof option should be available to restore spacecraft systems after detected anomalies.
Communication encryption between spacecraft, satellites, and ground stations is needed to project data. Most satellite operators already encrypt telemetry tracking & control (TT&C) with cybersecurity measures that resemble the SWIFT banking system and act as a kind of “nervous system.”
The added expenses to implement security upgrades may seem like unnecessary precautions for start-ups who are struggling to get initial funding for their missions. But they are necessary for the future success of crucial infrastructure systems. There is no such thing as perfect security, so companies just need to focus on being adaptive, prepared, and resilient, as threats and vulnerabilities evolve. The space industry should continue to share standards through private and public organizations while companies work together to track cybersecurity threats. Secure space communications will lead to secure space travel for humanity.