The United States suffers from a catastrophic cybersecurity problem with its critical infrastructure – industries that depend on satellite communications. A November wargame organized by the American Institute of Aeronautics and Astronautics demonstrated the latest cybersecurity threat in space: the ability to turn a software-controlled satellite into a space weapon. In June 2021, the director of the US Space Development Agency announced a program to connect commercial satellites with US government satellites in orbit, with the aim of streamlining data sharing. As we know from dozens of historical cyber events, including the most recent ransomware attacks, connecting systems with no security in mind is a bad idea. The next major cyber event to befall the United States could soon be a commercial satellite takeover that will impact national security.
The proliferation of satellites is happening in part through the military and civilian programs of nation states, but also because of the growing commercial presence in space. Emerging use cases include broadband internet, 5G from space, space as a service, air traffic control, space tourism and more. From a cybersecurity perspective, little is known about the degrees of separation of commercial satellites and the interdependencies of critical infrastructure or national security. For example, when we compare the 2014 hack of Sony Pictures with the recent Colonial Pipeline ransomware attack, it is easy to understand which attack had the greatest cyber-physical impact. For commercial satellite systems, critical infrastructure and national security that depend on these systems, the potential impacts are starting to wear off.
U.S. space assets represent a tempting Achilles heel, providing vital communications and data to sixteen critical infrastructure sectors. A targeted disruption of satellite communications could impact finances, healthcare, transportation, emergency services, etc. Presenting at the CyberSatDigital conference in May 2021, a senior advisor at the Department of Homeland Security confirmed that all of the more than 50 National Critical Functions (NCFs) vital to the national security of the United States depend in one way or another on space resources.
Many satellite systems work similarly, but not exactly the same. Although they have not yet been included in critical infrastructure, they are increasingly subject to hacking and manipulation, and their security is as paramount as the security of energy or transportation.
Several civilian and military satellite systems have already been hacked. For example, in 1998, hackers took control of the US-German ROSAT satellite, a deep space surveillance satellite, and aimed its solar panels at the sun to overheat them and render them unusable. More recently, in 2018, Garmin's satellite assets were targeted with ransomware, affecting the company’s operations for several days and costing the company $10 million. In 2020, Chinese hackers successfully infected computers controlling US satellites and engaged in spying on military and civilian communications. While they controlled the satellites, it was determined that they had the ability to change their positions and disrupt data flows.
Once in control of a satellite, a malicious actor can change coordinates and cause a satellite to thrust in any direction, manipulate on-board sensors, or interfere with data links and communications traffic. Hackers could also use a specialized antenna to masquerade as the satellite’s ground station to send seemingly legitimate commands to the satellite, or scramble sensors to blind them for a period of time. They could also access sensitive information while masking the attack as if the satellites were functioning normally. To have long-term impacts, an attacker can introduce a supply chain attack against software or hardware components. Finally, they could interfere with systems that deploy artificial intelligence and machine learning to avoid collisions. As of 2019, these collision-avoidance communications between commercial assets like SpaceX and the European Space Agency still took place by e-mail.
Cybercriminals know no borders; therefore, space is only an extension of their playing field. Cyber vulnerabilities of space assets vital to national security present a systemic and existential risk to society with the potential to displace entire critical sectors for long periods of time. A cybersecurity overhaul for satellite systems is long overdue. Steps taken to close the cybersecurity gap in space will require two fundamental elements. First, it will require input from technical experts, not just political jargon. Second, it will require prescriptive and obligatory language, rather than suggestive or optional language.
Any cyber attack against US space assets can result in temporary communication and service outages, loss of integrity or control, or destruction of systems. A coordinated attack could lead to denial of satellite services and could affect entire geographies or industries, as could the potential widespread impact of cloud service provider disruptions across multiple industries. In the worst case, such an attack could result in an interruption of military command and control communications.
Formal cybersecurity legislation is typically too vague to provide actionable information, or too specific to represent a dynamic threat landscape that continues to evolve over time. The incorporation of technical experts into the management of potential risks will achieve two objectives: to provide credible potential scenarios that are realistic rather than hyperbolic and to fill the gaps in the expertise of specific disciplines with collaboration between the functional experts.
The attack surface of vulnerable space objects continues to grow, with no standardized cybersecurity or protocol governing satellite technologies to date. For example, Starlink now operates 1,844 satellites in orbit, many of which are “now equipped with laser systems to communicate with each other in orbit, and less with the ground.”
To set the level, federal regulations could provide the required security controls for systems that provide critical service across the 50 NCFs vital to national security. While overly prescriptive regulations risk stifling innovation in an exciting technology marketplace, voluntary best practice style guidelines would likely be ignored without significant incentives from government or customers. Without a forcing mechanism, however, satellite cybersecurity will remain an afterthought, perhaps until the first hostile takeover.
Danielle Jablanski is a senior research analyst contributing to Guidehouse Insights’ Digital Innovations research service. She focuses on the disruptive impacts of cybersecurity, artificial intelligence, data integration and blockchain technologies for industrial applications and owners and operators of critical infrastructure.