by Yvette Gonzalez, SpaceWatch.Global
In a blink it seems our lives have become almost completely reliant on space infrastructure and the digital – or cyber – life that has burgeoned from it. Cyber is here and amassed the “trillions” scenario predicted only a decade ago. Weather forecasting, financial interactions, air transportation, defence, global positioning system (GPS), and communications systems all depend on infrastructure on the ground and in space. So long as they are secure, it is business-as-usual. But what is protecting these vulnerable assets, especially satellites orbiting the Earth, from cyberattacks? What measures can we take to safeguard space property and investments?
The threat is REAL!
If you think that hacking a satellite is science fiction, you’re wrong.
In fact, companies and even countries have exercised counter-space capabilities in innovative applications for quite some time, now posing a greater and greater threat to space infrastructure. Neither the space nor cyberspace industries established policy or regulation before creating systems, so they both face a rapidly developing and robust space economy. With the increasing collection of satellites in orbit to connect to terrestrial networks, the need for operational standards is dire. There are a growing number of space cybersecurity standards and regulations, such as the Committee on National Security Systems’ information assurance standards (which focus on commercial satellites that carry classified or sensitive data) and the efforts of the National Oceanic and Atmospheric Administration (NOAA) to manage licensing for commercial remote sensing satellite systems. In 2020, the United States (US) put into effect the Space Policy Directive 5 which was a set of comprehensive principles or minimum standards for space. But what long-reaching enforcement will this take?
Space assets collect and transmit more and more valuable data, hence attracting non-state actors or adversaries to carry out counter-space cyber operations. Cyberattacks are likely to continue happening, so preventing and managing cybersecurity threats is a top priority.
Why we should care
Considering the current level of protection, disrupting or interrupting a service does not necessarily require the resources of a national government. Ransomware is a very efficient way hackers monetize on a cyberattack. Easy access along the supply chain, including open-access software and various components flown on a given spacecraft, leaves actors with endless unknown entry points of attack. Hardware is another readily accessible target. Outsourced manufacturing is in high demand with minimal monitoring or oversight. Making components and subsystems a blind spot.
A cyberattack in space can have potentially dramatic and damaging consequences. If a space operator were to be sabotaged, it would be akin to a 9/11 event for the space market. Investors and end-users would lose trust in the space eco-system and market, ultimately detrimental to existing businesses and the future of the industry.
Dangers in LEO, where it is increasingly crowded (see our SpaceWatch.Global article on orbital debris) leave deep concern for commercial missions as they now represent the majority of the spacecrafts in orbit. Dual-use actors and institutional missions (e.g. Galileo) are more protected, but their investment and solutions do not transfer to commercial space, nor is it within their mandates.
With the market evolution, satellites are becoming more connected, becoming more intelligent with advanced processing on board, hosting more advanced payloads to capture sensitive data, and carrying more software-defined missions. All making the attack surface larger, growing the dependency on third parties (such as ground segment as a service, satellite as a service, cloud services) which makes it even more difficult for an operator to have the complete control or overview of its own architecture.
A complex and unusual topic for space sector engineers
Cybersecurity is a complex and transversal topic as it encompasses all aspects of the value chain of a space system. It includes satellites themselves, ground stations, mission control, cloud, and software. Space sector engineers may not always have an education in security: a topic absent from engineering programmes. This aspect only adds to the fact that satellite systems and infrastructure are trailing behind in terms of cyber prevention, mitigation, and resilience.
The issue of EU sovereignty
The US are seemingly ahead on the cybersecurity front. They host conferences dedicated to security (CYBERSAT), have hacker competitions (Hack-a-Sat), and have significant government investments from the likes of Defense Advanced Research Projects Agency (DARPA) and NASA.
China is leading the charge on the quantum race. India is quickly catching up. Sovereignty is a key concept for security matters. Given the stakes are so high, space actors, policy makers, military actors, and users alike cannot afford to depend on other powers to secure critical infrastructures, sensitive data, and, ultimately, market competitiveness.
CYSAT’21: the first European event on security for commercial space
Space and security have operated predominantly in their own lanes. Slowly but surely they are aligning efforts and learning how to work together. This has to be the way forward to safeguard the space market.
From March 17 – 19, 2021, CYSEC will host the CYSAT Davos 2021 (CYSAT’21) event which aims to close the gap between these communities of security researchers, ethical hackers, space engineers, policy-makers, and decision-makers. CYSEC SA, in partnership with AP-Swiss, wants to give the European space community the opportunity to learn, share, and connect on the topic of cybersecurity by bringing stakeholders together for a three-day event. CYSAT’21 will be the first edition of a hybrid event based out of Davos, Switzerland.
We intend to foster a forum of exchange, education, and learning amongst these stakeholders. By bringing security professionals (a few have published research on satellite vulnerabilities), ethical hackers (such as members of SolarWine, a team that participated in the latest Hack-a-Sat), engineers, industry experts, operations managers, industry leaders (Airbus, Telesat), innovators, institutions (ESA, GSA), venture capital teams, and legal experts to the same table, we will facilitate a dialogue to understand cyberattack risks and the solutions to prevent and mitigate them.
Innovations: a long shot for both attack and defence
Innovations will be key to ensuring Europe’s space cyber security, sovereignty, and competitive sustainability in the market.
Solutions and topics can be complex and extremely technical, and often with a long time-to-market roadmap, not well-suited for the rapidly evolving commercial space timeline, and limited budget.
We look to the threat of quantum with the quantum computer. As a solution, quantum key distribution (QKD) could be explored to offer a secure method to implement cryptographic protocol.
Other tech solutions will also be considered. For example, artificial intelligence for detecting anomalies and blockchain for data integrity. But the question remains, when will this all be available on the market? How long will adoption of these solutions take? What is the real road to cyber sovereignty?
In a 2019 Aerospace Corporation paper, Defending Spacecraft the Cyber Domain, they introduced critical areas in space systems that need to be protected against cyberattacks: space; ground; link; and user. This highlights that solutions for the ground segment is just as pivotal in securing the space market. Malware has the potential to infiltrate systems on the ground, disrupting links in communication and leaving untrusted sources unverified.
No commercial solutions on the market today
Not only are commercial space operators lacking in-house cyber security expertise, security experts being already on high demand, but are difficult to recruit. Security professionals often specialize in niche areas and very few take into account all the specifics of a space mission or look at security from the architecture level.
In addition, off-the-shelf solutions available to space operators for ground segment infrastructure exist, however, are not widely used because of lack of awareness or other limitations. In addition, on-board solutions ensuring that all sensitive data and cryptographic operations can be trusted are even more limited today.
Switzerland is ranked as one of the most innovative countries on Earth. Cybersecurity is a national priority and the nation boasts an industrial ecosystem dedicated to the space market. According to an article published in July 2020, Swiss startups are among the most venture capital-backed in the space industry.
As a team comprised of leading security architects, experienced cryptographers, ethical hackers, cloud security engineers and embedded systems security engineers, CYSEC is equipped to deliver agile confidential computing solutions for the most complex IT infrastructures, being on premises, in the cloud, on the edge and beyond.. For the space market, CYSEC is the first to offer “ARCA Space”, a plug-and-play and easy-to-integrate end-to-end protection for space assets and data, specifically designed to accommodate the requirements of commercial missions. Founded in 2018, the Swiss company already managed to be selected for the ESA Business Incubator and count prestigious names such as the European Space Agency (ESA), Astrocast, the Swiss Space Office or ClearSpace among its client portfolio. The company also announced a strategic partnership with Milan-based LEAF Space to secure its ground segment as a service offering.
You can learn more about CYSEC at https://cysec.com/space
Click here for the full programme.
To register for the upcoming CYSAT’21 cybersecurity event on March 17-19th, click here.
 Space News. Startups in U.K., Switzerland, led Europe in space investment last year. July 22, 2020. https://spacenews.com/startups-in-u-k-switzerland-led-europe-in-space-investment-last-year/