By Mathieu Bailly
The least we can say is that 2022 has been an eventful year on the world stage, and without a doubt, space took a major part in the headlines. From global environmental challenges to the sudden perception of a war fought in Europe’s backyard, the space domain and its technology have suddenly reached a level of public awareness and public utility never experienced before. What have we learned from the year that has just gone by, and what still needs to be addressed?
Satellites are not only used for science and exploration
The rise of satellites to celebrity stardom started in February 2022, when for the first time a commercial satellite operator, Viasat, was successfully attacked by the state of Russia, shutting down not only the satellite communications used by the Ukrainian army but also impacting civil applications in France and Germany. The Viasat attack was a reminder to all civil players, commercial and institutional, that cyber threats on space systems are no longer theoretical. Shortly after, the world realized the power of Earth observation imagery when commercial operators released daily images showing in great detail, and in near real-time, the evolution of the conflict as well as numerous pieces of evidence of the atrocities committed by the Russian army.
The war in Ukraine has been an eye-opener for the public, which has realized that satellites are not only good at science and exploration but also form a critical infrastructure that is subject to digital and physical attacks and should be protected adequately.
Member States need to invest in cybersecurity
Space professionals discovered with dread that Russia will also go after civil missions that are supporting Ukraine in one way or another. This new situation requires a fundamental update of the “threat model” of our institutional and commercial missions and should trigger the application of “security-by-design” for all future civil missions. This means that cybersecurity should be considered from day 1, when system engineers start putting together the ground and space segments needed to operate a spacecraft.
Unfortunately, the reality today is different: most civil satellites currently in orbit carry zero, or close to zero, cyber protection, making European civil space assets vulnerable. While it is difficult to patch satellites that are in operation, many actions can be taken immediately to better prepare for future missions. To name a few:
- Space Agencies need to write cybersecurity specifications for all civil missions based on a threat model considering the entire lifetime of the mission as well as the current and future geopolitical context, assuming the worst-case scenarios.
- Universities need to include crypto and security in their aerospace programs so that engineers can understand cyber risks and include them in the risk assessment plan of the mission.
- Agencies need to draft a cybersecurity technology roadmap to identify and develop all the missing pieces of the puzzle and trigger the interest of cybersecurity companies currently not looking at space applications.
- Member states need to subscribe to the programs featuring cybersecurity and leverage synergies with their national initiatives.
- Space and security agencies need to work hand-in-hand to draft cybersecurity standards applicable to civil missions and serve as a reference to authorize the launch of any spacecraft with propulsion capabilities.
The future European Secure Connectivity program (if it ever sees the light of day) will be a great test for building a sovereign ecosystem capable of providing secure and market-competitive dual-use services. In other words, it will need to find a compromise between military-grade security that would scare off commercial users because of its added layer of complexity and no security that would put at risk significant investments made with European taxpayers’ money.
Innovation vs resilience?
Another takeaway from the year that has gone by is that all military experts were stunned by the nature of the conflict turning out much more “low tech” than anticipated. All NATO allies are consequently reworking their roadmap to accommodate this new reality. Technology is cool but it does not win a war in 2022. To some extent, this may also be a lesson learned for space. I have come across many presentations picturing the future of space as an immensely complex, interconnected system of systems (multi-orbit, multi-network, multi-layer, multi-tenant, etc.) with exciting capabilities but also representing an enormous attack surface that becomes impossible to secure homogeneously. Unfortunately, the security of a system is only as good as its weakest link. Hackers apply that mantra every day. The question is then: should we keep investing only in this vision, or should we also keep a plan B with simpler yet more resilient capabilities?
Fighting climate change starts by no longer ignoring the impact of space missions
Besides the war, the most important topic for European citizens is the fight against climate change, which is more urgent than ever. Space data are instrumental in monitoring climate change, an argument often put forward to justify funding future EO missions, and very rightfully so.
But some may say that monitoring is great as long as it does not fuel the problem. And we’re not sure today to what extent space is part of the problem. Sending satellites to space certainly does not capture carbon dioxide. The reality today is that scientists cannot quantify the impact of a space mission on climate change. For example, we don’t understand the physics behind the emissions of black carbon and aluminium oxide particles in the upper layers of the atmosphere and their impact on global warming and ozone depletion. Scientists are telling us these phenomena could be significant (even compared to today’s civil aviation emissions) but are currently unable to quantify them.
I am aware this is a sensitive topic. We do not want space to be perceived as a carbon-heavy industry and receive the same level of “eco-bashing” and finger-pointing as civil aviation. I do not believe in the approach of trying to stay under the radar and praying to remain invisible. Space tourism has already shed light on the emissions related to launches and the pressure will only increase. Sooner or later, we will need to provide science-based evidence of the impact of space missions. Are the member states aware of this knowledge gap, and are they willing to fill it by funding research?
Towards carbon accounting in the space industry
Besides the unknown impact of launchers, the industry still must find a way to quantify the impact of all the other activities necessary to design, develop, build, test, assemble, integrate, transport, re-test, re-build, re-design, re-test, re-transport, launch, commission, operate and decommission a spacecraft. Just as we do for euros, we will need these data for “carbon equivalent” metrics. This is already a reality in other industries, informing the consumer how many kilograms of CO2 a product (or a dish!) required for its production. In space, only a handful of Life Cycle Analysis (LCA) studies have been performed on a few institutional missions over the last 10 years and unfortunately, the results have always been kept confidential. In a week, the 22 member states funding the European Space Agency will meet in Paris to discuss how the taxpayers’ money should be best spent on future European space programs. Will the CM-22 encourage more transparency and the development of eco-design, carbon accounting, and LCA analysis for future missions?
Reducing the attack surface and the carbon footprint
Lastly, it is interesting to note that these two global issues have many common characteristics. Like any risk, cybersecurity and climate change remain very theoretical until people or companies become directly confronted with them. And again, in both cases, the consequences can be devastating and put people’s lives in danger. They both require urgent actions but also planning and long-term vision. They are both deeply rooted in people’s behaviours, with cyber-attacks being caused mostly by human mistakes and anthropogenic climate change by humanity’s choices. Both leave a heavy weight on the shoulders of the next generations to improve the current situation. Both could benefit from simplification. For example, fewer lines of code means a reduced attack surface without necessarily affecting the performance of the system, while there are many ways to reduce our carbon footprint without affecting our standard of living. Both require mastering the entire supply chain, the carbon price of a sub-system being known only if the carbon price of each part is known. They both benefit from more transparency: we need to put an end to “security by obscurity” by encouraging ethical hacking, common security frameworks, etc., just like the “carbon price” to pay for each mission should be public information.
The challenge of the European space industry is then very much the same as our society today: finding the right balance between the excitement of pushing technology and the necessity to minimize our carbon and cyber footprints. I believe finding such a balance can be achieved at very low costs of performance for cyber and standard of living for carbon, but it requires strong political action.
References
Miraux et al., “Environmental sustainability of future proposed space activities”, Acta Astronautica, November 2022.
Mathieu Bailly is heading the space activities at CYSEC, a cybersecurity company headquartered in Switzerland. He has spent his entire career in the space industry and started realizing in 2018 that cybersecurity was going to become a major concern. Since then he has driven the development of CYSEC products for space and is also the co-founder and director of CYSAT, the biggest European event dedicated to cybersecurity for the space industry.