The functioning of a large portion of the world’s essential infrastructure depends substantially on space, more especially, space-based assets. Communication, air travel, maritime trade, financial services, weather monitoring, and defense are just a few of the critical systems that significantly rely on space infrastructure, which includes satellites, ground stations, and data links at the national, regional, and global levels. This dependence presents critical infrastructure providers and policymakers with a significant, but largely ignored, security challenge, particularly in the context of cyber attacks.
Satellites and other space-based assets are susceptible to cyberattacks, much like any other increasingly digitalized essential infrastructure. These cyber vulnerabilities seriously endanger important infrastructure on the ground as well as space-based assets. These dangers could obstruct the expansion of the world economy and, consequently, compromise international security if they are not eliminated. Furthermore, these worries are no longer just conjecture. More nations and commercial entities have acquired and used counter-space capabilities in cutting-edge applications during the past ten years, posing a larger existential danger to crucial space assets.
Why are space systems vulnerable?
Many space systems date back to a time before cybersecurity was given primary consideration by policymakers. They feature flaws like hardcoded credentials, which are employed by military, commercial aircraft, and ships and make access by knowledgeable actors relatively simple. We are seeing the transition of spaceflight from a publicly funded activity to a for-profit sector. The range and scale of activity in this field will grow as more business actors can access space through commercial service providers and offer a variety of services there. By demonstrating that space exploration is no longer the exclusive purview of affluent spacefaring nations’ governments and their academic affiliates, NASA’s SpaceX Demo-2 mission, which was successfully completed on August 2, 2020, created history. NASA will no longer need to use Roscosmos exclusively to carry its astronauts to the International Space Station (ISS), which will save the agency more than $30 million per astronaut every trip. Additionally, SpaceX’s Crew Dragon spacecraft will become the first approved commercial launch vehicle. In contrast to a decade ago, current technology is now enabling states, international organizations, enterprises, and individuals to utilize space capabilities. However, the shift from a public to a commercial enterprise raises concerns about how to control the space activities of private companies. And more is more: as more spacecraft interact with people and resources on the ground, the attack surface grows exponentially. However, this poses a concern if all enterprises operating in space do not apply cybersecurity best practices.
What are the vulnerabilities?
Vulnerabilities to space systems and infrastructure vary across a range of potential attack surfaces. As the Aerospace Corporation explains there are four main segments of space infrastructure that need to be hardened against cyber attack. Spacecraft could be vulnerable to command intrusions (giving bad instructions to destroy or manipulate basic controls), payload control and denial of service (sending too much traffic to overload systems). Malware could be used to infect systems on the ground (like satellite control centers) and for users, and links between the two and spacecraft could be spoofed (disguising communication from an untrusted source as a trusted one) or suffer from replay (interrupting or delaying communication by malicious actors).
Take GPS, a technology whose precision is often taken for granted. All it takes is the production of a relatively inexpensive spoofer, and an attacker is able to command and control the uplink signal to a satellite. If the downlink from a satellite is spoofed, false data can be injected into a target’s communications systems, fooling the receiver — GPS — into calculating an incorrect position. In the near-term, these kinds of attacks will likely remain posed by nation state actors but as more communications capabilities come online via space, the group of actors could expand to well-resourced non-state actors (e.g. criminal groups) seeking financial gain.
Space-based services are strategic, therefore, not immune to geopolitical conflicts.
Space services play a crucial role in modern life, supporting critical services, including the military, utilities, aviation, and emergency communications. This makes them particularly appealing for cyberattacks, the effects which are unpredictable, especially during times of geopolitical tensions.
We learned in 2022 that cyberattacks on satellites providing services to one nation could affect that nation’s vital national infrastructure. In February 2022, right before the Russian invasion of Ukraine began, many satellite modems in Europe and Ukraine were the target of a cyberattack and rendered inoperable. As a result, global operator Viasat had to perform a hard reset in order to resume providing critical communication, including to Ukrainian refugees in neighboring Slovakia. To provide a connection for Ukrainian inhabitants, SpaceX shipped thousands of Starlink satellite internet terminals to Ukraine in March 2022.
Historically, the majority of satellites can be thought of as bent pipes in space (meaning that the uplink signal is received, amplified, converted to a downstream frequency, amplified again, and pointed toward the ground using a high-gain antenna) (meaning that the uplink signal is received, amplified, translated to a downlink frequency, amplified again, and directed toward the earth using a high-gain antenna). They gathered information from Earth, like as TV signals, magnified it, and then reflected it back to Earth. With the introduction of software-defined satellites, they are currently getting more complicated. Satellites can operate independently of one another and are designed to be sturdy and resilient. As a result, they are linked to private networks that are not directly accessible via the Internet. With the advent of software-defined satellites, satellites may now be modified in orbit, allowing for dynamic response to threats as they materialize and adjustment of space-based services in response to shifting demand.
Many more satellites are being launched into orbit as a result of the entrance of new market players, especially huge constellations of 100 or more satellites or more. Ignoring ongoing discussions about space sustainability, the sheer number of satellites in these networks allows for the creation of alternate routes in the event that a single satellite is compromised. However, because of the widely deployed terrestrial infrastructure and the commoditized nature of the satellites’ designs, there is also the potential that the satellite network might be exploited.
Unique Cybersecurity Challenges Facing Space
The space industry and technology share a lot of similarities with our terrestrial digital world’s infrastructure and perform many of the same tasks. However, size, distance, and the importance of systems and equipment operation pose the most problems. For instance, if a hacker infiltrated earth-based systems and supplied a satellite with false information, it might result in an interstellar collision and possibly bring down important communications networks worldwide.
Second, more governments and corporate groups than ever before are getting involved in space programs. The number of potential access sites for hackers grows even as the entry barrier is dropped, encouraging creativity and discovery. The primary player that needs to be protected is no longer NASA. Malicious actors now have a much wider range of potential targets, including other governments and equipment suppliers.
The development of sophisticated technology that can be used for hacking, such quantum computers, also poses a serious cybersecurity risk to the ecosystem located in space. As industries like space travel and militarization advance, hackers who are aware of the potential financial benefit of ransomware and other assaults will turn their attention to these developments. The significant lack of international cybersecurity collaboration combined with space technology creates a number of challenges that must be overcome in the coming decades.
Examples of cyber threats to space systems
The cybernetic world observatory (1), in its March 2020 study, cites four main types of cyber threats that threaten space systems:
Compromise: Compromising a system is an attacker’s ultimate goal. Indeed, once the system is compromised, it is under the full control of the attacker. In the context of space systems, the attackers will seek to compromise as a priority the systems of the Control-Command centers which pilot the satellites. Once the system is compromised, the attacker will have control over the communication network. He can then carry out several secondary attacks such as data interception or a denial of service attack. Insofar as the Control-Command centers are mainly made up of traditional IT, they are vulnerable to the different stages of the cyber kill chain. We describe below the 7 stages of the cyber kill chain:
- The gratitude
- Targeting the victim
- Payload delivery
- Operation
- Installation
- The connection with the Command and Control (C2) servers
- Data exfiltration
One can imagine a spearphishing attack, ie an attack targeting a certain population operating in the ground stations in an attempt to break into the systems of the Control-Command center. One can also imagine an attack to try to introduce a virus into the systems of the Control-Command center or into the systems of the ground stations in an attempt to compromise them and take control of them. This was the case for the Stuxnet worm which we will discuss in a future article.
Interception or illegitimate eavesdropping: The objective of an attack by interception is most of the time to carry out illegitimate eavesdropping of a signal. With the advent of Software Defined Radio (SDR ), it has become relatively easy and inexpensive to capture a satellite signal. An interception attack is carried out either for intelligence purposes or as the first step in a system compromise. This type of attack is increasingly difficult to carry out insofar as communications are now encrypted to be protected in confidentiality. In the context of an encryption that is too weak, this type of attack remains possible if the attackers manage to break the encryption.
Denial of service or DOS (Deny Of Service): The denial of service can be achieved either by jamming the signals, or by sending illegitimate packets. To do this, the attacker produces a signal that interferes with the legitimate signal. It can interfere with the downlink signal, ie that transmitted by the satellite to the ground station. It can also interfere with the uplink signal, ie that of the ground station to the satellite. In both cases, the objective is to try to interrupt the communication. If the owner of the targeted asset has the means, he could locate the source of the attack in order to launch a counter-attack to stop the attack, end the impact to regain nominal service. This type of situation often comes under electronic warfare with systems of reprisals within the framework of a conflict between nations.
Spoofing or spoofing: A spoofing attack consists of the attacker sending a signal to a target by substituting and pretending to be a legitimate source. The objective is to mislead the target in order to compromise a system. The most classic case is the spoofing of GPS signals. Unlike jamming, the target does not realize it is under attack. In the case of a GPS signal spoofing attack, the victim may thus think that he is in a different place. For the most extreme case, it is also possible to make the victim think that he is at a different instant in time since the GPS signals are also used to maintain temporal synchronization. The Cyber World Observatory cites an example of such an attack.
What are the potential impacts of cyberattacks on space systems
A cyber-attack on space systems could impact the services provided by them. We can site, for example:
- Disruption of PNT (Position, Navigation, and Timing) or GNSS (Global Navigation Satellite System) type services: These services are used by both civilian and military domains for geographic location, for example. These services also allow systems to achieve time synchronization of their clock. The antennas of mobile operator networks use this system to synchronize with each other. This will mainly be the case for 5G networks being rolled out.
- Fraudulent use of meteorological data such as the recovery of data or images.
- Eavesdropping and hijacking of communications for surveillance, espionage, or reconnaissance.
For better cybersecurity, stakeholders need to work together.
Satellite-based service infrastructures require additional stakeholders operating various components of the infrastructure as they grow more complicated and develop into full end-to-end services. It is challenging to assign responsibility and liability for the ultimate security and resilience of the provided services because the supply chain for hardware and software is dependent on numerous component parts. Where do the duties and obligations of equipment producers, software creators, satellite producers, operators, and business users begin and end?
Another factor is the inability of regulatory frameworks to keep up with the advancement of technology. This affects cyber resilience across many industries, not just space. Developing appropriate regulatory frameworks will take time, especially if they are to be internationally harmonized. Thus action must be taken now.
It is thus crucial for states to consider increased efforts and coordination. The advice that follows are particularly relevant to dependencies, dependence, security of space assets, and privatization.
Multiply efforts for cooperation
Despite currently limited results, most recently illustrated by the inability of the Group of Governmental Experts (UNGGE) on further practical measures for the prevention of an arms race in outer space (GGE PAROS) to produce a final report, cooperation should remain a priority. The junction of cybersecurity and space security should be taken seriously and certainly requires specific international assessments. Possible steps include the creation of a new group of governmental experts to provide guidance on this topic as well as the production of more working papers to build upon during international for a, such as the Conference on Disarmament. Transparency and confidence-building measures (ICBMs) or Codes of Conduct could be an alternative to a binding treaty but should not become the practical illustration of a lack of will or a weakening of institutions’ power in regulating outer space practices.
Increase the level of space cybersecurity
Actions should be taken in the interim to lessen the sensitivity of Earth-space and space-Earth interactions. One possible, if long-term, solution is the use of quantum encryption that is currently being studied by several nations. The expertise and techniques required might be an obstacle to a large0scale diffusion of quantum encryption but could at least help mitigate the risk for those with access to such systems. States with less capacities could start by an assessment of vulnerabilities and first-level corrections. National actors could also ensure that private companies launching space assets obey tough security rules in supply chains and network safety.
Reduce the influence of private actors
Another critical action to take is to reduce or at least reflect on the influence of private actors in the space domain. At the junction of cyber and space security, they are critical in providing innovation, tools, and support. However, their influence should never go beyond the authority of the state as to ensure a lack of profit-based policy decisions. This goes notably through the implementation of parliamentary auditing in space activities and cyber space activities. International institutions such as the United Nations Office for Outer Space Activities (UNOOSA) could also have an impartial mediating role in these dynamics.
Reflect on the overreliance on space assets and possible alternatives
Finally, states should conduct a reflection on their overreliance on space-based assets and Earthspace/space-Earth interactions. They should think about the ways in which their needs could be met with the same quality but within a diverse portfolio of techniques. At the more technical level, it is also relevant to diversify data intakes. As an example, NATO overreliance on the GPS system for navigation was pointed out and the use of the European Galileo was proposed to ensure better resilience in case of failure. For the time being this policy has not been implemented.
Think through scenarios
An important aspect of space assets security concern our common ability to think in advance and plan in advance with a risk-focus mindset. The best way to deliver on this aspect is to conduct scenariomaking exercises. Based on the different types of threats outlined, policymakers should outline the relevant actors to mobilize, the different stages of response and tasks to achieve. Below, I provide examples of scenarios for mitigating kinetic physical threats and jamming threats. Cybersecurity and space security are two interlinked domains. Space assets are crucial for modern statecraft but face serious vulnerabilities. The range of threats at the junction of these two domains as well as the current lack of cooperation requires immediate actions. It remains in the hand of states to unlock the potential of international fora at their disposal and avoid serious incidents.
Conclusion:
There are legal challenges, too. Using existing laws and agreements, it’s difficult to effectively verify and monitor ground-based counter space capabilities such as cyberattacks. A state can gain international goodwill by signing a new space law agreement, or supporting space arms control, for example. But if those agreements can’t be monitored, it’s easy for the same state to violate them by covertly developing and employing counter space capabilities in a grey-zone-type operation. If a satellite begins behaving oddly or is failing to send data, is it a technical fault or a cyberattack? If it’s a cyberattack, who’s behind it? How do we respond to non-state cyber threats against satellites? The fragility of norms and legal regulations is an issue that proponents of laws and arms control measures as means to stop proliferation in space don’t seem to have answers for. India’s test of a direct-ascent anti-satellite weapon in March led to an international outcry because it generated space debris and went against desired norms toward non-weaponization of space. Soft-kill threats such as cyberattacks are more insidious and potentially more dangerous because they can be used without the fallout of space debris and offer scalable, potentially reversible effects. Australia must understand and meet the challenge of soft-kill counter space threats to its critical space systems, including those in the cyber domain.
