Securing a Galaxy Far, Far Away: Cybersecurity’s Final Frontier

Written by

Space systems and services already play a critical role in day-to-day life. James Coker examines what it will take to secure the space arena now and into the future

For many people, space conjures up images of fantasy and adventure, providing a wealth of fictional content, from The Hitchhiker’s Guide to the Galaxy to Star Wars. Space provokes plenty of imagination and entertainment but can feel remote and inconsequential to everyday lives.

The reality couldn’t be more different. The modern world is hugely reliant on the space industry in areas like communication, navigation, timing and weather monitoring. Frank Schubert, head of cyber programmes Germany at Airbus Defence and Space tells Infosecurity: “Over the last 50 years, satellites as well as space systems and services have evolved to become a fundamental pillar for nations across the globe touching economies, sustainability, energy, civil protection and many aspects of a citizen’s daily life.”

This has made this industry a tempting target for cyber-threat actors, who have the potential to impact critical services, whether for financial gain or to damage geopolitical rivals. For example, the Russia-Ukraine conflict provides a stark reminder of how cyber-attacks on space assets can be weaponized by nation-states.

Todd Moore, vice president of encryption solutions at Thales, notes: “Following the Ukraine-Russia war, satellite communication providers faced cyber-attacks and disruption to their services. Also, a recent cyber-attack targeted ViaSat satellite modems that prevented customers from connecting to the Internet, while SpaceX’s Starlink terminals were jammed in a separate incident.”

The cybersecurity challenge is only going to exacerbate. Looking ahead, the sky’s (or more accurately, the space’s) the limit for the space industry. With the cost of rocket-launch decreasing, this arena in no longer solely the preserve of nation-states or intergovernmental organizations like NASA, as highlighted by enterprises by entrepreneurs like Elon Musk and Richard Branson. It is not fanciful to suggest that over the coming decade and beyond products may be manufactured in space and space tourism could take off; we could perhaps even see the colonization of other planets.

This promises huge benefits, but also greater and potentially terrifying consequences from cyber-attacks. Jenai Marinkovic, executive director, CISO, advisory board - GRC for Intelligent Ecosystems Foundation, believes that cyber-attacks in space will pose a threat to life as well as systems and data. “As an example, I could take control of the flight control systems on a ship that has tourists or consumers on it and hold it for ransom.”

It is crucial that the particular cyber challenges for the space industry are understood and acted upon before this dystopian scenario becomes a reality.

The Unique Space Frontier

One fundamental problem posed by growing activity in space is the lack of established rules regarding appropriate behaviors as there is on Earth, according to Marinkovic. “There’s no definition for what is permissible in space, what a space norm is,” she explains. “If it’s allowed in space then there’s not much that can be done.”

"There’s no definition for what is permissible in space, what a space norm is"

She anticipates that without such rules, heavy competition between commercial entities and nation-states could spill into cyber-attacks being used routinely to damage rivals and steal intellectual property. Currently, the rules in space are governed by the Outer Space Treaty 1967 which was composed at a time when only two nations – the Soviet Union and the US – had spacefaring capabilities. This treaty offers very limited guidance on what is permissible in space, and certainly not in respect of cyber.

Given significant global tensions and the high levels of competition between private companies in space, Marinkovic predicts it will be a “slow slog” before a comprehensive set of rules are agreed. “I think we’re going to see some severe incidents to catalyse why we all need to work together.”

Another issue is the growing interoperability of the systems used, creating more connections from Earth to space. This is removing the “technology barrier” for cyber-threat actors, says Daniel Fischer, head of the applications and robotics data systems section, European Space Agency (ESA). “If you are able to hack a system on the ground, you are able to hack the same system in space if you have the right access channel,” he notes.

Thales’ Moore concurs, highlighting how the commercialization of satellites has led to increased connectivity and familiar systems being utilized. “A few years ago, satellite systems were static as there was no software onboard and the ground control segment was controlled singularly – shut off and disconnected from the internet. Since then, some parts of the system have been replaced with community software to implement new capabilities such as improved telecommunication, navigation and crypto agility. In short, there are now multiple actors who have access to the satellites and those who operate them, including the software and programmable elements; this creates a greater attack surface for malicious actors.”

The problem is exacerbated by the fact that many space assets are in service for long periods, up to two decades in some cases. Fischer notes that “you cannot exchange pieces of the spacecraft when it’s up,” meaning many of these assets are vulnerable to attacks enabled by technological advances. A particularly pertinent example of this is quantum computing, which experts believe will be capable of breaking existing encryption methods in the next 5-10 years. Fischer says that the ESA is investing heavily in post-quantum cryptographic systems to be able to place them on spacecraft as soon as possible to mitigate this risk. “We know it’s coming and we have to plan for it,” he states.

Increasing Collaboration

It is clear that greater collaboration and agreement is required to mitigate the substantial cyber-risks in the space sector, especially given the distinct lack of international rules currently governing this domain. While political agreements look a remote prospect at this stage, cybersecurity standards for organizations operating in space are more realistic. This includes in areas such as threat intelligence sharing, and minimum security standards for the technologies in use. “International standards will provide reliable sets of cybersecurity requirements depending on the needs of specific missions: ranging from science missions over commercial to military applications,” says Airbus’ Schubert.

"International standards will provide reliable sets of cybersecurity requirements depending on the needs of specific missions"

Encouragingly, a number of initiatives are taking place to achieve just that. International standardization groups such as the Consultative Committee for Space Data Systems (CCSDS) and the European Cooperation for Space Standardization (ECSS) are working on developing standards in areas like supply chain management. In 2020, the US government published a policy directive, Cybersecurity Principles for Space Systems, which outlined five main principles for space system owners and operators to follow.

These are positive steps but require all stakeholders to be engaged with time to be effective, from governments to private satellite operators and software providers. “Industry will need to be invested and involved in such activities to ensure they anticipate and reflect changes in their products,” says Schubert.

Tech Solutions

It is also clear that significant investment and advances in emerging technologies are required to overcome the unique cybersecurity challenges in space. One emerging area is quantum-secure cryptography and how to ensure such solutions are in place before ‘Q Day’ — the date when quantum computers are able to break existing cryptography.

Additionally, AI technologies need to be taken to another level to help secure space systems, says Marinkovic, with intrusion prevention systems needing to interact with physical systems. She is also concerned that “there’s not a lot of knowledge on how to properly secure an algorithm,” and this must be a priority when it comes to the use of AI and automation in space, where there will be more reliance on such systems.

At the ESA, Fischer explains that there is significant work ongoing in the area of optical communications – essentially using light to carry the signal – to secure data flows to and within space. The agency is also developing a specific R&D cybersecurity track, which requires approval from all member states at its Council of Ministers meeting in November 2022. If agreed, “there will be a lot of investment and activities in areas like AI, optical communication, zero trust architecture, post-quantum cryptography systems and secure spacelink technology,” he says.

The Human Factor

It is also vital to recognize that securing space is not just a technological challenge, but a human one. Marinkovic believes the skillsets required by cybersecurity professionals will exceed those required back on Earth for a variety of reasons. “We’re going to have to be more skilled in the hard sciences, in physics, thermodynamics and mechanical engineering to understand how digital systems work with physical systems,” she observes.

Cybersecurity professionals in the space domain are also likely to undergo stress and hardship beyond the high levels already experienced in the industry. This is partly because some personnel may be required to actually live in space for periods. “There’s going to be times when you cannot communicate with Earth from lunar systems, and you’ll be reliant on human beings on board,” she notes. “We currently do not truly understand the levels of stress that this will place on these workers, who will potentially be putting their own lives in danger through their work.”

Another aspect is the added pressure brought from the potential life and death consequences of cyber-attacks in space. “You are going to have to respond at lightning speed under immense amounts stress to protect yourself and everybody else who’s on that ship with you,” comments Marinkovic.

ESA’s Fischer agrees that cybersecurity workers in space “requires a special mindset.” He points out that in space, it will be even more critical that security measures do not encumber spacecraft operators in their work. “The operator wants as little in its way for saving a spacecraft if it starts tumbling for example,” states Fischer. This requires good communication and new ways of thinking to be able to cater for the unique needs of space.

In light of these significant human considerations, Marinkovic believes that “our workforce has to become more technical and think outside of the box in a way we haven’t had to do before.” This requires a fundamentally different approach to training and recruitment.

She argues that the approaches used in sports training, such as American football, to respond rapidly to events in a game, are applicable for cybersecurity professionals in this domain. “In sports, we have the mindset of detecting and responding rapidly and they drill like that – that is the type of behavior you’re going to have to execute when in space.”

Marinkovic also believes that neurodivergent individuals could be best suited to certain cybersecurity roles in space, especially those required to physically go into space. “People who are neurodivergent are comfortable with being by themselves, following processes and thinking outside the box,” she notes. Therefore, relevant organizations must update their recruitment strategies to identify and entice such individuals.

Reasons for Optimism

There are a number of unique challenges to overcome to secure the space industry, both now and in the future. As space travel itself has highlighted, we should never underestimate the ingenuity and adaptability of the human race in the face of adversity. Fischer believes that cybersecurity in space will evolve through experiences over time. “I’m not overly concerned because all the other industries have gone through this,” he observes.

There are people already thinking and planning ahead for securing space in the future as mankind expands its reach into the final frontier.

What’s hot on Infosecurity Magazine?