There’s a new war under the stars, but it’s not being fought in a galaxy far, far away. Instead, it’s being fought right here in Earth’s orbital atmosphere, and it’s a battle happening in the digital dark between hackers and their shining new targets: satellites. Specifically, commercial satellites.
In 2022, the EU announced its ambitions of becoming a commercial space force to be reckoned with, but many challenges lie ahead – and space cybersecurity is one of them. Russia’s attack on ViaSat sent nearly an entire country offline, affecting customers and services in several other countries, including France and Germany. It exposed how vulnerable Europe’s emerging space industry is. And how critical it is to change that.
Josep Borell, VP of the European Commission, has acknowledged: “Without security, there can be no future in space.”
Why is Commercial Space Vulnerable?
Space used to be the sole domain of governments and their official bodies, and their satellites were isolated from ground-based commercial systems. That’s no longer the case.
We now rely on commercial satellites for a substantial portion of our critical infrastructure and data collection and transmission. While innovations such as software-defined satellites, in-orbit reconfigurations, cloud-native applications and on-board intelligence are incredible solutions, they also expand the attack surface and increase the interdependence of systems.
Yet, few satellites have been developed with security in mind. Unfortunately, space cybersecurity has been a neglected topic. Especially amongst European civil satellite operators, whose focus has been on improving mission capabilities instead of guarding against cyber threats. And why not? They’d been driving without seatbelts for years, so why worry about it now?
During CYSAT ’22, the largest European cybersecurity event for space, former US Airforce CSO Nicolas Chaillan confirmed the lack of commercial security investments. “Over the last 10 years, most satellite companies have not invested in it whatsoever... even SpaceX, which is probably the most leading and innovative company in the industry, had to stop and focus on anti-jamming and cybersecurity before entering Ukraine.”
As his comments testify, Europe still has a long way to go in terms of security before it can realize its grand ambitions for space.
Who Poses a Threat and Why?
Potential attackers include the entire spectrum of cyber-criminals – from thieves to terrorists – and even geopolitical players exercising soft or direct power. Whether the goal is financial gain, strategic damage or to sow chaos, they usually choose targets based on the following criteria:
- Digital valuables: funds, data, etc.
- Mission-critical operations or infrastructure: supply chains, communication, production, etc.
- Attack surface: vulnerable software, third parties, poor security postures, etc.
Commercial satellites meet all three requirements. One route for attackers is to steal and hold vast amounts of information to ransom, possibly disrupting entire industries. Another is corrupting infrastructures and potentially sending entire countries offline – such as with the attack on ViaSat.
Russia made history when it launched Europe’s first-ever state-sponsored cyber-attack on a commercial operator. ViaSat’s satcom terminals were hit hard. But the wave of damage didn’t stop in Ukraine; it continued into countries such as Germany and France, sinking wind farms and affecting private users. Thankfully, Elon Musk’s Starlink intervened and kept the Ukrainian telecom network connected.
The only positive takeaway from all this is that Russia’s attack opened Europe’s eyes to the threat.
“The Russian aggression against Ukraine has demonstrated how crucial space-based sovereign and secure communication services are in case of conflict,” said Thierry Breton, the EU’s Commissioner for Internal Market.
IRIS²: A New Hope
This year, the EU included defense as one of the four pillars in their new strategy to become a European space power:
- An EU-wide resilience and security framework for national and commercial space systems
- A strengthened capacity for the Union’s ability to respond to threats
- An enhanced use of space for security and defense operations, such as new Earth Observation and Space Situational Awareness services
- An intensified cooperation with global partners, notably NATO.
And they mean business. The EU recently approved a sovereign multi-orbit constellation plan worth €6bn named Infrastructure for Resilience, Interconnectivity and Security by Satellite (IRIS²). The goal is to secure European infrastructure while providing services such as humanitarian aid and border surveillance, and commercial services such as broadband.
Whether IRIS² reaches its full potential remains to be seen, but the pressure is on. If Europe ever wants to catch up to China and the US, who are already miles ahead of the curve and operate with far larger budgets, it can’t let its foot off the accelerator.
The good news is that these ambitions represent an unprecedented opportunity for the cybersecurity community to unite and establish a safe space… in space.
All that remains is to seize it.