Space - the final frontier for cybersecurity
7th October 2021
Satellites are the backbone of our daily lives – which makes them an increasingly attractive target for hackers.
We rely on satellites for just about everything in our everyday lives. That dependence is only set to grow, as thousands more satellites are launched to enable “Industry 4.0”, a fourth industrial revolution in which smart systems control autonomous robots, machines and vehicles and everyone in the world has access to high-speed broadband.
The new digital economy offers rich pickings for cybercriminals: cybercrime is estimated to cost the global economy about $1 trillion a year and rising. But whereas the companies and government agencies that provide our critical infrastructure have responded to this growing threat by beefing up their defences, the cybersecurity of the satellite system on which they depend lags behind – exposing a critical weakness the space industry needs to address.
How hard is it to hack a satellite?
The satellite system is cybersecurity’s soft underbelly. It offers the opportunity to create maximum disruption for minimum effort – every cybercriminal’s dream.
The problem is that security wasn’t really considered an issue with satellites. Back in the early days of space exploration, only a handful of countries could afford to send up satellites. Their design, construction and launch were often shrouded in secrecy; once up in orbit, away from prying eyes, their missions were simple: relaying signals to and from ground stations in line with their purpose.
But the space industry is completely different now. Space/Industry 4.0 will be powered by thousands of small, smart satellites in low-Earth orbit (LEO). ‘NewSpace’ companies have used commercial off-the-shelf parts and free, open-source software to build a new generation of cheap, mass-produced satellites, known as CubeSats.
The cybersecurity threat from CubeSats has been likened to the early days of the Internet of Things, in which a wave of web-connected products, from heavy machines to fridges and TVs, was so vulnerable that the devices became a popular weapon with which hackers launched attacks.
“We must work together to ensure Space 4.0 connectivity does not open our global connectivity and infrastructure dependency to the Mirai botnet or WannaCry worm on LEO,” stated cybersecurity experts McAfee in a blog.
Why are satellites vulnerable?
The NewSpace business model is cost effective but insecure, argues Gregory Falco, a Harvard space cybersecurity researcher. There’s a multitude of potential weak spots hackers can probe to try to break into an organisation’s system.
It has a long and complex supply chain, in which components are made by a host of manufacturers around the world, over which satellite operators have little or no control. Once they’re up in space, the satellites’ hardware can’t be replaced and quickly becomes outdated. It’s not like you can pop up and replace a central processing unit.
The open-source software on which CubeSats rely is also vulnerable. Anyone has access to it, meaning hackers can analyse it to discover any flaws. Everyone is free to contribute code, so they can even plant backdoors in it that they can exploit in space. Also, like any computer program, it needs to be regularly updated. But if installing newer software on your computer is a chore, imagine what it’s like to update a constellation comprising hundreds of satellites orbiting thousands of kilometres above Earth.
Cloud attack in space
In space, satellites rely on ground support – SpaceX’s Starlink constellation providing high-speed broadband will alone require 123 ground stations. The radio signals passing between satellites and ground stations are often unencrypted, which is why they have been regularly jammed, overridden or eavesdropped.
An attack on the cloud could create havoc in space, because the cloud now powers most of a ground station’s IT systems, with Amazon and Microsoft now offering ‘ground-station-as-a-service’ to operate your satellite. You no longer even need to own a satellite: there are firms that hire theirs out.
Hackers also have plenty of opportunity to break into a satellite’s systems by exploiting flaws in the IT networks of the many organisations – government agencies, companies, the military, research institutions – with access to its data.
In a 2012 briefing to Washington lawmakers, NASA described the sprawling scale of its IT. It maintained networks at 16 different sites, using 58,000 desktop computers, 44 data centres, and 23,582 servers, as well as its own headquarters’ systems. It also managed over 3,000 websites, roughly half of all civil government sites, and over 130,000 unique internet protocol (IP) addresses.
The agency has been a prime target for hackers: it has suffered numerous cyber attacks including one in April 2018, which worried officials at the Johnson Space Center so much that they chose to disconnect from the main network for fear that hackers could move further into its systems and disrupt its manned space flights, including the International Space Station (ISS).
Today, there is more data than ever passing between satellites and Earth, while the scope for attack has vastly increased, says Heike Bienvenu, a space underwriter at Hiscox London Market. Even worse, there are no common cybersecurity standards within the space industry. “There are few guidelines and even fewer requirements in space, which is one of its attractions to entrepreneurs, but also its biggest pitfall,” Bienvenu says.
What’s the solution?
There’s an increasing focus on cybersecurity in space, as all the major NewSpace players – governments, military, industry and academia – recognise the scale of the threat.
The problem is that satellite cybersecurity has continued to lag behind that on Earth, argues Falco.
Additional security would mean extra costs in an industry in which profit margins are already razor thin – you can put a satellite into space now for $100,000.
Encrypting data would take up more processing power and bandwidth, both of which are at a premium in satellites measuring no bigger than a shoebox and weighing little over 1kg.
Also, satellite developers working for the common good haven’t seen the need to secure their systems. Why encrypt data when you intend it to be made widely available? But the more reliant the global economy becomes on the data transmitted by satellites, the more attractive that information becomes for cybercriminals. Even ‘free’ data now has a price tag – either to steal or to ransom.
“Everybody recognises the increasing threat from hackers,” says Bienvenu. “There needs to be a new balance found between additional cybersecurity for satellites and the extra cost and time that involves.”
Several are already taking action. The US military adopted a novel approach: offering hackers the opportunity to break into one of its satellites.
The US Air Force and Department of Defense organised the “hack-a-sat” competition at 2020’s DEF CON, the big US hackers’ convention. They came up with the idea to help them identify flaws in their computer systems, but also to headhunt talented hackers.
Many companies remain reticent to discuss their cybersecurity or make their technology available to be tested for potential flaws, however, for fear of revealing commercial secrets.
A first step is for cybersecurity to become a priority, rather than an afterthought in the space industry, experts agree. All satellite data should be encrypted, where possible, too, they say. The space industry should also become more transparent, by sharing information on new threats and vulnerabilities, like a new type of malware.
Also, organisations responsible for operating satellite-based critical infrastructure should comply with minimum cybersecurity standards – and ensure their own suppliers and partners do so too – as is common practice in public and private enterprise on Earth.
The insurance industry could also help. Cyber has become a growing risk: 61% of large businesses have suffered at least one attack over the past 12 months, while nearly half suffered at least six attacks, according to Hiscox’s Cyber Readiness Report 2021.
Insurers’ experience in tackling the threat of hackers could help the space industry improve its security, says Bienvenu. “The biggest cyber threats to space companies are the same as for any other business: viruses, dedicated denial of service attacks, email hijacking and ransomware. Insurers’ understanding of these risks is growing all the time, as are their skills in tackling hacks. They could share their knowledge with space organisations to help them to address their cyber risk.”