It’s Only a Matter of Time and Space Until a Satellite Takeover
The United States suffers from a catastrophic cybersecurity problem with its critical infrastructure – industries which are dependent on satellite communications. A November wargame hosted by the American Institute of Aeronautics and Astronautics demonstrated the latest cybersecurity threat in outer space – the ability to turn a software-controlled satellite into a space weapon. In June 2021 the director of the U.S. Space Development Agency announced a program to connect commercial satellites with U.S. government satellites in orbit, in an effort to streamline data sharing. As we know from the dozens of historical cyber events, most recently ransomware attacks, connecting systems without security in mind is a bad idea. The next major cyber event to grip the U.S. may soon be a commercial satellite takeover that impacts national security.
The proliferation of satellites is driven in part by nation-state military and civilian programs, but also by the growing commercial presence in space. Emerging use cases include high speed broadband internet, 5G from space, Space-as-a-Service, air traffic control, space tourism and much more. From a cybersecurity perspective, there is little awareness of the degrees of separation for commercial satellites and the interdependencies of critical infrastructure or national security. For example, when comparing the 2014 hack of Sony Pictures to the recent Colonial Pipeline ransomware attack, it is easy to understand which attack had a larger cyber-physical impact. For commercial satellite systems, critical infrastructure and national security that rely on these systems, the potential impacts begin to blur.
U.S. space assets represent a tempting Achilles heel, providing vital communications and data to the 16 critical infrastructure sectors. A targeted disruption in satellite communications could impact finance, healthcare, transportation, emergency services, and more. Presenting at the CyberSatDigital conference in May 2021, a senior advisor at the Department of Homeland Security confirmed that all of the more than 50 National Critical Functions (NCFs) vital to U.S. national security depend in one way or another on space-based assets.
Many satellite systems function in similar, albeit not identical, ways. Though they have yet to be included as critical infrastructure, they are increasingly prone to hacking and manipulation, and their security is as paramount as energy or transportation security.
Several civilian and military satellite systems have already been hacked. For example, in 1998, hackers took control of the U.S.-German ROSAT, a deep space monitoring satellite, and aimed its solar panels toward the sun to overheat and render them useless. More recently, in 2018, hackers targeted Garmin’s satellite assets with ransomware, affecting the company’s operations for several days and costing the company $10 million. In 2020, Chinese hackers managed to infect computers controlling U.S. satellites and engaged in espionage on military and civilian communications. While they were in control of the satellites, it was determined that they had the ability to alter their positions and disrupt data flows.
Once in control of a satellite, a malicious actor might alter coordinates and cause a satellite to thrust in any direction, manipulate onboard sensors, or interfere with data links and communication traffic. Hackers could also use a specialized antenna to masquerade as the satellite’s ground station to send the satellite seemingly legitimate commands, or jam sensors to blind them for a duration of time. They could also gain access to sensitive information while disguising the attack so that the satellites appear to be operating normally. To have long-term impacts, an attacker might introduce a supply chain attack to software or hardware components. Finally, they could interfere with systems that deploy artificial intelligence and machine learning to help avoid collisions. As of 2019, these communications to avoid collision between commercial assets like SpaceX and the European Space Agency were still taking place via email.
Cyber criminals know no boundaries; therefore, space is only an extension of their playground. The cyber vulnerabilities of space-based assets vital to national security present a systemic and existential risk to society with the potential to displace entire critical sectors for extended periods. An overhaul of cybersecurity for satellite systems is long overdue. Action taken to shore up cybersecurity gaps in space will require two fundamental elements. First, it will require technical experts’ input, not only policy jargon. Second, it will require prescriptive and obligatory language, rather than suggestive or optional language.
Any cyber-attack on U.S. space-based assets might result in temporary communication and service outages, loss of integrity or control, or systems being destroyed. A coordinated attack could lead to a denial of satellite services and could impact entire geographic areas or industries – similar to the potential widespread impact of cloud service provider interruptions across several industries. In a worst case scenario, such an attack could lead to a disruption in military command and control communications.
Formal cybersecurity legislation is typically too vague to provide actionable insights, or too specific to represent a dynamic threat landscape that continues to change over time. Incorporating technical experts into addressing the potential risks will accomplish two goals: providing credible potential scenarios that are realistic rather than hyperbolic and filling in gaps in specific disciplines’ expertise with collaboration between functional experts.
The attack surface of vulnerable space objects continues to grow, with no standardized cybersecurity or governing protocol for satellite technologies to date. For example, Starlink now operates 1,844 satellites in orbit, many of which are “now equipped with laser-based systems to communicate with each other in orbit, and less with the ground.”
To level set, federal regulation might offer required security controls for systems which provide a critical service across the 50 NCFs vital to national security. Though regulations that are too prescriptive risk stifling innovation in an exciting technology market, voluntary best practices-style guidance would likely be ignored without significant incentives from the government or customer base. Without a forcing mechanism, however, satellite cybersecurity will remain an afterthought – perhaps until the first hostile takeover.
Danielle Jablanski is a senior research analyst contributing to Guidehouse Insights’ Digital Innovations research service. Her focus is on the disruptive impacts of cybersecurity, artificial intelligence, data integration, and blockchain technologies for industrial applications and critical infrastructure owners and operators.