Key Considerations for Satellite Cybersecurity in 2023
Cyber and physical threats against commercial satellites are no longer a hypothetical discussion. Russia has demonstrated intent and capability to attack commercial satellites amid the ongoing Ukraine conflict, while China continues to advance its offensive space capabilities. The expanding threat environment is forcing the satellite industry and governments to consider new tactics, strategies, and policies to address the new geopolitical reality.
Amid all of these concerns, the CyberSatGov 2022 Conference in November 2022 took place at a critical juncture for the satellite industry. As participants grappled with the new cyber threat environment facing satellites, four key takeaways emerged that should inform companies’ approach to cyber concerns in 2023.
First, the Russian cyberattack against Viasat ground terminals earlier this year was an inflection point for the commercial space sector. There was a strong consensus across industry and government speakers during the conference that commercial satellites are now direct targets in geopolitical conflicts.
Space companies, both big and small, must dedicate more resources to securing their entire space systems (satellites, communications links, and ground assets) against nation-state kinetic and cyber attacks. However, while larger satellite companies have been preparing for cyber threats for years, small and medium-sized companies are at higher risk because they have limited resources to mitigate cyber vulnerabilities.
Second, the U.S. government has not yet decided how it should respond to cyber and/or kinetic attacks against U.S. commercial satellites in the context of armed conflicts. To date, the U.S. government has only vaguely stated that it would respond at a time and in a manner of its choosing if Russia targeted an American commercial satellite. Some experts, such as Sam Visner of the MITRE Corporation, called on the U.S. government to transparently communicate “red lines” to its adversaries. For example, the U.S. should clearly state what actions against commercial satellites are unacceptable (i.e., what activities would be considered crossing a “red line”).
Senior U.S. government leaders are engaging in internal discussions on how best to protect and defend commercial satellites. One consideration is whether the U.S. government should indemnify commercial space companies working on behalf of the U.S. government that are attacked by a foreign adversary. To date, however, the U.S. government has not announced any new policies in this realm.
Third, space companies are wary about the Department of Defense’s (DoD) current plans to enhance cybersecurity through the Cybersecurity Maturity Model Certification (CMMC) and Infrastructure Asset Pre-Approval (IA-Pre) Program.
The CMMC will require DoD contractors to adopt hundreds of cybersecurity controls listed under NIST 800-171 meant to protect controlled unclassified information (CUI) as a condition for working with the DoD. The U.S. Space Force’s IA-Pre Program will require satcom providers to comply with over 400 cybersecurity controls, aligned with the NIST 800-53 High-Impact level.
Several industry representatives during the conference expressed concerns about the compliance requirements of both programs. Some highlighted that the CMMC is not even a full security program; its controls focus narrowly on protecting CUI. Others noted that the hundreds of controls for the CMMC and IA-Pre could become major barriers to entry into the DoD marketplace for many small and medium-sized space companies.
Fourth, the space community requires a culture change to improve its cybersecurity. A key step in promoting cybersecurity is for the space community to conduct outreach to the cybersecurity community and learn from cyber experts. In turn, cyber experts must learn more about the space industry to develop better cybersecurity solutions for the space sector.
For example, audience members learned how the DoD is engaging with the U.S. hacker community through its Hack-A-Sat competitions at the annual DEF CON conference. In addition, the Aerospace Corporation presented its SPARTA platform to help space professionals learn about cybersecurity issues. Other key organizations promoting cybersecurity in the space sector include the Space-ISAC and the DHS Cybersecurity and Infrastructure Security Agency’s Cross-Sector Working Group on Cyber of Space Systems.
Overall, no one organization alone can fully manage cyber threats to the space sector. But several steps can be taken. The U.S. government can develop clear policies that deter foreign attacks against American commercial satellites. The DoD can shape reasonable cybersecurity standards for satellite companies through its acquisition programs. Industry and government leaders can push for a culture change across the space community to better integrate cybersecurity into everyday operations. Combined, these efforts can help to better manage cyber risks in an increasingly threatening space environment.
Robert Shields is the director of Space, Cyber, and Emerging Technology for the International Technology and Trade Associates (ITTA). He provides strategic analysis and advisory services to ITTA clients interested in the U.S. space, cybersecurity, and technology sectors.