The security of civil and commercial space systems from hackers and cyber-attacks was the subject of a 28 July hearing by the House Science Committee on Space and Aeronautics. According to the hearing organizers cyber threats facing commercial space systems pose significant risk to the global “space-related” economy, which grew from $161 billion in 2005 to $447 billion by 2020.
Russian cyber-attacks on Viasat and other commercial communications networks used by Ukraine and in Europe helped bring the issue into focus. Among the threats that the hearing explored were:
- Use of cyber weapons developed and targeted to specific spacecraft systems
- Potential vulnerabilities in the supply chain
- Hacking of ground systems, causing service disruptions to commercial and government customers
- Command intrusion into an operational satellite presenting potential physical risks to other satellites and the orbital ecosystem
- Spoofing of the link between the satellite and the user, providing false information to the user
- Disruption or intentional or unintentional manipulation of signals
Dr. Theresa Solway, a space cybersecurity engineer for The MITRE Corporation, told the committee that one of the most urgent cybersecurity risks for commercial space is the possibility that one or more satellites could be hijacked to cause a collision in space, taking out a communications system, a space station, or national security asset, and causing a debris field that would limit the use of that orbital path for other satellites. To mitigate risks, Solway urged adding encrypted links to tracking telemetry and control, incorporating autonomous security systems using on-board sensors to evaluate income command signals, and updating and patching of legacy software systems to reduce points of vulnerability.
Matthew Sholl, chief of the computer security division in NIST’s Information Technology Laboratory, highlighted NIST’s work in space cybersecurity. He noted a presidential executive order issued in September 2020 (Space Policy Directive – SPD-5 – Cybersecurity Principles for Space Systems) that directs U.S. government agencies to work with commercial companies to promote adoption of key cybersecurity principles in commercial space operations. He also described a current government-wide effort to mitigate the potential impacts of a disruption or manipulation of global Positioning, Navigation, and Timing (PNT) services used by the commercial and military sector. NIST has also generated guidance on cybersecurity for commercial satellite operations, including security of ground control segments and hybrid satellite networks.
Brandon Bailey, Senior Project Leader, Cyber Assessments and Research Department with The Aerospace Corporation, which is a non-profit, federally funded R&D center created to advise the government on all aspects of the nation’s space enterprise, provided a rundown of the existing gaps that create cybersecurity vulnerabilities in the commercial space sector:
- Disjointed oversight and governance of cybersecurity for space technology
- The lack of binding space cyber policy for commercial space technology (The Executive Order SPD-5 is non-binding and treated as informational by the commercial space sector)
- Significant gaps in technical cybersecure solutions, standards, and best practices for space technology
- Lack of cybersecurity information sharing, and R&D for space technology as many efforts within space-cyber are siloed and fragmented
- Significant lack of security-focused, defensive capabilities on board the satellites, and overemphasis on protection of ground elements of the satellite communications network
- Lack of technical focus on validating security implementations in space systems
- Supply chain risk-management challenges, given dependence on global sources for specialized equipment
- Critical need to protect space technology and likely need to create a dedicated space technology sector
Baily raised the question of why space technology has not been classified as a critical national infrastructure, or emphasized as a critical component of the already designated communications and IT sectors in planning by the Department of Homeland Security.
He closed with the observation that “we are entering into an era of space-based capabilities that are not driven by government therefore do not fall under existing legislation nor governance. Currently, there are gaps on multiple fronts with respect to policy and technical standards.”
From a technical point of view, he noted there are little to no onboard security-focused capabilities in most deployed satellites (i.e., monitoring, logging, and alerting), and a lack of technical focus on validating security implementations in what is currently typically a paperwork-driven review for most civil and commercial systems. He also emphasized the need for cyber controls to supplement personnel security/background checks to guard against insider risk.
