Questionably Secure Satellites Must Take Cybersecurity Seriously


Posted by Robert Ackerman

The wonder and excitement of space have finally made their way back into the news in recent months, and at least one of the tidings was not only highly positive but breathtaking. The new James Webb Space Telescope revealed its first science-quality images earlier this summer, showing a span of the universe never before seen so brilliantly and clearly and opening tens of millions of eyes to the enormous amount of science still to be learned.

Other space-related developments also made the headlines, notwithstanding that they were markedly less successful and even potentially worrisome. This month, the new, 30-foot-tall US Artemis rocket made two attempts, with more on the way, to set the stage again for Americans to return to the moon for the first time in roughly a half-century and enhance preparations to eventually go to Mars.

That was the less successful initiative. Downright anxiety-inducing was the formal announcement by China late last year that it planned to send three exploratory rockets to the moon, followed by putting humans there around 2030. This could plant the seeds for a threat to the United States amid its deeply troublesome relations with the second-biggest country in the world.

Regardless, the sad reality is that by far the most threatening space-related development this year—and one painfully underscoring yet additional vulnerabilities of cybersecurity—was a Russian cyberattack in February that crippled a satellite network in Ukraine and neighboring countries in Europe. The Russian attack disrupted communications and a German wind farm with thousands of turbines used to generate electricity. It also managed to destroy thousands of modems used by customers of US-based communications company Viasat, highlighting that space-based assets, such as satellites, are as vulnerable to a malicious attack as any other type of critical infrastructure.

Viasat is a defense contractor for the US government and became the victim of what is commonly deemed the most prominent hack of space equipment ever. It’s considered worse than a 2014 incident that froze the ability of the National Oceanic and Atmospheric Administration to transmit weather satellite data to the National Weather Service.

Worst of all, the Viasat attack is considered to be a harbinger of what lies ahead—likely a sizable security headache for satellite infrastructure in space and on the ground. In the worst-case scenario, a cyberattack could cause two satellites to collide or one satellite to collide with the International Space Station, making orbital paths unusable.

According to Statista, there are now nearly 4,900 satellites orbiting Earth, including 1,809 launched last year, and a comfortable majority of them belong to the United States. About 40 percent are used for business communications, and 30 percent support a mix of civilian and military operations. Most of the rest focus on mixed-use remote sensing and meteorological and navigational missions, a balance likely to increase as ubiquitous broadband service and remote sensing capacity expand. This emerging sector is often referred to as “New Space.”

These developments, fueled by the diminishing cost of launches, are expected to increase materially—and increasingly threaten—the already robust growth of satellites. Communications satellites, used for, among other things, TV and radio, already number more than 2,200 and are expected to be supplemented by sizable networks of satellite devices that communicate with each other.

The resilience of satellites and their networks is becoming a particularly big concern at the Department of Defense, which relies on a mix of government-owned and commercial satellites for internet and global communications. There are currently no cybersecurity standards for commercial satellites, and some don’t even bother to use data encryption.

It helps that multiple military-controlled satellites operate in different orbits, thereby minimizing the risk of collision, but they are far from impervious to an attack. Ground-based electronic radio frequency jamming can (and does) occasionally scramble communications, for example. And a military confrontation could lead to a satellite missile attack.

Many people don’t realize how essential satellites are because they’re generally out of sight and not given much thought. But if the growing network of satellites ever failed, life would virtually grind to a halt. Smartphones and ATMs would stop working, and even many TV stations would stop functioning because they rely on satellites to transmit their signals. In addition, anyone relying on GPS would find themselves lost, whether on land, at sea, or in the air.

Hackers, of course, can also tweak functionality, not merely shut things down altogether. If, for instance, a hacker sends incorrect GPS information to a smartphone that leads to a driver taking a wrong turn and getting lost, that’s obviously not a particularly big deal. But consider what happens when spoofed information ends up on a naval ship or a commercial airliner for a nefarious purpose. Fleet owners would suddenly lose the ability to keep track of them. Spoofed altitude could even cause an airliner’s autopilot to crash the plane into the tarmac because the airliner would perceive itself to be thousands of feet higher.

Looking ahead, we can expect that the resilience of critical services on Earth will become increasingly entwined with the resilience of satellites in space. Despite signs of growing cyber expertise among satellite operators, Russia’s attack on a Ukraine satellite network nonetheless demonstrated that satellites remain too vulnerable. The answer? Governments and other entities involved in space-dependent technologies need to step up to the plate, identify critical space-enabled services, and prioritize protecting them better.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

