This article is more than 1 year old
In space, no one can hear cyber security professionals scream
Miscreants hacking vulnerable orbital hardware could set living standards back by decades in seconds
Feature "Space is an invaluable domain, but it is also increasingly crowded and particularly susceptible to a range of cyber vulnerabilities and threats."
That's not an overblown sci-fi movie strapline, but rather the chilling words of Gina Galasso, managing director of The Aerospace Corporation UK, a member of the international collaborative organisation, Space ISAC (the Space Information Sharing and Analysis Center.) And she's not wrong on either count.
In the UK alone, Galasso told The Register, the space sector contributes £5.7bn to the national economy each year and underpins a further £5.5bn in exports.
When it comes to threats, Galasso says some types are quickly detected – including orbital, kinetic and electronic attacks – but there are other less easily detected forms of cyber intrusion that "result in data manipulation or corruption, communications jamming or supply chain interruption".
Mi NASA, su NASA?
Now add to the sense of foreboding with a report published by the NASA Office of Inspector General in May 2021 [PDF here] investigating how ready the organisation is from a cybersecurity perspective. This audit found that during the last four years, NASA had experienced more than 6,000 cyber incidents, and 1,785 in 2020 alone. With some 3,000 websites and 42,000 publicly accessible datasets, perhaps that's not surprising.
"I know NASA suffers a large amount of nearly daily cyber attacks by sophisticated and unsophisticated actors," says Ian Thornton-Trump, CISO at threat intelligence outfit Cyjax. "But the team at NASA is constantly vigilant as they have a keen understanding of just how dangerous a place it is to lose control of something moving tens of thousands of miles per hour or even faster."
The space attack surface, one giant leap for threat actors
Also filed under "not surprising" is the fact that the space attack surface is both huge and attractive. After all, space is a crucial part of international critical infrastructure.
"Persistent, over-the-horizon vision and continual, assured, high data-rate connectivity is fundamental in winning modern wars," Kevin Curran, a senior IEEE member and professor of cyber security at Ulster University, tells us. The importance of space to the largest nation states cannot be overstated, according to Prof Curran.
"Essential systems such as communications, air transport, maritime trade, financial services, weather monitoring and defence all rely heavily on space infrastructure, including satellites, ground stations and data links at the national, regional, and international level," he adds. Attacks on any of these core space- or ground-based components could disrupt an entire nation.
Paul Kostek is an advisory systems engineer to Base2 Solutions, and a former president of the IEEE Aerospace and Electronics Systems Society and member of the American Institute of Aeronautics and Astronautics. He tells us his concern is not only that as the number of satellite constellations increases, so does the interest from adversaries, but also the sheer number of possible threat actor entry points.
These range "from the ground stations transferring the data to the telemetry stream, which is not currently encrypted," he points out, as well as the reliance on IoT devices which provide even more access opportunities. Then there's the small matter that "most ground stations may not be controlled by the owners or providers of the constellation and as a result may not provide adequate security", Kostek adds.
The threat risk will "only increase as the need for connectivity grows and we see more reliance on space-based infrastructure such as high-speed internet access", Phil Mar, CTO of government systems at satellite communications specialists Viasat, insists.
Logic clearly dictates the security needs of the many outweigh the needs of the few
It's all too easy to think of the attack surface being limited to national space missions and the organisations that support them, including the military. However, the truth is that the private spaceflight industry, including companies such as Space X and Blue Origin, has served to highlight the true size of the problem.
The space industry has a huge target on its back because it's so innovative and has such a rapid R&D rate, says Lisa Forte, a partner at Red Goat Cyber Security. When it comes to data theft there's a hefty financial reward for any successful attacker. "The space industry has one huge problem," Forte told The Register. "It may well be have the biggest supply chain in the world."
We already know that supply chain attacks are a favourite of ransomware groups: "With the recent rise in commercial ransomware attacks, the issue of cyber security must be a top priority for anyone operating in the sector," Mar suggests.
Indeed, you may recall a story last year that revealed aerospace industry players including Boeing, Lockheed Martin and SpaceX had been caught up in just such a supply chain ransomware incident.
"In purely monetary terms, NASA's current annual budget is close to $23bn," Thom Langford, a global security advocate at SentinelOne points out. "So from the perspective of a ransomware demand, there is plenty of money to be had." And with thousands of subcontractors in the supply chain, the attack surface is certainly expansive.
- This drag sail could prevent spacecraft from turning into long-term orbiting junk. We spoke to its inventors ahead of launch
- More cracks found in Russian annex of the International Space Station
- The Register recreates Apollo 15 through the medium of plastic bricks, 50 years on
- Bonkers rocket launch sees craft slip sideways, barely climb and tear up terrain
"Space is hard, resulting in extremely complex operations, multinational cooperation, and rigorously tested environments that are classed as critical infrastructure, and protected by their relevant nation-states," Langford continues.
This level of strong collaboration between superpowers, which results in the sharing of benefits, could be one reason that the space sector has largely escaped direct targeting by ransomware players. When it comes to space: "The attackers who may normally be tacitly endorsed by nation-states may not enjoy this support and may therefore take aim at other softer targets as a result," Langford suggests. Unfortunately, he adds, "this level of community may not last".
How many assholes have we got on this ship, anyhow?
Spaceballs could have provided so many sub-heads, but the "how many assholes have we got on this ship?" one seems most appropriate when examining the defensive measures being taken to protect the space sector from a policy perspective. The principles set out in the Trump presidency – Memorandum on Space Policy – Directive 5 – Cybersecurity, for example – are all well and good on paper, but how do you go about putting them into practice?
The Register spoke to HypaSec CEO, Chris Kubecka, who served in the US Air Force before transferring to Space Command, where she handled command and control systems, securing military and intelligence assets from nation-state attacks, and cyber security.
"There are less than a handful of policy wonks who know anything about cyber security on the technical level," Kubecka says. "Instead, there are lots of lawyers and political science folks who work in cyber policy and approach the issues from a purely theoretical perspective, using the newest buzzwords to get their unimplementable policy through."
Kubecka compares this to health policy, where people who have never seen the inside workings of a medical facility wouldn't be expected to write implementable policy during a pandemic.
"Until major governments bring the technical cyber security community into policy, more useless 'cyber' policy will continue to be written," she adds. One reasons for this, Kubecka suggests, could be that policy and national defence leadership in the US lament Russia for being ahead of the game because they include hackers.
"Yet the same USA leadership trust non-technical people whilst locking out the ethical hacker community," she says. "It’s mind-boggling."
Space, the final unregulated frontier
The trouble, according to Martin Rudd, co-founder at SECQAI, is that to date there are limited regulations and policies concerning this area.
"When it comes to cyber conflict, the Outer Space Treaty (1967) only covers the issue that kinetic weapons (including weapons of mass destruction) must not be placed in orbit," Rudd says. Despite an increasing number of space-based assets – both commercial and government-owned – there is no reference or amendments to cover cyber security and the data stored on, or transiting, the satellites in orbit.
"This is extremely interesting as by their very nature these space-based assets are facilitators of cyber warfare," he warns. "To avoid conflict or cyber warfare, it will become increasingly important to develop international standards and agreements to govern all space technology."
Space is a fundamentally contested environment. As Pete 'Rocky' Rochelle, previously chief of staff for capability acquisition in the Royal Air Force and part of the Five Eyes working group on space capabilities, and now COO at quantum encryption provider Arqit points out: "In both doctrine and operations, the US has declared offensive space capabilities," he says, adding: "China has also demonstrated capabilities to shoot down rival satellites and there are frequent proximity testers happening with Russian satellites."
All of which means that the risk of cyber or kinetic attack can massively heighten tensions. This, Rochelle says, has led to a recognition of the need to unify, cohere and coordinate efforts that were previously cut across various governmental units.
"In the UK too," he tells The Register, "space integration has featured as an important element of the government's recent Integrated Review. Within an allied context, the Five Eyes coalition serves a similar purpose." The space domain awareness coalition based at Vandenberg Space Force Base monitors all space activity, whether accidental or deliberate, in order to pre-warn commercial vendors about space conjunctions (significant debris impact, for instance).
"Such crucial information is shared among western allies through federated satellites which need cyber protection," Rochelle says.
A quantum leap into space security
To understand the cyber threat to the critical infrastructure in the sky – essentially, the digital platform that the space industry has created – we need to imagine what it would be like were it to be disrupted.
"If these satellites stopped working, our modern lives would be set back decades in a matter of seconds," Rochelle says. "The global transport of people and goods across supply chains would be seriously affected, an increasingly decentralised energy supply would become impossible to synchronise without time signals from satellites and entire power grids would become unstable."
Yet, according to Galasso: "Space systems are often overlooked in wider discussions of cyber threats to critical infrastructure." This requires a quantum leap towards taking space security seriously. "All space systems, hardware, firmware and software components, should feature cyber hardened designs with risk-based, defence-in-depth cyber protections to detect and deter threats and vulnerabilities," Galasso insists.
Currently, the UK has designated space as one of 13 critical national infrastructure sectors, and it is a joint, cross-government responsibility for the defence, civil space and commercial sectors. "The EU and US are considering similar designations to enable better internal coordination for securing space systems," Galasso continues. "This is an international priority that requires a degree of collaboration and coordination, which has traditionally happened in a top-down approach through organisations like the United Nations."
However, a bottom-up process – utilising national space legislation like the Space Industry Act 2018 and using guidance from bodies like the UK’s National Cyber Security Centre – is required to allow each state to develop a regime that best suits their respective national interests and may achieve global consistency in developing norms more quickly, Galasso insists.
Indeed, in order to combat threats, whether from cyber criminals or state-sponsored attacks, as well as to protect infrastructure and sovereign integrity in space, we will need to see the same nationalistic cyber security endeavours that have been rolled out on Earth also implemented in orbit and beyond, Rudd says.
These include "space versions of the UK government's creation of the 'High Risk Vendor' category and subsequently numerous decisions concerning Huawei, for example," he suggests. "It's likely that the same inter-country/continent trade agreements and relationships will be established in space as a defensive strategy against cyber attacks."
But, as Galasso says: "Resilience for space comes not just from high-quality sovereign capabilities and cross-government responsibilities, but also from strong relationships with allies and international partners that emphasise the value of partnership and information sharing. The space enterprise needs a fully integrated approach across policy and technology to enhance resilience." ®