Industry experts gathered in Rome and virtually on Thursday in hopes of answering a question that has long vexed people who worry about defending outer space: How to engineer cybersecurity into complex space systems from ground stations to satellites that reach far beyond.
Building security into the software and networks that control complex space systems is no easy task. But the U.S. government and many other nations around the world are dedicating more resources to protecting space systems such as GPS, space-based imaging and the satellites that provide internet service around the world over concerns that one successful cyberattack could have catastrophic consequences.
Cyberattacks aimed at satellite communication systems such as Viasat, which hackers attacked at the beginning of the Ukraine war, drove home the importance of building more security into space systems. And the attacks and intrusions are ongoing; last year the Cybersecurity and Infrastructure Security Agency found Russian hackers sniffing inside U.S. satellite networks.
“We have the unique opportunity that we can build this from scratch because of the new space era. There [aren’t] many other industries where we can do that. But in space, we’re building all the infrastructure right now, so let’s just do it right,” said Gregory Falco, a professor at Cornell University who studies the cybersecurity of space systems and chair of the Space Systems Cybersecurity Standard working group that met on Thursday. “We need to create secure-by-design specifications for different components of a space system.”
Additionally, the working group comes at a turning point for the space industry, which has moved from one mainly run by government agencies and the military-industrial complex to one run by private venture capital and Silicon Valley companies such as SpaceX.
The transformation that is well underway means there is a larger market for off-the-shelf space products that introduce more cybersecurity risks, said Falco, who also noted that most equipment for space systems is produced overseas.
“We have really needed to move onto an international model because we’re not getting access to American-made products in a reasonable time frame anymore, given the amount of scale that we’re encountering in the ecosystem,” Falco said. “So that’s something that has prompted questions like: What’s inside? And nobody really knows.”
Falco continued: “The ambition is to just rule out a whole bunch of classes on security issues for future generations of space systems, not looking backwards necessarily.”
Standards set by the Institute of Electrical and Electronics Engineers, which houses the Space Systems Cybersecurity Standard working group, will be voluntary. But the international organization is widely known and the standards are often adopted by regulatory bodies, says Gunes Karabulut Kurt, an associate professor at Polytechnique Montréal and member of the group.
“IEEE standards are very widely accepted around the world, the most famous one being the internet and Wi-Fi,” says Karabulut Kurt. “What standardization does is basically helps international partners be able to use the same products.
“The standardization aspect becomes very important and especially for security because these devices — I’m mostly talking about communication systems perspective — become more and more capable and, of course … attackers are becoming more and more capable,” she said.
Currently, some guidelines and standards exist for space systems such as those developed by the National Institute of Standards and Technology. But critics have said those standards aren’t specific enough. A paper calling for space systems technical standards, signed by more than 40 researchers last October, including individuals from multiple U.S. and international government agencies, noted that NIST is “still currently aimed at providing general guidance, not tailored recommendations for modular spacecraft.”
Similarly, Space Policy Directive 5, issued under the Trump administration, offers generic cyber risk management guidance but again nothing specific or tailored. Other guidance, such as NASA’s Space Asset Protection Standard and Japan’s Guidelines on Cybersecurity Measures for Commercial Space Systems, similarly doesn’t cover the full gamut of cyber defenses.
“We need to get down to the nuts and bolts of actually providing people technical best practice guidance on how to protect your system,” said Brandon Bailey, senior project leader for the Cyber Assessments and Research Department at the Aerospace Corporation.
“The devil’s in the details on what you actually need to do about it. That’s where there’s a struggle, because historically people who build space systems that are not cyber professionals, right, they’re space people,” Bailey said. “Just like you saw this in industrial control systems in the last 20 years, where you have those the industrial control as the engineers, building these cyber-physical systems, but they never were trained and educated on cyber threats and TTPs.”
What the working group and industry need is more cybersecurity professionals participating, said Falco from Cornell.
“We need cyber folks at the table,” he said. “And we need space people at the table. We also need the policy folks at the table too, because we need someone to ultimately inform the future policy that’s written that will help people to comply with the standard, right? So we need all walks of life engaged in this process from all over the world.”
Correction June 1, 2023: This article has been updated to correct the affiliation and role of Gregory Falco.