To make this website work, we log user data. By using Shephard's online services, you agree to our Privacy Policy, including cookie policy.

Open menu

Digital Battlespace

US strives to address space cyber challenge

9th June 2021 - 15:19 GMT | by David Walsh in Washington DC


Cyber is the primary weapon of choice against US and allied space infrastructure. (Photo: NASA Ames/Wendy Strezel)

Securing space assets from direct attack or hacking is an ever more important task — but is it impossible?

In April, the Center for Strategic and International Studies released its annual ‘Space Threat Assessment’ that described four main vectors of attack: Kinetic Physical (direct anti-satellite attacks), Non-Kinetic Physical (use of directed-energy weapons or high-altitude nuclear detonation); Electronic (jamming and spoofing); and Cyber (described as data intercept or monitoring, data corruption or seizure of control).

Of these, cyber is the primary weapon of choice against US and allied space infrastructure. Satellites are reportedly susceptible to command intrusions with bad instructions to destroy or manipulate basic controls, or to payload control and denial-of-service attacks in which systems are overloaded with traffic.

Cyber hacks and infiltration of the supply chain are other worries, as Space Development Agency director Derek Tournear told the Washington Space Business Roundtable in mid-April.

‘Cyber and supply chain problems are common mode failures, so it doesn’t matter if I have one satellite or I have a thousand satellites, those [cyber attacks or hacks] may have the ability to take them all out,’ he said.

China is a particular concern for the US. Dr Gregory Falco, a cybersecurity and space expert at Harvard University, told Shephard that China ‘is much more dangerous than Russia … given that they have the financial means and the will’ to dominate the US and its allies’.

US military space assets are by no means immune to attack but they appear fairly robust, because the National Security Agency is mandated to ‘harden’ communications and control links from supply chain to launches to ground stations, and everywhere in between.

'Dual-use sats are really a nightmare waiting to happen'Dr Gregory Falco, Harvard University Cyber Research Fellow

Still, this is no time for US complacency as its highly adaptable adversaries are constantly evolving their tactics.

‘Generally speaking, military ground stations are targets [for] both external and internal threat actors,’ noted Steven Austin, senior cyber engineering manager at Raytheon.

‘To mitigate these threats, there is a renewed emphasis on cyber security in all phases of the system development life cycle.  This includes both designing and implementing a secure architecture, and maintaining that secure architecture during system operations.’

In August 2020, Oxford University researcher James Pavur told delegates at the annual Black Hat conference how he used cheap COTS equipment to covertly access 8TB of information, much personal or otherwise sensitive. The haul allegedly included navigational data sent to a Chinese airliner over an unencrypted connection.

What Pavur did suggests that satellite broadband is largely insecure and satellite network communications are easy to intercept. For one thing, no technology allows parties to validate the integrity of an encrypted connection.

One inherent problem is that the ever-increasing volume of satellites in orbit gives hackers a target-rich environment. About 4,000 of all kinds are now in orbit, a third of them launched by privately owned SpaceX.  

Disclosures like Pavur’s must give every satellite-launching entity pause for thought but military and national security satellites are believed to be far more hack-resistant.  Increasingly, defence agencies will turn to constellations of small and inexpensive satellites that are reputedly harder to target than traditional large platforms.

Austin responded in the affirmative when asked by Shephard if there is a trend in the military towards putting more hardened satellites into service.

He said: ‘The majority of government systems are now implementing the Risk Management Framework [RMF] with security requirements based on the NIST 800-53 Security Controls.

‘Throughout the system development life cycle, risk assessments are conducted via Cyber Table Tops and other assessment activities to ensure the right cyber security controls are implemented to reduce the overall risk posture.’

Still, US and allied space agencies must continually fight penetration attempts. Amid an exponential increase in malware attacks on its systems, NASA issued detailed instructions in 2020 to help thwart efforts by nation-states and cyber criminals to gain employee information and thus access to mission-critical systems.

'There is a renewed emphasis on cyber security in all phases of the system development life cycle'Steven Austin, Raytheon senior cyber engineering manager

Dual-use space vehicles give cause for concern. John Pike, founder of US-based consultancy and think tank Global Security, reminded Shephard that some commercial satellites have always undertaken clandestine missions or carried classified material, doubtless with the odd close call.

He cited analysis from 2019 by Italian space law expert Carlo Belbusti, who noted: ‘A [dual-use] satellite … becomes in fact an objective to be neutralised in case of conflict.’

This issue is especially pertinent now, as superpower tensions rise along with space competitors’ apparently unprecedented hacking exploits and other provocations. An inflection point may have been reached.

UK think tank Chatham House published research in mid-2019 underscoring the hazards and emphasising ‘an increasing need to apply higher-grade military hardening and cyber protection specifications to civilian capabilities – [ones] that have the potential to be used in support of military applications’.

Falco did not mince his words. ‘The dual-use sats are really a nightmare waiting to happen,’ he said. They are not usually designed for dual-use but fall into the business model after they have been architected.’

He noted that there are ‘innumerable new space companies that do not take security seriously or have any guidance on this’ — but in a conflict, they would be ‘the weakest link’.


Back to News

Share to