CyberSight 360: Is space the forgotten sector in critical infrastructure cyber security?

Outer space has become a critical domain for daily life. From essential services and national security applications to the growing role of commercial ventures in space activities, our dependence on space assets, and in particular satellites, cannot be understated.

As cyber operations are enabled by space and space operations are enabled by technology and cyber operations, space security and cyber security are closely interlinked.

While there are no mandatory international cyber security requirements currently in place for space systems, it is critical that space actors put in place adequate cyber security measures.

However, most governments have yet to implement adequate cyber security measures in relation to space assets.

In Australia, space technology was added as one of 11 critical infrastructure sectors covered under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) following reforms in 2021-22. The SOCI Act defines the "space technology sector" as the sector of the Australian economy that involves the commercial provision of space‑related services including:

• position, navigation and timing services in relation to space objects
• space situational awareness services
• space weather monitoring and forecasting
• communications, tracking, telemetry and control in relation to space objects
• remote sensing earth observations from space, and
• facilitating access to space.

However, the SOCI Act does not clarify how cyber security reforms implemented in recent years will apply to the space technology sector. For example, the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Application Rules) which commenced on 8 April 2022 have not “switched on” Part 2 of the SOCI Act (Information Provision Positive Security Obligation (PSO)) for the space technology sector. Similarly, with no asset currently prescribed as an asset within the "space technology sector", neither Part 2B of the SOCI Act (Mandatory Cyber Incident Notification PSO) nor the Risk Management Program PSO have been “switched on” for any particular space assets, other than where they may also fall within other deemed critical infrastructure sectors, such as the communications sector.

Even in the US — one of the key space superpowers, which in 2020 issued a comprehensive cyber security policy for space systems (the Space Policy Directive-5 Cybersecurity Principles for Space Systems) — the development and implementation of cyber security standards and measures to protect commercial space systems remains a work in progress. Further, the space sector has not been designated as a critical infrastructure sector, and the debate continues as to whether space should be added as the 17th “critical infrastructure” sector in the US.

This suggests that space continues to be a forgotten (or at the very least, overlooked) sector in critical infrastructure cyber security, which in our view needs to be rectified. As a nation and as a global community, we cannot afford to allow space security to be compromised by cyber security vulnerabilities or malicious cyber threat actors. Cyber security considerations for the space sector should be prioritised for the following reasons.

Space systems are essential in daily life

While the reliance of the military on satellites for surveillance and communication is well known, the extent to which space systems are integrated in our daily lives is often underestimated. From powering electrical grids to enabling ride-sharing services, weather monitoring, air traffic control, internet connectivity, cashless payments and stock exchanges, satellite and other space system technology forms the backbone of numerous critical services.¹

Key to that infrastructure are the Global Navigation Satellite Systems (GNSS), a constellation of satellites from several countries, including the Global Positioning System (GPS) owned by the United States government. In addition to positioning, GPS allows service providers to measure time with near-perfect precision globally. For example, banks rely on synchronised timing and time stamps to monitor transactions, deal with fraud and ensure payments. When swiping a card at a café, the seamless functioning of this everyday activity requires determining the exact time the transaction occurs in order to prevent the bank account from being overdrawn.²

Space systems encompass technologies and infrastructure supporting various applications that have become integral to military, governmental, economic and civilian domains. While these bring a wealth of opportunities, they also present significant challenges, particularly in relation to cyber security. Space systems are a central point of failure for the functioning of critical infrastructure and systems of national significance.³ While GPS is operated and maintained by the United States Space Force⁴ and therefore has many layers of security, other space systems such as those owned by commercial operators are unlikely to have as stringent protections, if any. While commercial space systems will vary in significance and also, therefore, their associated cyber security protections, it is not always clear what is in place, nor what is appropriate (let alone what is or should be best practice). With our heavy dependence on space-based services, any interruption or shutdown could range from being an inconvenience to being disastrous, from both a civilian and humanitarian perspective, in addition to presenting military concerns.

Space systems are part of an interconnected threat environment

Cyber attacks on space systems

There are four broad segments of space systems that can be the target of cyber threats:

(1) the space segment (including satellites and their payloads) (2) the link segment, being the communications network that connects the other segments (3) the control segment, including launch facilities, ground and control stations, and (4) the user segment, which deals with the application of satellite systems and includes user-facing interfaces and infrastructure for space-based services, such as handheld GPS devices.⁵

The space segment, such as satellites and their payloads, increasingly participates in cyberspace (which can be understood to be the virtual platform and links between computers for communication) in providing internet and other connectivity and are therefore prime targets for cyber threats. Ground-based control segments of space systems are seen as more likely targets, including computer systems on ground infrastructure. This extends risks not only to those actors with assets in space, but also those that are linked to space, for example, through cloud computing, which sends data via satellite.

However, all space system segments can be targeted, which amplifies risks to supply chains and data security.⁶ This is particularly concerning given that relatively inexpensive commercial off-the-shelf technology (which may be unpatched or outdated)⁷ and open-source software is now more commonly used among satellites and ground control systems,⁸ which significantly increases the potential for vulnerabilities to be exploited on a larger scale. The convergence of space systems and cyberspace therefore necessitates an evolution of traditional security measures to address emerging risks.

The collection, transmission and control of data, along with the data itself, are prime targets for cyber attacks, including by interception or illegal transfer. Attacks may aim to deny, disrupt, distort or destroy the functions of space assets, networks and services. Understanding these vulnerabilities is crucial for developing effective cyber security measures.⁹

Escalation risks and uncertainties

Cyber attacks on satellite systems can have cascading consequences, leading to potentially large-scale disruption and catastrophic damage, particularly in times of conflict. While these attacks may seem less escalatory than conventional weapons, they are often difficult to detect, attribute and distinguish from unintentional or natural sources of satellite interference in the space environment, which can pose a real risk in escalating military tension, among other things.

The uncertain dynamics of conflict and escalation in space further complicate the assessment of cyber threats. What one actor perceives as conflict escalation might not be the same in all cases. For example, some governments may view certain cyber attacks on satellites as a trigger for armed conflict, while others may view those as being below that threshold. There is therefore a real danger that efforts to deter or test an adversary by conducting a cyber attack in space could inadvertently lead to military escalation on Earth.¹⁰

Cyber attacks could be used to harm military and commercial satellites, including by disabling or hijacking the satellite for use as a projectile weapon against other satellites.¹¹ Such an attack could increase orbital debris hazards in the space environment, which may add to already escalating tensions.

Expanding role of commercial industry

The increasing role of commercial industry in space activities introduces new stakeholders to the design, manufacture, operation and ownership of space system assets and spans a variety of companies and nation states. This amplifies access and other points of vulnerability across software and hardware, including components, services and providers across space system supply chains. Those chains may be involved in the supply, assembly, integration and other access points, further magnified when considering data and other service providers that are linked to space systems.¹²

The more stakeholders involved, the more opportunities for malicious actors to infiltrate space systems through exploits such as malware¹³ or data theft, increasing the risks to system and end users. The interconnected nature of space, cyber, and data systems emphasises the need for appropriate cyber security measures that are likely to require more comprehensive consideration in many cases.

Responsible space actors

It is projected that from 2020 to 2030 the satellite and space sector will yield US$1.2 trillion in retail revenues, see over 24,850 satellites launched into space and generate more than 504,000 petabytes in data volume.¹⁴ Although there is no overarching clear and consistent international regime dedicated to managing cyber risks associated with space activities, there is a need for nations and commercial operators to act responsibly and be proactive in their cyber security measures in light of our increasing dependency on space systems.

Proactive cyber security initiatives

A comprehensive approach to cyber security is required across the space system segments. Recognising and addressing vulnerabilities will be key to ensuring the safety and resilience of space systems, minimising the potential harm of this threat to human infrastructure and daily life.

While the SOCI Act recognises space technology as a critical infrastructure sector, the legislation does not yet specify what is captured as a “critical infrastructure asset” within the space technology sector. This regime and its cyber security components have not yet been enacted in respect of space systems (other than, as noted above, some assets that may be captured under current definitions such as telecommunications assets). Safeguarding space assets as part of critical infrastructure needs to be a priority for government and should not be further delayed.

Proactive cyber security management and learning from best practices

Given the interconnectedness of these systems, the private sector has a crucial role to play in adopting and contributing to collaborative efforts for the cyber defence of space technology. Space actors should take into account known risks, vulnerabilities and dependencies, and proactively manage them through cyber security initiatives. This involves integrating cyber security considerations from the inception of satellite and space project development. Rather than an afterthought, cyber security should be a foundational element in the design and deployment of space systems, irrespective of the operator.

The private sector can leverage existing guides and protocols. For example, on 22 December 2023 NASA released its inaugural Space Security Best Practices Guide¹⁵ to bolster mission cyber security efforts for both public sector and private sector space activities. The guide was designed to benefit international partners, industry, and others working in the expanding fields of space exploration and development and to provide security guidance for missions, programs, or projects of any size.¹⁶

Space actors can and should consider existing guides and protocols to assist in proactively mitigating cyber security risks to foster responsible behaviour and continuously ensure the peaceful and secure use of outer space. In light of our dependence on space system assets from both a national security and humanitarian perspective, it is crucial to prioritise cyber security to defend this vital sector and its assets. This will require foresight, collaboration, and a commitment to developing best practice norms.

A potential way forward

Given that regulation can take years to formulate, more momentum in the private commercial sector could be the answer to prioritising the cyber security of the space industry.

Regulatory frameworks are rarely able to keep pace with technological innovations, and take time to progress due to the multifaceted needs of multiple stakeholders. Considering the importance and interconnectedness of space and cyber systems, more urgent action is needed.

This presents an opportunity for industry to lead the way, drawing on their best-placed insights into possible threats and the appropriate solutions. At an organisational level, this could involve:

• developing proactive cyber security initiatives
• contributing to the development of guidelines and best practices for products or services
• implementing and updating initiatives with evolving best practices
• embedding responsible behaviours, such as considering the cyber security measures of supply chain participants and uplifting requirements where necessary.

In doing so, organisations will demonstrate and further embed a culture of responsible space behaviour that is a cornerstone of, and generally aligned with and integral to, the values of the space industry.

While these initiatives will involve varying levels of cost and effort, and any initiatives are certainly not a "one size fits all", we nevertheless consider this would be a worthwhile and crucial endeavour.

By developing responsible cyber-aware industry norms that guide the operation of the space industry, space industry participants will:

• benefit from greater security
• encourage best practice amongst new entrants
• build the trust of customers, domestic and international partners, supply chain participants and the general public, and
• continue to develop and demonstrate the industry's commitment to the security, safety and sustainability of our critical infrastructure and use of outer space.

Access CyberSight 360 - A legal perspective on cyber security and cyber insurance for more on the key events, legislative and regulatory changes, trends and lessons from the year in cyber, and what we can expect in the year ahead.

¹ https://cybernews.com/editorial/heres-how-a-hacked-satellite-can-impact-your-life/

² https://qz.com/1106064/the-entire-global-financial-system-depends-on-gps-and-its-shockingly-vulnerable-to-attack

³ Risk Management in Outer Space Activities: An Australian and New Zealand Perspective - Chapter 6, "Managing the Cyber-Related Risks to Space Activities", Sarah E. O'Connor, page 151

⁴ https://www.gps.gov/systems/gps/

⁵ https://www.airforce.gov.au/sites/default/files/2022-09/213304_space_power_emanual_v1.0a%5B1%5D.pdf

⁶ https://www.cigionline.org/articles/where-outer-space-meets-cyberspace-a-human-centric-look-at-space-security/>

⁷ Cyber security in New Space: Analysis of threats, key enabling technologies and challenges, International Journal of Information Security, M. Manulis, C. P. Bridges, R. Harrison, V. Sekar & A. Davis

⁸ Risk Management in Outer Space Activities: An Australian and New Zealand Perspective - Chapter 6 "Managing the Cyber-Related Risks to Space Activities", Sarah E. O'Connor, page 154

⁹ Ibid, page 156

¹⁰ https://www.cigionline.org/articles/where-outer-space-meets-cyberspace-a-human-centric-look-at-space-security/

¹¹ Ibid

¹² Ibid

¹³ Risk Management in Outer Space Activities: An Australian and New Zealand Perspective - Chapter 6 'Managing the Cyber-Related Risks to Space Activities', Sarah E. O'Connor, page 155

¹⁴ Northern Sky Research. 2022. Space Cybersecurity: Current State and Future Needs. White Paper. April. www.nsr.com/wp-content/uploads/2022/04/NSR-Space-Cybersecurity-White-Paper-FINAL.pdf

¹⁵ https://swehb.nasa.gov/display/SWEHBVD/7.22+-+Space+Security%3A+Best+Practices+Guide

¹⁶ https://www.nasa.gov/general/nasa-issues-new-space-security-best-practices-guide/