The Evolving Space Cybersecurity Landscape: Is the Space Industry Secure?

The space industry is undergoing rapid transformation, accelerated by reusable rocket technology and increasing payload capacity to orbit. As of August 21, 2024, there were over 10,336 active satellites in orbit interconnected to critical infrastructure, with tens of thousands more expected by the end of the decade. As these networks become software-defined and increasingly interconnected with critical infrastructure, all parts of the space ecosystem, including launch, space, ground, user, and link segments, are potential attack surfaces. Indeed, cyberattacks or electronic warfare targeting the space sector have become increasingly common in recent years and have come in various forms:

• State-Sponsored Cyberattacks: The space industry has seen a surge in cyberattacks, particularly from malware and jamming, to deliberate denial or service degradation exercises. One of the most notable attacks occurred in February 2022 at the start of the invasion of Ukraine, on the Viasat KA-SAT network. This coordinated attack infected Viasat modems with a malware update, cutting off thousands of Ukrainian customers. Additionally, state-sponsored hacking groups, such as the North Korean-linked group, Andariel, have broadened their targeting to include firms from the aerospace sector. Federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), have documented Andariel's targeted attacks on aerospace entities, showcasing the group's interest in satellite, satellite communications, and nano-satellite technology.
• State-Sponsored Jamming: The month following the cyberattack on Viasat, SpaceX Chief Executive Officer (CEO) Elon Musk indicated that Russian forces were jamming Starlink radio frequencies by transmitting signals that would mask end-user terminal transmissions. At the same time, Russians were also attempting to hack into Starlink’s satellite Internet equipment by planting malware on mobile devices to steal military communications from Starlink servers. While these attacks ultimately failed, in January 2024, Musk again reported hacking attempts on the SpaceX network, which proved successful, causing widespread outages to the Starlink network. Alongside disruption to SpaceX systems, Global Positioning Systems (GPS) satellites have also seen a surge in the scope and scale of interference attacks, with over 46,000 flights and 117 vessels impacted between 2023 and March 2024. Airspace continues to be impacted by jamming in the region.

The growing volume of successful cyberattacks against the space ecosystem is reflecting a growing confidence of threat actors against the sector. It also highlights that the current space sector is ill-equipped to face the challenges of increasingly advanced electronic warfare today, let alone adversarial Artificial Intelligence (AI) or quantum attack-capable computers on the horizon. As more applications and software become deployed on satellite networks, attack surfaces are increasing, therefore generating a need to secure more of the value chain. In this regard, the industry faces several challenges due to its existing operational practices and limited regulatory frameworks.

• Operational Cyber “Insecurity”: Due to the general inaccessibility of space, operational satellites will often retain the cybersecurity defenses they had at the time of launch. Even when remote updates are possible to help these systems stay on top of cybersecurity, there are limitations to how far the firmware and software can be upgraded with the equipment onboard the satellite. As a result, system updates and cyberattacks will most often occur through remote communications systems on Earth. The industry has attempted to help obscure vulnerabilities with a security-by-obscurity approach, to deter would-be attackers without the time and resources. Such an approach is incredibly flawed and as more sophisticated remote access systems come online, there will be consequences for satellites without the appropriate defense. Indeed, in 2023, the European Space Agency (ESA), together with Thales Alenia Space, was able to successfully upload software to an orbiting satellite that allowed the team to access the satellite’s orbital controls, misalign the satellite, and replace images taken by its camera.
• Zero Cyberattack Governance: Compared to physical (kinetic or chemical) attacks, cyberattacks are not governed by legal frameworks, especially in the context of space. While Article 45 of the International Telecommunications Union’s (ITU) Constitution does prohibit signal jamming and spoofing, the ITU has little enforcement mechanism and relies on good-faith cooperation by the parties involved. Furthermore, while Space Law is outlined in the Outer Space Treaty (OST), it was ratified in 1967 well before modern cybersecurity concerns and has served mainly as a basic framework that the United States and former USSR could minimally agree to. While new treaties and agreements have been developed since, there remains no clear applicable law or governance around international cyberattacks, especially those done in outer space.

The combination of outdated operational practices and a lack of cybersecurity governance and enforcement mechanisms manifests significant cyber insecurity in the space ecosystem. Without an evolution in the way the space industry and international agencies approach cybersecurity risks and incidents, there will be a heightened threat of cyberattacks that will grow in sophistication and scale. One of the worst-case scenarios would be hacking an active satellite to force a chain reaction of collisions in space from satellite space debris, also known as the “Kesler Syndrome,” which renders entire orbits in space unusable by humanity. While this is very much a worst-case scenario, the lack of appropriate tactics now may introduce fear and concern about investing in the ecosystem, stifling growth and innovation.

While there are challenges facing the industry, there are some blanket approaches that can help overcome these challenges. At the organizational level, companies in the space industry can help curb and reduce risk elevation by implementing basic security principles to help make their systems more secure. From an industry and even national perspective, there should be a concerted effort to test legal frameworks that may be potentially introduced to a range of near- and long-term scenarios to close gaps.

• Implement Zero-Trust and Security-by-Design Principles: Based on the principles of zero trust and security by design, it would be more effective where there is control of the entire process for developing and manufacturing components of the network. While companies may not be vertically integrated and can enforce assurance to a consistently high standard, ecosystem players can pursue measures to implement zero trust in space, from the space segment to the link segment. This includes introducing strict authentication measures for users and devices, encryption of data traveling between Earth and space, and employing continuous monitoring and analytics to detect anomalies. For organizations planning to launch new systems and implement zero trust, this may mean developing a zero-trust roadmap for space systems that breaks down the key activities and objectives toward implementing a zero-trust architecture in the space domain.
• Test Proposed Legal Frameworks: For organizations taking part in forming governance and enforcement mechanisms in the space industry, consider introducing protocols for testing legal and regulatory frameworks against a range of scenarios, including those with a low probability of occurrence, but that have a disproportionate impact on the space tech sector, to proactively close gaps. Work done by the Ethics + Emerging Sciences Group at California Polytechnic State University (Cal Poly) has produced a new taxonomy to help produce potential scenarios to consider, known as the ICARUS Matrix (Imagining Cyberattacks to Anticipate Risks Unique to Space), which could assist organizations in developing and deploying scenarios to test regulatory frameworks against.