Interesting news in the past month is the increasing awareness that there's a cybersecurity threat vector that hangs over everyone's heads... literally - in orbit around the Earth. While previously technology launched into orbit was from an era that predated most cyber threats - we are now entering a new "Space Race" where this is no longer the case. With so much increased energy by governments & private industry in space projects, the threat of cybercriminals is larger than ever, and companies around the globe are racing to make sure they are protected.
"How does this threat affect me?" Is probably the first question people ask. Many companies aren't involved in the industry of this new race into the atmosphere, so are they a target? The answer is complex. With technology critical to the running of countries these days, satellites operate as key components of infrastructure - where having a satellite crash or otherwise become inoperable would be damaging to networks across any developed nation. There are several scenarios that could play out:
This sounds like something out of a science fiction story, but it isn't. In 1998 hackers took over the U.S.-German ROSAT X-Ray satellite and directed it's solar panels at the sun - frying it and rendering it useless. It later crashed in 2011, but the damage was done. Additionally, in 1999 a satellite in the U.K. was held for ransom by hackers. More recently, in 2008 & 2018 hackers that likely originated from China attempted and managed to take control of satellites, and there have been attempts from many state-based hackers around the globe that attempt this as well. The reality of cybersecurity attacks on satellites is not a new thing... but what is, is the change from "mostly governments with firm cybersecurity practices" to the growing demographics of private companies and developing nations entering the race as well.
This new space race has the additional problem of being one where every dollar matters. As companies race to complete contracts they will be put in situations where they could lose out on a bid by small amounts of money - and the desire to cut costs is increasingly high. And even if companies do not "cheap out" by not ensuring best cybersecurity practices, many outsource or have long supply chains where there are a multitude of attack vectors where technology can be compromised.
We have witnessed this firsthand in the new rise of supply-chain attacks' and RMM Technology attacks - the vectors for attack are growing larger, meaning a greater risk. These kinds of attacks are going to become more prevalent, and with any success cybercriminals will become bolder and attempt larger and more intricate attack methods. Cybersecurity professionals around the world will be hard-pressed to make sure that the "infrastructure of space" will be as hard-protected as it can be in the face of this new time.
On a more positive side, companies are aware of these difficulties and problems. Many organizations are taking steps to consider the problem and take steps to prevent them. Other considerations are that many governments and companies are considering frameworks based on "zero trust architecture" or the idea that actions within and without are equally susceptible to attack - and must be verified before actions can be taken. This is an entirely different model from implicit trust environments where assumptions are made about technologies or communications being safe or unsafe - all would be treated equally.
This policy is hopefully going to become the standard for objects being launched into space. Hermetically sealed, supply chains verified, and the components guaranteed so that there are no backdoors or easily exploitable zero day threats could all be critical in preventing satellites from being hacked or ransomed. And that's a good thing. As these technologies develop and improve, it is important to learn a very simple lesson from the innovations occurring in the current space race - that Cybersecurity is about creating a process that removes implicit trust - because all trust is verified. That should be the model of the future.