Space: learning to reconcile reliability and security

A deep and unrecognised dependence on satellites

In 2021, Peeters et al. published an article entitled “A World without Satellite Data as a Result of a Global Cyber-Attack“, in which they discuss the disaster scenario of a total or partial interruption of communication with civilian satellites. The consequences after a few days are absolutely dramatic.

In cyber terms, to recognise a dependency is to recognise a vulnerability, and therefore the risk of malicious actors exploiting it for financial, political, or terrorist purposes. Let’s detail what the risks are.

Today, cyber risks and attacks are both real

Orbital systems appear to be falsely protected thanks to their distance from the Earth. But actually, in terms of IT security, this real physical distance is only relative, as satellites can also be seen as ‘simple’ connected objects. The numerous attacks on IoT networks since the 2000s have demonstrated how easily hackers can penetrate a distributed network of connected objects.

Similarly, operating a fleet of satellites requires a complex and distributed architecture, with on-board and ground systems linked together by different communication channels—whether wire, optical, or radio frequency.

A public database [3] lists more than 70 attacks on infrastructure related to satellite design or operations, including national space agencies such as NASA and CNES. It is easy to imagine that this figure is only the tip of the iceberg and that the reality goes far beyond.

With the risk being so real, why does the space industry seem so little interested in cyber issues?

Cybersecurity: very recent challenges on the time scale of satellite development

Historically, the space industry has always optimised the lifetime of satellites. For instance, operators of geostationary communications satellites calculate the investment for a new satellite based on a certain lifetime. It is not uncommon for some satellites to exceed this lifetime by several years, allowing the operator and shareholders to make substantial margins once the cost of the satellite has been amortised. It is therefore easy to understand the pressure put on engineers to maximise the lifetime. The same logic applies to institutional missions financed by taxpayers’ money: they want to make the most of a satellite capable of collecting scientific data for as long as possible, even if it means repairing it once it is in orbit, as was the case with Hubble.

As a result, despite a deceptively ‘high-tech’ image, traditional space industry remains very conservative. Technological choices are primarily aimed at minimising the risk of failure in orbit, thus favouring in-flight ‘legacy’ over performance and innovation.

Surprising as it may seem, cyber is therefore a ‘new’ subject in the time scale of space missions. Imagine that the design of the James Webb Space Telescope—which was launched with great fanfare a few weeks ago—began in the 1990s…more than 30 years ago! [4]

So how can you hope protecting assets against today’s cyber threats with technologies from 15 years ago or more?

A challenge for all stakeholders and countries

Space may seem vast, but low Earth orbit is becoming seriously saturated with space objects of all kinds—most of which are inactive and pose a collision threat to others. In May 2021 NASA counted 27,000 objects larger than 10 cm orbiting the Earth [5]!

The cyber vulnerabilities of orbital systems and the lack of regulations can only amplify the debris problem in the long run. Imagine an attack that cripples a satellite or, worse, an entire constellation, thus forcing other satellites to burn fuel for evasive manoeuvres, at best, and at worst to collide with other inert debris, causing a vicious circle known as the “Kessler syndrome.”

No standards, no norms, no police forces

Similarly to international waters located in the middle of the oceans, space law is governed by international treaties with very little binding force, where everyone can still do what they want without being accountable to anyone.

Today, almost anyone can launch a satellite—even one with propulsion capabilities that make it even more attractive to malicious actors—without having to meet any norms or standards related to computer security.

The Americans, pioneers in the recognition of the problem, are starting to think about it [6] but it would obviously be desirable for these rules to be applicable to all countries in order to be effective, which could take years or even decades given the geopolitical sensitivity of the subject.

The NewSpace wave further accelerates the urgency to find solutions

The space industry has undergone profound changes in recent years with the arrival of the ‘NewSpace’ wave, which represents this new way of looking at space as a business opportunity through the collection and transmission of data. Technological advances—such as reusable launchers, the miniaturisation of satellites, and new approaches to risk management—have made it possible to close business cases that remained in the realm of science fiction just 10 years ago.

This NewSpace wave, which plans to launch tens of thousands of mini-satellites in the next few years, is accompanied by a sharp increase in the global attack surface: many more satellites means much more data, and therefore much more value, and thus a much more attractive sector for cyber criminals, making the probability of success of major attacks soar.

Space: learning to reconcile reliability and security

Engineers who design satellites are experts in managing risks, but much more risks related to the reliability of systems than cyber risks.

This may seem paradoxical, but given the agility required to defend against highly mobile attackers, space actors must learn to define a new type of compromise in the trade-off between the risks linked to the system’s reliability and those linked to its security.

In practice, this means agreeing to implement cyber solutions that do not have the same flight heritage as other more traditional subsystems, but that mitigate a new category of equally critical risks and thus contribute to the statistical success of the mission.