While interstellar travel and asteroid mining is a while off, the current and emerging uses of space for global positioning systems (GPS) and satellite communications are integral to our daily lives. Although we are only beginning to uncover the opportunities, the interplay between space assets in orbit and on the ground will support future space enterprise, such as research, transportation, manufacturing, and resource extraction. However, these opportunities do not come without significant risks.
Space technology is vital critical infrastructure
Historically, access to space resources has been the reserve of governments and major telecommunications providers, however the increasing affordability and optionality offered by micro or 'cube' satellites (cubesats) which operate in low-earth orbit (LEO) has opened space up to a range of different actors and interests. Cubesats orbit closer to Earth than larger conventional satellites, allowing them to move and transmit information more quickly, simultaneously generating increased opportunity and risk. Security must therefore remain a central consideration for what is an increasingly fragile space ecosystem.
Owing to the lack of an enforceable international regulatory architecture for space traffic and operations, as well as the inherent risks of operating in orbit, no single organisation can fully protect against security risks in space. On Earth, ground stations help receive data, and monitor and direct satellite trajectories. The risks of a congested and volatile space environment, however, necessitates a robust security foundation for all space assets.
Key risks to space assets
Threats to space assets principally include natural, human-generated, and technical risks. The inherent precarity of Earth's orbit and delicate interaction between space assets means that risks affecting one asset can quickly create cascading harm.
Natural risks encompass the range of environmental hazards to which space assets are exposed. In orbit, this includes meteor showers, solar flares, and magnetic storms, whereas on the ground this includes environmental factors relevant to asset location, such as tsunamis, hurricanes, or earthquakes. While many natural risks are difficult to avoid, space assets, such as satellites, can be protected against meteor showers and debris by continuous monitoring and location tracking, and possessing emergency fuel reserves.
Human-generated risks include those which occur either intentionally or unintentionally in handling space assets. As a strategically contested zone, intentional risks include those from cyber, kinetic, or electromagnetic weaponry. However, the incompetent or improper governance of space assets can also threaten space security.
Technical risks are those that involve failures or vulnerabilities present within software or hardware.
These risks should not be considered in isolation but as part of an interconnected whole. More so than perhaps other critical infrastructure, the fragility of the space ecosystem demands a sustained and careful consideration of relevant risks to space assets themselves, as well as their second- and third-order effects. The hypothesised 'Kessler Syndrome', for example, envisions a scenario where the accumulation of space debris in LEO significantly reduces the feasibility of space operations altogether.
Identifying and mitigating space cyber risks
Cyber risk mitigation strategies need to consider the risks in context and across all stages of space asset operation. Intentional human-generated and technical risks, such as cyber attacks can be protected against through appropriate encryption, intrusion detection and prevention, and identity management.
Ground stations
If they are improperly secured, ground stations can be the weakest link in a space security network. Threat actors can exploit system configurations, software flaws, or gain physical access to the information and operational technology that support the proper functioning of in-orbit assets. Such access could prove catastrophic in certain cases. A strong cyber security regime consisting of encryption, data management, micro-segmentation, and real-time continuous monitoring, as well as rigorous personnel screening and security, including identity and access management should therefore be maintained.
Supply chain vulnerabilities
Supply chains and vendor dependencies are central inputs to space asset security and they need to be monitored and protected accordingly. This includes both hardware and software. The increasing customisability and modularity of many cubesats means that security mechanisms may vary depending on the purpose of the asset. Many space assets also leverage cloud infrastructures for storage and processing. Failing to secure these inputs into space assets can jeopardise both in-orbit and on-ground operations. Therefore, supply chain awareness, effective internal governance, and cooperation can greatly enhance security.
Space segment assets
Space segment assets include satellites, space stations, and launch vehicles. Satellites consist of a payload and systems that receive and process telemetry, transmit commands, and control the satellite's orbital orientation. These systems can be exploited if left unsecured, or through vulnerabilities upstream in the asset's supply chain. The consequences of an in-orbit compromise can threaten the security of assets in proximity, and create cascading consequences in-orbit and for Earth.
Communications systems
GPS jamming and spoofing are the primary threats to the communication channels that support space asset operations. Jammers emit signals on the same electromagnetic frequency as GPS devices. Spoofing involves altering GPS signals, which can be more dangerous than jamming. Threat actors can manipulate uplink signals to satellites with low-cost spoofers, supplying incorrect data into a target's communication systems and causing receivers to calculate an incorrect position. More sophisticated electronic warfare capabilities can deny GPS access at scale and for extended periods of time. More conventionally, threat actors can intercept unencrypted satellite traffic and compromise the confidentiality of data in-transit.
Safeguarding space security
States with launch capabilities maintain various requirements for objects going into orbit, ranging from the highly secure to the insecure. If and until greater cooperation is reached, there are certain measures that spacefaring entities should individually abide to foster a greater security culture for space.
While many natural risks are difficult to avoid, space assets, such as satellites, can be protected against meteor showers and debris through continuous monitoring and location tracking, and emergency fuel reserves. Intentional human-generated and technical risks, such as cyber attacks, can be protected against through appropriate encryption, intrusion detection and prevention, and identity management. A broader regime of supply chain awareness, appropriate internal governance, and cooperation can improve vigilance to relevant threats and decrease the likelihood of unintentional risks being realised. Importantly, it can underscore trust among relevant partners and the public.
MinterEllison is a leader in cyber security, offering integrated legal, cyber risk, and technology consulting. This combined capability enables us to advise and navigate clients through the challenging and complex environment of supply chain cyber risks. Should you or your organisation require assistance in managing your supply chain cyber risks, please do not hesitate to reach out to the MinterEllison National Cyber Security Consulting Practice.