Small satellite sector grapples with cybersecurity requirements, cost
For cybersecurity experts, it’s clearcut: smallsat operators should take the same precautions as large satellite operators, including encrypting uplinks and downlinks, safeguarding ground stations and monitoring network activity.
“We’ve learned that everybody is a target,” said David Fidler, an Indiana University law professor whose report, “Cybersecurity and the New Era of Space Activities,” was published in April by the Council on Foreign Relations. “It would be a gigantic mistake for small companies to think they don’t need to worry about cybersecurity because they are not well known and are flying below the radar. If you are engaged in commercial space operations, you better believe you are on the radar of foreign intelligence agencies.”
Todd Harrison, director of the Center for Strategic and International Security’s Aerospace Security Project, agreed.
“Every link to and from a satellite should be encrypted,” Harrison said by email. “There is really no excuse for passing data in the open anymore. Every satellite, no matter how small or whether or not it does anything national security-related, is a target for hackers and can be used to affect the safe operation of other satellites.”
In many cases, however, small satellite developers and operators are not focusing on cybersecurity. Many of the hallmarks of the rapidly growing sector — low-cost satellites, lean operations and continual hardware and software improvements — are the same characteristics that make cybersecurity challenging.
Nevertheless, there is a growing recognition within the industry that small satellites could become targets if hackers identify ways to profit from gaining access to their networks or ways to inflict harm by controlling or disabling them, which is prompting some companies that have not taken the threat very seriously to enhance security.
“There are some emerging systems, under 100 kilograms, that are quite capable,” said David Langan, a member of NOAA’s Advisory Committee on Commercial Remote Sensing. “In my opinion, these are potential targets like dams or power stations that an adversary may attempt to exploit or disrupt at a time of national crisis.”
Small satellite industry executives and engineers discussing the steps they need to take to safeguard their spacecraft agree there is no one-size-fits-all solution.
Small satellites range from simple cubesats built by university students to capture low-resolution imagery or atmospheric data for a few months before they re-enter Earth’s atmosphere to spacecraft weighing 100-kilograms or more and providing communications or high-resolution imagery to the U.S. military.
No one really expects the university teams to take extensive precautions. Even if a hacker took control of the cubesat, “what’s the worst that could happen” asked Michael Swartwout, a St. Louis University engineering professor whose students build them. “With no propulsion and no pointing control, it’s very likely you couldn’t do anything other than turn the camera off.”
It’s a different story for commercial satellites, particularly the ones with onboard propulsion. “If someone hacks in, they could take your satellite and ram it into something else,” said a satellite industry executive. “It’s in our best interest to make space safe and secure. But we can’t do exactly what DigitalGlobe or Intelsat does. If you have a satellite that costs $1 million you can’t spend $2 million to ensure its cybersecure.”
Langan, agreed with that assessment but added, “It’s not necessarily a $2,000 problem either. It will require thought and investment to make sure you get it right.”
In terms of cybersecurity, Langan sees the biggest threat occurring when networked systems are connected to a global internet. “Properly encrypted and authenticated communications are relatively secure,” he said.
Gregory Falco, a research fellow at the Harvard Kennedy School’s Belfer Center Cyber Security Project, underscores the threat posed by internet connections. Falco, who has focused extensively on the Internet of Things, equates cubesats to IoT devices.
“At the end of the day, they have the same characteristics,” said Falco, whose report, “Job One for Space Force: Space Asset Cybersecurity,” was published in July. “They are ubiquitous, they rely on open-source operating systems and anyone with money can throw one up there.”
The danger is that cyber criminals or nation states could use cubesats or small satellites as an entry point to complex communications networks or billion-dollar satellites. If that seems unlikely, imagine warning people five years ago that hackers would employ refrigerators, digital video recorders and other IoT devices to take down Twitter, Netflix and Spotify, as they did in 2016.
“History tells us it’s absolutely going to happen at some point,” Falco said.
To keep the threat at bay, companies employ a variety of approaches to cybersecurity. Not everyone adopts encryption.
“Demanding the uplink encryption misses the purpose,” said Tomas Svitek, president of Stellar Exploration, a small aerospace manufacturing company in San Luis Obispo, California. “Instead, we need to focus on authentication, thus assuring that only authorized commands are executed. That can be implemented by various well-established computer network techniques.”
As examples, Svitek cited popular approaches to verifying data integrity, including Secure Shell tunneling, Transport Layer Security, passwords and tokens. “Encrypting RF links is an excessive and unnecessary burden, and a major potential mission-reliability risk for many low-cost spacecraft missions,” Svitek said.
Another way to address the problem is to rely on a ground network with robust security built-in, said Katherine Monson, U.S. business development director for KSAT, a Norwegian company.
“All our security requirements for our government customers trickle down to our small satellite customers,” Monson said. “Because we work with many different missions, we can help newer companies get up to speed with respect to data security.”