WASHINGTON — The commercial space industry is facing an onslaught of cyber attacks and other threats, but lacks the resources and coordination to adequately defend itself, the head of the Space Information Sharing and Analysis Center (ISAC) warned June 18.
“Every week we’re recording over 100 attacks against critical infrastructure related to space systems,” Erin Miller, executive director of Space ISAC, said on a webcast hosted by the National Security Space Association.
Most space companies would have a difficult time defending against well-orchestrated cyber attacks by a nation state, she said.
The Space ISAC is a non-profit organization that analyzes and shares information on cyber threats and vulnerabilities related to space systems.
Space, terrestrial networks connected
Miller said space systems now face an expanding array of threats including jamming, suspicious satellite maneuvers and state-sponsored hacking campaigns. Space systems are closely connected with critical infrastructure in terrestrial networks, so the threats are serious, she said.
“When we look at what space systems are used for, it’s national security, the energy sector. our food supply chain, our aviation and our automotive industries. It’s everything that we rely on,” Miller said.
Companies pay anywhere from $2,500 to $50,000 a year to be members of the Space ISAC. The organization operates a “watch center” in Colorado Springs that monitors, analyzes data and alerts members about cyber threats, supply chain intrusions, space weather events and other risks based on intelligence provided by industry and government sources.
To better defend themselves, the ISAC urges companies to share information across the industry.
Russian cyber hacking has not stopped
The 2022 cyber attack on Viasat’s ground modems at the outset of Russia’s invasion of Ukraine was a high-profile example of the risks facing the industry. Miller said this type of malicious activity has not stopped, even if it hasn’t garnered major headlines.
“In order to defend our critical infrastructure against these activities and attacks, we have to work together,” Miller said.
Publicly available sources of information are not enough, she added. “The timely actionable information comes from when companies come together in a community and they’re viewing it as an attack against one is an attack against all, and that’s the only way to outmaneuver the adversary, in my opinion.”
Miller said she is seeing growing interest from the U.S. government in collaborating with industry on cyber defense for space systems. “I won’t name all the agencies but over the last seven working days, there hasn’t been a day that I haven’t had a meeting with a U.S. government agency trying to figure out how to work more closely with the space industry and the global space community,” she said.
“This is a high priority right now,” Miller added. “And it doesn’t have to be done in a classified environment only. It can be done unclassified.”
The cyber threats that we’re seeing today are likely to evolve, she said. “Living-off-the-land attacks could evolve to living off the constellation,” she said, referring to a type of cyber attack where intruders leverage legitimate software and tools already present on the targeted system to carry out malicious activities, rather than introducing external malware, which makes these attacks hard to detect by traditional security solutions.
Lack of lead agency complicates response
Miller said one of the challenges is the lack of a lead federal agency responsible for coordinating incident response to cyber attacks targeting space assets. With authorities fragmented across multiple agencies, getting government assistance can be complicated.
“It’s always interesting to see how companies decide how they’re going to engage with the government, or who they want to call,” Miller said. “And I think that’s a symptom of a broader problem.”
The Space ISAC has identified about 50 different government agencies that have space operations as part of their mission portfolios. But with responsibilities splintered, “when everyone is responsible, no one is responsible,” Miller noted.
During cyber wargaming exercises, companies can’t even agree on which agency they would contact first in a crisis, she noted. “There should be a responsible party or responsible agency looking at sector risk management,” Miller said. The Space ISAC is coordinating some activities, “however, we’re not the U.S. government.”
The stakes are becoming even higher as consumer technologies like iPhones gain satellite connectivity, Miller said. “It’s easier to see how much our lives actually depend on the security of space systems.”