Cybersecurity: Space sector seeks security rules
This article was licensed through Dow Jones Direct. The article was originally published on The Wall Street Journal.
Germany's security guidance for satellites would be a good model for cyber standards for the space industry as it grows and introduces commercial software, according to European satellite experts and the German government.
The German agency that recently put out the guidance, the Federal Office for Information Security, is seeking to make it the basis for European or international cybersecurity standards related to the space industry. Space missions often involve vendors and expertise from various countries, making common standards crucial, according to space researchers and satellite companies.
"In Europe we need sort of a consensus for many countries," said Frank Schubert, head of cyber programs in Germany for Airbus SE's defense and space unit, which contributed to the guidelines. The document lays out minimum cyber measures to help satellite companies ensure their supply chains address specific vulnerabilities, and businesses would benefit from having common terms they can refer to with partners and suppliers in other countries, he said.
The German guidelines list measures to protect satellites during different phases, such as when they are being transported and tested, and when they are in orbit.
The vulnerability of satellites was illustrated by a cyberattack on satellite-communications company Viasat Inc. on Feb. 24, the day Russia invaded Ukraine. The attack brought down internet connections for thousands of Europeans and remote-monitoring systems for German wind farms.
The attackers targeted modems and other equipment in Ukraine that were serviced by a Viasat satellite, the company said at the time. In March, the U.S. Cybersecurity and Infrastructure Security Agency circulated a warning about threats to satellites. In May, the U.S., U.K. and European Union blamed Russia for the Viasat incident. Russia has consistently denied launching cyberattacks.
Elon Musk, founder of Space Exploration Technologies Corp., tweeted in May that SpaceX's Starlink satellites had so far resisted Russian hacking attempts, "but they're ramping up their efforts."
Government space agencies from countries including the U.S., Japan, China, Canada, Germany, and Italy discuss cybersecurity through the nonprofit Consultative Committee for Space Data Systems. Another member of the group is the European Space Agency, which falls outside the EU system and includes non-EU countries such as Switzerland and Norway.
The committee discussed how to protect satellites that might stay in orbit for 10 years or so, should post-quantum computers emerge that can break today's level of encryption, said Daniel Fischer, head of applications and robotics in the European Space Agency's data-systems unit.
The European agency is researching potential post-quantum encryption technologies, he said, and is monitoring an international competition held by the U.S. National Institute of Standards and Technology that is aimed at identifying secure cryptographic algorithms. "It's still a crystal ball, but we have intelligent guesses," he said.
Satellites provide internet connectivity, media broadcasts, scientific data and navigation services, among other things. The global space economy is valued at an estimated $469 billion, driven mostly by commercial-space services, products and infrastructure, according to a report published last month by the Space Foundation, a Colorado nonprofit.
"No one nation can do this on their own because everything is super interconnected when you go to space," said Erin Miller, executive director of the Space Information Sharing and Analysis Center, another nonprofit in Colorado. The group facilitates information exchange about cyber threats among its members, which include companies based around the world.
Cyber threats are evolving as the satellite industry becomes more commercial, with companies sending satellites into space for shorter periods and using components that are cheaper than they were in the past.
Issuing system upgrades and applying security patches to satellites already in orbit is a particular risk, said Stefan Langhammer, head of the information and cybersecurity unit at OHB SE's OHB Digital Connect GmbH, a German satellite maker, which contributed to the German guidelines.
Companies need guidance on patching, upgrading and changing features after a satellite is launched, Mr. Langhammer said. Issuing system and security upgrades comes with risks, especially for satellites that remain in orbit for several years. "We can't make mistakes. If the update doesn't work then we can't send anybody to the satellite and press the reset button," he said.
In the coming years, experts expect more commercial technology to become available, potentially using more off-the-shelf internet-connected components. That raises the risks of cyberattacks, because hackers could potentially launch ransomware attacks that could affect a large group of satellites that work together as a system, said Brandon Bailey, a senior cybersecurity project manager at the California-based nonprofit Aerospace Corp.