Analysis & Opinions - San Francisco Chronicle
Invaders from space — hacks against satellites threaten our critical infrastructure
You may not realize it, but you probably interact with some space object every day. Maybe it’s your car, your television or even your internet — each relies on some space-orbiting satellite to function. Satellites are accessed by millions of devices a day and are robust providers of service. But trusting these satellites as much as we do is risky as they are all extremely vulnerable to cyberattacks.
While you may not think this is an issue of concern because satellites are pretty far away and might be difficult to access, there is not quite the barrier you might expect. Many of these space assets were built with absolutely no security features because the designers thought no one would have the capacity to hack into something floating in space. Yet, in June, GPS devices were spoofed in U.S. ships in the Black Sea to make them think they were in an entirely different location. Imagine if this spoofing were done for your semiautonomous vehicle, something not so far-fetched because anyone can build a communication mechanism to engage with satellites for about $1,000 in parts. Once you get access to the satellite communication, the sky, or should I say the stars, is the limit.
President Trump’s call for, and Vice President Mike Pence’s outline of, a “Space Force” is especially troubling because of this lack of cybersecurity. Before launching new military infrastructure into space, the first task for the “Space Force” must be to secure existing military, intelligence and civilian satellites. All are prime targets for cyberattackers because of their low levels of security and considerable importance.
Much of our critical infrastructure relies on satellites for such services as receiving precise time and location. This includes systems such as our “smart” electric grid, water networks and transportation systems. While many of these systems must meet some kind of cybersecurity standards and guidelines, the satellites that facilitate their operations are not technically considered critical infrastructure and therefore have no cybersecurity requirements.
Many of these satellites were sent into orbit before most people thought about cybersecurity. And the reality is that it’s not so easy or so cheap to send these satellites security updates. Securing satellites is not much different from securing industrial systems that control electric infrastructure and other critical infrastructure. These industrial control systems were deployed decades ago, and they operate 24/7, 365 days a year. Taking down a system to run security updates would be cost-prohibitive and in many cases infeasible, as it would cause huge service disruptions. Further, these devices rarely have the computing memory or processing power to even host typical antivirus software programs.
Space-system cybersecurity is getting even more precarious with the frequent launching of cubesats or minisatellites. Cubesats are to space what drones are to aviation — small devices, which can be sent aloft at relatively affordable costs, that are both a boon to cool space projects and a challenge to securing space assets. Cubesats have all the characteristics — including the security challenges — of “internet of things” devices: These open-source systems are riddled with vulnerabilities for hackers to exploit. Some of these cubesats even have propulsion capabilities. If a hacker took over one of them, then he or she could potentially change its orbit to collide with a military defense or critical infrastructure-enabling satellite, causing major damage.
While there are concerted efforts to address some of these satellite cybersecurity issues, the pace at which the industry is working to fix anything is disconcerting. In a recent paper, I outline some steps we should take to rapidly improve satellite cybersecurity, such as establishing a space system security information analysis center to share information on threats and vulnerabilities.
As we continue to capitalize on exciting technological advancements, we need to understand more about the legacy infrastructure on which these new technologies rely. Soon we will be hearing about hacks against our satellites as often as we hear about major data breaches. Unfortunately, the repercussions of a satellite hack may be much more dire. And it sounds much worse that you are being attacked by an invader from space.
Report - Cyber Security Project, Belfer Center
Analysis & Opinions - The Washington Post
In the Spotlight
Discussion Paper - Belfer Center for Science and International Affairs, Harvard Kennedy School
Magazine Article - The Atlantic
Analysis & Opinions - National Post