Last February, Russian hackers launched destructive malware against American satellite provider Viasat an hour before the country’s troops invaded Ukraine. The hack was the most substantial of the war, as the Ukrainian military (like the U.S. military) relies on Viasat for command and control. SpaceX’s Starlink satellite, requested by the Ukrainian government to alleviate internet connectivity disruptions, also faced interference from signal jamming, further limiting bandwidth.
While attacks on satellites might sound like the result of expensive and sophisticated military operations, a cybersecurity researcher was able to build a tool to hack into Starlink for just $25, as demonstrated at Black Hat last year. The ability to cost-effectively sabotage networks stands to become a new weapon in the cyberwar arsenal.
Because satellites underpin both military operations and everyday services, they are prime targets for foreign adversaries and other bad actors. China has been “aggressively pursuing” weapons to seize control of U.S. satellites – a capability that would exceed what Russia has deployed in Ukraine. And yet, satellites are not currently classified as critical infrastructure and are generally behind the curve when it comes to cybersecurity.
The state of satellite security
Without satellites, communications, transportation, weather forecasts, and more would break down. In addition to creating massive disruption, a hack could also result in the loss of sensitive data. But when it comes to cybersecurity, satellites are the “forgotten domain.” In fact, a recent analysis by German researchers found that satellites often lack basic cybersecurity hygiene such as access control and encryption. Hopefully, that’s about to change.
In May, lawmakers reintroduced a bill that aims to protect satellite operators from cyber-attacks. While the legislation was passed in the Senate last year, it was struck down in the House. The new bill, called the Satellite Cybersecurity Act, acknowledges the vulnerabilities lurking in space, particularly given the link between satellites and systems, such as pipelines and utilities, that are typically considered critical infrastructure.
While the Cybersecurity and Infrastructure Security Agency (CISA) outlines 16 sectors that currently qualify as critical infrastructure, President Biden’s recently released National Cybersecurity Strategy calls for additional sectors to be added to the list. But as things currently stand, satellite operators do not make the cut. However, if the Satellite Cybersecurity Act passes, CISA will be required to help protect commercial satellite operators as well – an important first step in taking satellite cybersecurity more seriously.
Treating satellites as critical infrastructure
The proposed legislation outlines several steps to improve satellite cybersecurity. To start, CISA would be required to consolidate cybersecurity recommendations for satellite operators. Additionally, the Government Accountability Office (GAO) would be asked to perform a study on the relationship between satellite vulnerabilities and critical infrastructure. Finally, the National Cyber Director and the National Space Council would be tasked with developing a strategy to increase coordination across the federal government related to satellite security.
These high-level guidelines represent a step in the right direction, and the bill, if passed, could kickstart a move toward seeing satellites as not just directly linked to critical infrastructure, but as critical infrastructure themselves. That paradigm shift is important, as the cybersecurity requirements for critical infrastructure are far more rigorous. For example, requiring zero trust principles, in which no data or connections are inherently trusted, to be built into the data flow of satellites would be a major first step toward improved cybersecurity. Zero trust ensures that only the right individuals can access satellite data and that said data is free of malware like that which compromised Viasat.
On top of more stringent security protocols on the actual devices, treating satellites as critical infrastructure will also require collaboration between vendors, chipmakers, developers, and governments. In simplest terms, everyone needs to work together to ensure satellites are designed with proper physical security and cybersecurity in mind and that potential vulnerabilities are sufficiently tested and addressed.
The bottom line
Satellites are simply purpose-built computers and are therefore vulnerable to the same cyber threats we face on Earth. And yet, they have been built and rolled out in a manner that has failed to prioritize proper cybersecurity hygiene. This is particularly concerning given how many things rely on satellites – and how many don’t have backups in place. We must learn from the recent attacks on satellites that impacted everything from Ukraine’s weapons systems to communications. If we don’t address the cybersecurity risks associated with satellites now, there will likely be even more attacks on the technology to come. Due to our dependency on satellites for myriad activities – from supply chains to navigation to communication, travel and much more – these attacks could impact life as we know it.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.