Reading the new research paper published this week by Chatham House, the Royal Institute of International Affairs; something that struck me was the ambiguity of ownership and use of space-based hardware and control, and the fledgling maturity in cyber-security as it relates to military strategy and engagement of these assets.
When I talk to my customers and contacts in the Industrial Control/Operational Technology field - there are changes occuring in connectivity between systems, oversight and control - and hence the risk of compromise; but there's never a question of who owns and runs these plants and systems. When it comes to space-based equipment (and really, space itself!) jurisdiction is far less easily attributed - countries may own satellites and associated uplink hardware, as may private companies - but NATO for example owns nothing directly. This has very interesting implications for security, specifically cyber.
The paper covers how all parts of the chain of control of satellites are at risk of attack - and the wide ranging impact this might have. You might be familiar with the accusations leveled towards Russia around GPS data spoofing, leading to not only a loss of use of GPS systems in affected area, but even a complete change in reported location (ships reporting their positon as hundreds of miles inland for example). With no clear coverage in terms of cyber-defense responsibility for these systems - my prediction is we'll see this worsen significantly before it improves.
In closing, two recommendations from the end of the paper outline both the immaturity of this sector, and the yet the commonality it shares with other critical asset industries in terms of cyber security enhancement:-
• Current cybersecurity maturity standards and guidelines (such as those published by the US National Institute of Standards and Technology) help organizations to improve their cybersecurity measures and best practices. How effectively cybersecurity maturity standards can be applied to space-sector maturity should be analysed further. If the two areas are different in essence, then separate standards and guidelines for space could be developed.
• Securing space assets against cyberattacks at the design stage is particularly important, and should be a fundamental component of satellite and ground station design from the initial concept – giving rise to a ‘security-by-design’ approach.
All satellites depend on cyber technology including software, hardware and other digital components. Any threat to a satellite’s control system or available bandwidth poses a direct challenge to national critical assets.