The Federal Bureau of Investigation, the National Counterintelligence and Security Center (NCSC) and the Air Force Office of Special Investigations (AFOSI) released an advisory: Safeguarding the US Space Industry. The advisory recognizes the growing value of the global space economy and highlights the motivation for foreign intelligence entities to target the US space industry.
Cybersecurity is vital in any industry, terrestrial or not, and this advisory serves as a reminder of what is at stake in the skies above.
US Space Industry Players
Who should be paying attention to the new advisory?
“I think it’s important to note when we talk about the ‘space industry,’ we’re really mostly talking about legacy industries that are involved in the space business here and now. We have a mix of engineering, defense, technology, aerospace, etc., that all play roles in the ecosystem,” says Jason Atwell, Mandiant principal advisor, Google Cloud, in an email interview.
Atwell also indicates that organizations on the periphery of the industry could benefit from thinking about what the advisory means for them. Those players could include “academia, state and local entities who host space industry or infrastructure and downstream suppliers who may make dual-use tech that ends up in space products and platforms,” according to Atwell.
Investment capital in the space economy is spread across three categories: launch capabilities (10%), satellites (88%), and emerging industries (2%) including stations, lunar, logistics and industrials, according to the Space Investment Quarterly: Q2 2023 report from venture capital firm Space Capital. Companies like SpaceX, Uber, Google, and Amazon are just a few of the big-name companies participating in the space economy.
While capital is pouring into space on the commercial side, the US government is also an essential player. The commercial sector is playing a role in government missions in space, and the government is exploring the adoption of commercial capabilities, according to Lindsey Polley de Lopez, Ph.D., director of disruptive technologies at VentureScope, a consulting and venture investment firm.
“Most of the US’ space assets, both public and private sector, are inherently intertwined with one another,” she says in an email interview.
Critical infrastructure sectors, a total of 16, rely on space-based assets in many ways, making cybersecurity in the space industry all that more important. Polley de Lopez shares examples like the communications and emergency services sectors’ reliance on GPS, the agriculture and energy sectors’ reliance on sensors and operational technologies to monitor and control certain operations and the financial sector’s use of space-based assets to transport critical data.
“In fact, so much of our daily lives and the functioning of our economy is rooted in space-based assets that certain space systems should be deemed a critical infrastructure sector,” she says.
Threats and Potential Consequences
What kind of cyber threats does the space industry face, and what are the potential consequences of insufficient cybersecurity?
The new government advisory points to foreign intelligence entities as a key threat. “Threat actors: The big ones are China and Russia right now because they want to gain everybody’s trade secrets, intellectual property,” Jeff Hall, principal security consultant and North American aerospace lead at security consultancy NCC Group, says in a phone interview.
Threat actors will use various strategies to gain access to space-based assets, including insiders and supply chain attacks, according to Hall.
Atwell also notes the potential for insider threats. “I would also add that in an industry so heavily defined by emerging and unique technology, insider threats play a huge role as well, so having detection and loss prevention capabilities in that area can pay huge dividends.”
Directly compromising a space-based platform is possible, but threat actors can also seek vulnerabilities in the land-based systems that control space-based assets.
“It is more likely a threat group will target a company to compromise its environment rather than go after a physically deployed space-based asset,” says John Bennett, global head of government affairs in the Cyber Risk Practice at Kroll, via email. “However, threat groups and nation states will continue to learn and improve their attack strategies. Satellites will be in reach.”
Successful cyberattacks could lead to two broad categories of consequences: data compromise and system hijacking, according to Polley de Lopez.
Data compromise could mean loss of intellectual property. The recently released advisory indicates the potential for stolen IP to negatively impact global competition and the economic security of the US commercial space sector.
Data interference could also have consequences for critical infrastructure. “For example, a jammed signal or system (such as GPS) could make emergency services unreachable within a specific region. GPS is particularly vulnerable because it is unencrypted, which is why many companies are trying to develop alternative PNT [positioning, navigation, and timing] capabilities that do not rely on GPS,” says Polley de Lopez.
Space-based systems could potentially be hacked by threat actors. These types of attacks could be “quiet” or “noisy,” according to Polley de Lopez. She describes a quiet attack as one in which “the asset owner does not realize their system has been compromised, which can lead to IP theft and significant profit losses for the commercial sector, as well as national security implications if the IP relates to advanced technology.”
If the intent of an attack is to be noisy, a threat actor could intentionally cause internal damage to a space-based asset or manipulate the system to cause a collision with another asset. “This particular possibility becomes even more concerning with the advent of space tourism and hospitality,” says Polley de Lopez.
Collaboration between the public and private sectors is a recurring theme in cybersecurity, and the space industry is no exception. But fostering that collaboration can be challenging. “Absent any regulatory requirements to cooperate with governments, there is little incentive for private companies to report cyber incidents,” says Bennett.
The new advisory is a step in the right direction. It may serve as a reminder of the cyber risks for larger companies that have relatively mature cybersecurity programs. And it may even be a wakeup call for the smaller companies just getting started in the space sector.
“Many space organizations are young and technology oriented, but also small. I’m sure plenty recognize security is a factor, but probably isn’t within their immediate scope/budget/skills on staff,” says Jake Nicastro, Mandiant tech lead, Google Cloud, in an email.
The advisory details indicators that a company is being targeted by foreign intelligence entities and approaches to mitigate threats. “The good news is that the threats to the space industry are not unique to that industry alone. A robust, mature, and well-resourced (funding and staffing) program goes a long way to mitigating threats,” says Bennett.
The same cybersecurity strategies and tools that can help companies with ground-based assets, like two-factor authentication, managed detection and response, patch management and zero trust, can help companies with space-based assets to mitigate risk.
If a company in the space industry does experience a cybersecurity incident, this advisory provides clarity on incident reporting. It urges companies to contact the Private Sector Coordinator at its local FBI Field Office and to submit a tip to AFOSI.
Bennett urges stakeholders to get to know the appropriate contacts before an incident occurs. “Meetings should occur on a regular basis so a relationship of trust can be established prior to the bell ringing,” he advises. “Knowing who to call, what information is required, what can be shared are all elements that need to be worked out before the house is on fire.”
As is often the case, government regulations lag the development of technology. The private sector can be proactive and begin setting standards for the space industry.
“The space sector should be highly proactive in building relations with governments and not waiting for the governments to make the first move,” Bennet argues. “Waiting for the government to initiate regulations, guidelines, or a relationship is burying your head in the sand. What remains exposed will get bitten.”
There are already standards emerging from federal agencies that could act as a baseline to begin bringing stakeholders, public and private, together. Nicastro points to the cybersecurity readiness plan developed by National Aeronautics and Space Administration. The National Institute of Standards and Technology published a document on cybersecurity for commercial satellite operations. But there is still more to be done.
“Do I think additional policies or regulations around cybersecurity for companies operating in space are needed? Yes, absolutely — particularly as the government-commercial lines continue to blur and as space tourism begins taking off,” says Polley de Lopez.
What to Read Next:
How to Build True Cyber Resilience
Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023
Looking at the Dole Cyberattack and the Future of Critical Infrastructure Cybersecurity