House Committee examines cybersecurity issues for civil, commercial space systems

A recent hearing of the Subcommittee on Space and Aeronautics within the U.S. House of Representatives Committee on Science, Space & Technology focused on cyber threats to civil and commercial space systems. These risks have taken center stage since the public announcement of a malicious Russian attack in February this year on Viasat’s satellite internet user modems, which affected thousands of customers in Ukraine and tens of thousands across Europe.

The hearing was held to review the efforts and the overall landscape of cybersecurity for civil and commercial space systems. It covered the existing range of threats, the status of implementation of the Space Policy Directive, the role of the federal government, whether there is an agency in charge of space cybersecurity, and what the issues for Congress are. Satellite cybersecurity has gained importance with the emergence of commercial satellites that provide data and information used for navigation, agriculture, technology development, and scientific research.

Following the Viasat incident, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an alert on strengthening the cybersecurity of satellite communications network providers and customers. The National Security Agency (NSA) also issued a cybersecurity advisory to protect small ground terminals that transmit and receive satellite communications. Furthermore, the Department of Commerce’s NIST has issued guidance on cybersecurity for commercial space systems. 

The U.S. government and Congress have taken steps to address space cybersecurity. For example, in December 2020, the government issued Space Policy Directive-5, ‘Cybersecurity Principles for Space Systems.’ Lawmakers from the U.S. House of Representatives also introduced legislation protecting space systems, especially those supporting critical infrastructure, from cyberattacks that threaten American national security and economic prosperity. 

Three witnesses testified at the hearing: Theresa Suloway, space cybersecurity engineer at the MITRE Corporation; Matthew Scholl, chief of the computer security division at the National Institute of Standards and Technology (NIST) Information Technology Laboratory; and Brandon Bailey, senior project leader for the cyber assessments and research department at the Aerospace Corporation.

“We need to make every effort to understand what further actions can be and should be taken to strengthen cybersecurity for civil and commercial space systems, including commercial space systems that provide mission-critical government data and services,” Don Beyer, a Democrat from Virginia and chairman of the Subcommittee on Space and Aeronautics, wrote in a statement last week. “Malicious disruptions to such systems would have significant impacts to critical services, our economy, and the growing $447 billion global space economy, including everything from weather and environmental forecasting to forestry management, communications, space science, and national security,” he added.

“In May 2021, Chairwoman Johnson, Ranking Member Lucas, myself, and Ranking Member Babin requested that Government Accountability Office conduct a review of the cybersecurity risks to the sensitive data associated with NASA’s major projects and spaceflight operations,” Beyer said. “That review is now underway. Other Members of Congress have introduced legislative proposals on space and cybersecurity.” 

“In addition to cyber hacks to ground systems, cyber threats to satellites and their spacecraft, users, and the links between the two could cripple many of the services necessary to modern life in the United States,” Eddie Bernice Johnson, a Democrat from Texas and chairwoman of the House Committee on Science, Space and Technology, wrote in her statement. “Those services include remote sensing and position, navigation, and timing systems that support many sectors of our economy and national security. We need to ensure that we understand this threat and what options we have to mitigate and address it,” she added.

Johnson said that more needs to be done in this area. “There are no universally accepted standards for cybersecurity in space systems. More work is also needed to translate high-level policy and guidance into practical engineering standards that commercial companies can apply to their systems,” she added. 

In her testimony, Suloway said one of the most urgent cybersecurity needs that must be addressed for commercial space is the possibility that one or more satellites could be hijacked to cause a collision in space. “A collision between two commercial satellites or between a commercial satellite and the International Space Station or a national security asset would not only destroy the satellites involved, but the resulting debris would permanently remove that orbit or region from use by any other satellite. This risk requires preemptive, rather than reactive, action,” she added.

Commercial space systems acting as a component of critical infrastructure serving rural and remote locations have the potential to create a single point of failure, Suloway said. “In more populated areas, other terrestrial network links can be used if connectivity via space systems goes down, but critical infrastructure relying on these commercial space services, such as pipelines and electric grid infrastructure, in ‘hard to reach’ locations is especially vulnerable to space failure due to the lack of similar backup systems. Other transportation systems and critical infrastructure, including our nation’s air traffic control system, which depend on our GPS, remote sensing, and communication systems, could be disrupted in similar ways.” 

“The ground segment is also vulnerable to cyber-attack. It is the most easily accessible because it is connected to the terrestrial internet,” according to Suloway. “The cost of entry for an attacker is lowest if they can gain access through traditional means by using the internet. More sophisticated attacks would require additional equipment such as antennas and antennae pointing equipment, which is harder to obtain and maintain. If someone wanted to attack a satellite, it is easier to use the existing infrastructure to connect with the satellite to deliver an exploit,” she added.

In his testimony, NIST’s Scholl wrote that commercial space operations and opportunities continue to grow and provide an engine for our economy and expand our understanding of the world and the universe. “Space operations are, by their very nature, fraught with risks that are not present with traditional Information Technology or Operational Technology Systems. The emerging nature of commercial space technologies gives us an opportunity to address cybersecurity risks early and in a broad, integrated way,” he added.

“The timely availability of cybersecurity guidance, efforts alongside industry in standards bodies, sharing of cybersecurity threat information, and creation of resilient and recoverable space technologies is a critical part of our support for space missions that contribute to our economy, our security, and our understanding of the universe,” Scholl added.

“Critical need to protect space technology and the need to create a dedicated space technology sector as one of the nation’s critical infrastructure sectors,” wrote Bailey in his testimony to the committee. “The only space cyber policy is SPD-5. This is non-binding and treated mostly as informational. Even with SPD-5 there still are significant gaps in technical cyber-secure solutions, standards, and best practices. Lack of cybersecurity information sharing and research and development are what is preventing advancement of technical cybersecurity solutions for space systems. Many of the efforts within space-cyber are siloed and fragmented,” he added.

Bailey added that the U.S. needs to work towards a global consensus through stronger collaboration among space system manufacturers, suppliers, owners, and operators.

Earlier this year, the U.K. government released its ‘Defence Space Strategy’ that works towards operationalizing the space domain at pace. It sets out the government’s vision for ‘defence’ as a global player in the space domain and expresses how its Ministry of Defence (MOD) will deliver the ‘protect and defend goal’ through space-related capabilities, operations, and partnerships.
