Will the battle for space happen on the ground?

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Algirde Pipikaite, Lead, Strategic Initiatives, World Economic Forum, Aarti Holla-Maini, Secretary-General, Global Satellite Operators Association (GSOA), Belgium, Bryan Ware, Chief Executive Officer, Next5, USA & Mark Dickinson, Deputy CTO & VP, Space Segment, Inmarsat Global, United Kingdom

• Space services used to be separated from networks on Earth, but this model has changed over the last few years, with the two becoming more and more interdependent.
• Space-based services support essential services such as military, utilities, aviation and emergency communications and therefore get drawn into geopolitical conflicts on Earth.
• This is why there needs to be increased cybersecurity around space-based services as well as regulatory frameworks and collaboration of all stakeholders.

While space activities generate multiple benefits to Earth from supporting the UN SDGs, providing weather forecasting, and innovating to stop climate change, they are also exposed to potential vulnerabilities and security risks that need managing.

Space communication technology will change the lives of millions by enabling connectivity in places that are not accessible by terrestrial broadband connectivity today. Space exploration is projected to create USD 1.2 trillion in retail revenues in 2020-2030. The potential of space-based services has driven an influx of private actors into what was once viewed as a predominantly government-dominated environment.

Traditionally, space and terrestrial systems were largely isolated from each other, each serving a different set of users and requirements. This model has changed in recent years, as systems become more complex with greater interconnections between Earth-Space networks. Future generations of smartphones, for instance, may well have satellite messaging capabilities for emergency communication where there is no terrestrial connectivity.

Digital transformation has also resulted in the establishing of interfaces between systems and, more importantly, across traditional trust boundaries (partners, customers, etc.). Furthermore, adoption of large satellite constellations is driving the number and complexity of ground control and service support infrastructures, thereby increasing the potential attack surface.

Space-based services are strategic, therefore not immune to geopolitical conflicts

Just as space services are central to modern-day life, they also support essential services such as military, utilities, aviation, and emergency communications. This makes them particularly attractive, especially at times of geopolitical unrest, for cyberattacks, the impact of which is unpredictable.

In 2022, we saw that cyberattacks on satellites servicing one country could disrupt critical national infrastructure in another. In February 2022, just as the Russian invasion of Ukraine started, a large number of satellite modems in Ukraine and elsewhere in Europe were subject to a cyberattack and disabled, requiring global operator Viasat to do a hard-reset following which it could continue to deliver vital communication, including to Ukrainian refugees in neighboring Slovakia. In March 2022, SpaceX sent thousands of Starlink satellite internet terminals to Ukraine to provide Ukrainian citizens access to communication.

Historically, the majority of satellites can be thought of as bent pipes in space (meaning that the uplink signal is received, amplified, translated to a downlink frequency, amplified again, and directed toward the earth using a high-gain antenna). They received data from Earth, such as TV signals, amplified them and mirrored them back down to Earth. They are now becoming more complex with the advent of software-defined satellites. Satellites are built to be resilient and robust and can function in isolation from each other. They are connected to private networks which are not per se accessible from the Internet. The arrival of software-defined satellites means that satellites can be reconfigured in space, allowing space-based services to be adjusted in response to changing demand and respond dynamically to threats as they emerge.

With the influx of new market participants, many more satellites are being launched into orbit, notably with large constellations, of 100s or even many 1,000s of satellites. Ignoring ongoing space sustainability discussions, the sheer number of satellites in such networks means that if one satellite is compromised, a new path can be arranged but at the same time, however, potentially opens the door to take advantage of the satellite network due to their widely deployed terrestrial infrastructure and commoditized spacecraft design.

Increased interdependence between satellites and technology on Earth

Satellites are playing a critical role in communications on Earth and are already an integral, albeit invisible, part of communications networks, and systems with dependencies on position and timing information, e.g. GPS. In the future, consumer services will move across terrestrial and space systems as technical standards for integration of NTNs with terrestrial networks are implemented. As an example, mobile phone signals may switch seamlessly from ground-based tower signals to satellites without citizens noticing the transition. These technological changes will increase interdependencies between satellites and technologies on Earth.

Going forward we can be certain that the resilience of critical services on Earth will become ever more entwined with the resilience of satellites in space. Satellite operators do however have experience in cybersecurity. They have long been skilled in hardware and network security and are experienced in serving sectors with strict security requirements such as governments, military, oil & gas, shipping, and finance. In addition, satellite operators increasingly use cybersecurity tools and products to provide enhanced security to key customers and to differentiate themselves and create competitive advantage. Some satellite operators are working on new methods of data encryption such as QKD which are ideally suited to the space environment.

Space-based services may be subject to more cyberattacks

The conflict in Ukraine has nonetheless demonstrated that space has been and will continue to be extremely relevant at times of geopolitical conflict. As these trends are likely to continue, we will see new threat actors, targeting space systems to impact the critical services enabled by satellites. Against this background, how do we ensure that the growing interest in space-based services does not expose society to more cyber vulnerabilities? What can be done to ensure developments of new space technology and services are more secure?

Discussions between the World Economic Forum’s Global Future Councils on Cybersecurity and Space, held in April 2022, suggest that governments, alongside those who operate, use, and profit from space-dependent technologies, should identify critical space-enabled services and should prioritize ensuring their end-to-end cyber resilience.

For better cyber threat management, stakeholders need to work together

Added to this is the complexity introduced by third-party relationships. As satellite-based service infrastructures become more complex and evolve into full end-to-end services, they involve more stakeholders operating different parts of the infrastructure. The supply chain for hardware and software is dependent on multiple component parts, making it difficult to identify responsibility and liability for the ultimate security and resilience of the services supplied. Where do the roles and responsibilities of hardware manufacturers, software developers, satellite manufacturers, operators and commercial users begin and end?

Another aspect is regulatory frameworks that have not been able to keep pace with technology evolution. This is a problem for cyber resilience in all sectors, not just in space. Appropriate regulatory frameworks are part of the solution, but these take time to develop, especially if they are to be internationally harmonized, and action is needed now.

Over the longer-term clear lines of communication to support information sharing prior to, during, and after cyber incidents should be created to complement the work of the Space ISAC (Space Information Sharing and Analysis Center), and to improve the cyber resilience of space-based services that depend on satellites networks. This will require collaboration between governments, satellite manufacturers, operators, software developers and service users. Each has a role to play, including the sharing of lessons and experiences from each domain. As terrestrial and space systems become ever more closely integrated and the distinctions blurred, a collaborative and informed exchange is needed between what has traditionally been seen as separate areas of cyber threat management.