Improving space cybersecurity needs to start by dealing with problems within the tech that supports aerospace infrastructure.
Space cybersecurity has become front-page news since Russia launched the invasion of Ukraine. Nation-state actors and hacktivist groups started targeting satellite infrastructure from the very first day of the conflict, thrusting the issue of satellite cybersecurity forward.
For example, the head of the US Space Force’s Space Operations Command (SpOC), Lieutenant-General Stephen N. Whiting, did not mince his words, admitting that cyber security is the “soft underbelly of these global space networks.”
Meanwhile, SpaceX’s owner, billionaire Elon Musk recently said that his company spends tens of millions of dollars every month on “enhanced security measures for cyberwar defense.”
The space security problem is real, and it is here to stay. Some suggested that the aerospace industry should emulate tech companies and open themselves up to bug-bounty programs developed to reward hackers for exposing software vulnerabilities.
However, not all are convinced that this will make any difference. According to Ang Cui, cybersecurity expert and founder of the cybersecurity firm Red Balloon Security, the space industry’s problems are much more profound than software vulnerabilities.
“The entire aerospace industry needs an actual waking-up moment to realize that they also live in the real world and understand that hackers are interested in space. I don’t think the industry is quite there yet,” Cui explained to Cybernews.
Last time we talked, you said you’re not entirely sure whether bug-bounty programs are the way to go for the space industry. Could you elaborate on that?
Over the last two years, we’ve been looking into the physical devices that make up a lot of the aerospace infrastructure. Not satellites, because it’s hard to get your hands on something that’s literally in space. We looked into a very important but small piece of the actual infrastructure.
Could you do a quick refresher on what makes the infrastructure in the first place?
Sure. For satellite communications to work, you need ground-based control systems as well as terminals that make sense of the communication with the satellites. And, of course, the satellites themselves.
What parts of this infrastructure have you looked into?
First, the ground control. The radio communication gear and the modems are the data-center control systems for aerospace. They’re unlike consumer electronics, and you don’t have a hundred different players. This is very similar to other critical infrastructure markets we’ve looked into. You have about four or five major players that make, let’s call it, 75% of the world’s devices that run the world’s infrastructure.
“The operating systems of the main computers that control the telemetry for some of these satellites were cutting edge in the late ’70s and have never been replaced,”Cui said.
You have about half a dozen of these companies that make up the world’s everything from the parts inside the satellite to the things that control satellites from the ground.
If you think about general-purpose security for consumer devices, the level of security is up to date. Meanwhile, industrial control vendors that make things that control factories are 8-10 years behind general-purpose security. I would say that the aerospace industry – ground-control systems and devices, the peripherals inside satellites – are about 8-10 years behind industrial control in their security.
Are you saying satellite infrastructure is as safe as a laptop made in 2002?
The operating systems of the main computers that control the telemetry for some of these satellites were cutting edge in the late ’70s and have never been replaced.
They have never been replaced because the ground-control system is a major multi-billion-dollar investment. New ground-control systems are not built every time a satellite is launched. It’s quite the opposite. When a company makes a satellite, it must ensure existing ground-control systems support it.
The problem with the satellites is that if you’re building a new satellite, you want to use cutting-edge technology. Typically, satellites have 10-15 years of service life, sometimes a bit more, sometimes less.
That means that ground-control systems need to support crafts we launched 15 years ago, and the devices launched 10 years from now. The ground-control system has to be the lowest common denominator. It must be compatible with everything old and new that’s coming out, which means you never upgrade anything. Instead, the satellites we’re launching now are made to be compatible with the ground-control system.
So we end up with a confluence of legacy systems and modern tech communicating via the same ground-control station?
Yes. We end up with cutting-edge systems relying on, for example, modems that are decades old. There are also user terminals running on code that was probably last updated in the ‘80s, and they’re still working: that’s what keeps the ground-control systems working. Most importantly, they’re compatible with all of these multi-billion dollar installations.
And that’s just the tip of the iceberg. Take modems used in space. Maybe three companies make this expensive equipment, and very few know what it even looks like. Guess how often that gets security updates? Never. Because why on earth would you?
Are you trying to say it’s pointless to launch bug-bounty programs for the space industry?
Let me put it this way: I have a hypothesis. The more important something is to humanity, the more critical it is to the function of our human civilization, the less secure that thing is. And [conversely] the less necessary it is, the safer it becomes.
Take a gaming console: not all that critical for the world to function, yet mostly secure from a cyber point of view. Now think about programmable logic controllers that run nuclear centrifuges at a nuclear power plant. I doubt they’re very cyber-secure. That’s because no one knows about it. Very few stakeholders, even those who operate it, know anything about their security or could have influenced the security somehow.
Those few people who know about such tech have tight relationships with the two or three companies in the world that make that class of device. So, complaints about new features probably go out the window because the sales relationships are also very intricate. Since virtually no one knows about these devices, no one finds vulnerabilities in them.
“The more important something is to humanity, the more critical it is to the function of our human civilization, the less secure that thing is. And [conversely] the less necessary it is, the safer it becomes,”Cui told Cybernews.
Now think about the heart of your ground-control system, the tools that move the mega-dishes. When do you think was the last time anybody looked into their firmware? When was the last time anybody thought: “Hey, that motor control system that moves these dishes the size of a house that we put in when Reagan was president, you think maybe we should upgrade that?” Why would anybody say that? If it turns, it works, don’t touch it.
But guess what: those devices run computers connected to other computers, and they’re no different than any other industrial control systems. We’re talking about tiny computers running humongous motors, tiny processors with code written in 1998 that never had a firmware update.
In that case, is it true that there’s no use in securing those systems?
Not at all. However, I can comfortably say that at this point in space infrastructure, it’s not about finding a little bug, fixing it, and declaring that everything’s OK. If you cared about security, you’d have to rebuild the thing. That involves each of the major vendors, and none of them want to become security companies. They’re focused on making satellites.
I think this is a much larger problem than just fixing the technical bug that wasn’t discovered. The entire aerospace industry needs an actual waking-up moment to realize that they also live in the real world and that hackers are interested in space. I don’t think the industry is quite there yet.
More from Cybernews:
Subscribe to our newsletter