Orbital observations: Enhancing space resilience with real-time cybersecurity
You cannot protect what you cannot see. Gaining real-time visibility into space-system cyberthreats can protect the space ecosystem.
Ryan Roberts
Chris Weggeman
Christin Young
Reilly Blair
Hillary Harlan
The world today relies on thousands of satellites, from GPS navigation and weather monitoring to national security. As we detailed in “Stellar safeguards,” these space systems are becoming more digitally enabled, networked, and interconnected with the cyber domain. They are also being progressively utilized across both government and commercial sectors, making space systems an increasingly crucial component of today’s way of life and a prime target for cyberattacks. As the satellite industry continues its unprecedented growth, with some estimates anticipating hundreds of thousands of satellites in orbit by 2030, the “attack surface” for cyberthreats is expected to increase.1
Enhancing cyber situational awareness is important to help safeguard these vital space systems. Cyber situational awareness involves the ability to perceive, comprehend, and project the status and implications of cyberthreats to space systems in real time.2 Such awareness is important for timely and effective responses to cyber incidents.
Improving space cyber situational awareness should include a multifaceted approach to bolster real-time cyberthreat detection across the space ecosystem. This can include advocating for on-board, real-time cyber detection through dedicated massed or massless cyber-monitoring payloads, while also keeping in mind the important paradigm of size, weight, and power (SWaP trade-offs). Additionally, incorporating artificial intelligence and machine learning (ML) in the decision loop to process data and make decisions “at speed” is important for limiting the impact cyberthreats may pose to space operations.
Furthermore, this approach involves developing and enforcing agile regulatory frameworks, implementing cybersecurity protocols and engineering standards, leveraging financial incentives and enforcement mechanisms to drive compliance, and fostering collaboration and continuous improvement.
The situation with space cyber situational awareness
Cyberattacks are the most common type of attack in the space domain.3 In recent years, nefarious actors and nation-states have used cyberattacks to degrade or destroy satellite communication and navigation capabilities, as seen with the Russian-attributed ViaSat hack in 2022.4 The Space Information Sharing and Analysis Center tracks hundreds of cyberattacks on space systems daily.5 The prevalence of and risk posed by cyberattacks on space systems underscore how critical cybersecurity and corresponding cyber situational awareness are in protecting these critical assets.
Preventing and responding to cyberattacks on space systems requires visibility, or the ability to “see and sense” within the cyberspaces of the systems themselves. Indeed, visibility into the cyber activity and status of a satellite, ground station, or other space segment is essential for effective cybersecurity. In the cyber domain, transparency means equipping five segments (see “Space segments and their definitions”) with the capability to see and sense the cyber terrain to enable ground operators to monitor the cyber status of the space system, regardless of the segment. This is important as all five segments rely on the availability and resiliency of the cyber domain.
Space segments and their definitions
Space: Space assets such as satellites in orbit.
Ground: The ground-based infrastructure critical to the functioning of the space system, such as satellite monitoring and control, ground terminals, and mission operations centers.
User: Equipment enabling use of signals/information from space (for example, GPS receivers, smartphones, satellite communications’ transmit/receive terminals).
Link: The communications networks that connect the other segments, including ground-to-space, space-to-space, and ground-to-ground.
Launch: Components and activities, including launch vehicles, satellite payload interfaces, ground support equipment, launch site infrastructure, and required staff and personnel.
The cybersecurity methods employed for monitoring the ground, user, link, and launch segments will likely be similar to those used for other ground-based information technology systems, but the space segment is expected to require specialized capabilities. A satellite’s orbit can place them outside terrestrial communication paths, creating “blind zones” where humans cannot respond to cyber anomalies. This necessitates automated cybersecurity controls and mitigations, which can be implemented through on-orbit AI-/ML-based solutions. Once detected and classified, AI- or human-developed preplanned responses can be executed at the speed of need—working to minimize impacts and shorten recovery times. For example, if specific anomaly conditions are met, various actions could be enacted by the system, such as placing the vehicle in safe mode, requesting command verification, or activating higher-rate logging.
These capabilities, whether software- or hardware-based, should detect anomalies and potential cyber incidents to provide the right data to drive timely detection, analysis, and response to threats. They should also be able to operate autonomously while out of contact with ground stations and alert operators about suspicious activity or intrusions that occurred. However, ensuring space systems have sufficient cyber situational awareness capabilities and are used in conjunction with other cybersecurity tools is not without challenges.
Why it isn’t the standard (but should be)
Leveraging cyber situational awareness to help defend space systems is compounded by several challenges, including:
Outdated hardware and software: Many government and commercial satellites in orbit, including some GPS satellites, are operating on mission-specific hardware that was designed and built to meet legacy requirements from an era when cybersecurity and adaptable digital architectures were not always seen as mission-critical.6 Thus, they may not have sufficient capabilities and functionality to deliver the necessary cyber situational awareness.
Prioritization of efficiency over security: Designing satellites is an exercise in maximizing efficiency. Balancing mission requirements with design, production, and operation costs often requires removing anything that isn’t mission critical, and—historically—cyber situational awareness capabilities haven’t always been considered mission critical. Rather, some believed that robust encryption and secure communication protocols were sufficient to protect satellites against cyberattacks. That may have been enough in the past, but it no longer is with the emergence of highly capable malicious cyber actors.
Communication limitations: There are typically data-rate constraints, with the communications link being sized to meet the data requirements of the satellite’s mission. This can lead to the satellite being incapable of transmitting both mission data, as well as the necessary quantity of onboard bus traffic that could enable the use of ground-based cyber-monitoring tools to assist an operator with the detection and identification of a cyberattack.
Limited regulatory frameworks, standardization, and collaboration: The implementation and maintenance of effective space cyber situational awareness are complicated further by limited regulatory frameworks, standardization, and collaboration.7 Without adequate regulations or requirements, organizations may not have the incentives to adopt such systems or clarity on which systems are best. This can be especially true in the space environment where payload mass and compute can complicate adding additional hardware. Limited standardized protocols and interfaces makes it difficult to deploy security measures across the industry.8 Furthermore, limited collaboration between industry, government, and other stakeholders can hinder the development of industry best practices and coordinated responses to cyberthreats.9
These constraints, among many others, can make it difficult to implement and maintain effective cybersecurity situational awareness. Without better space cyber situational awareness, it will likely continue to be difficult to detect, respond to, and mitigate cyberthreats in real time, and could place space systems at risk.
Boosting space cybersecurity
Several steps can help make space cyber situational awareness a common practice. They include:
Augmenting space segments with cyber situational awareness systems: Space segments should be augmented by cyber situational awareness systems. While the nature of satellite design tends to focus on maximizing efficiency, cyber situational awareness should be considered a mission critical component. Without it, it can be increasingly difficult to identify and mitigate potential cyberthreats in near real time. As these systems become common across the industry, it becomes possible to develop a space enterprise cyber common operational picture, which could improve detection across thousands of assets, leading to improved resiliency and a significant source of training data for future operations. These systems should be augmented by intuitive dashboards that provide operators with real-time insights into potential threats, system performance, and anomaly detection.
Integrating AI and ML for enhanced data analysis: Integrating modern AI/ML capabilities is crucial to quickly understanding and managing the vast amounts of data produced by space cyber situational awareness systems.10 Operating “at the edge,” these systems would be able to detect anomalous behavior that could bypass traditional heuristics and respond at speeds far greater than a ground operator. It should be noted however that AI/ML implementation requires large amounts of compute; and while graphics processing unit payloads exist, operators still need to consider the SWaP trade-offs mentioned previously.
Making systems updatable and adaptable: Satellites and other space systems should be designed with reprogrammable software-defined functions to allow updates that keep pace with advanced threats as they are discovered. This includes updating a catalog of “fingerprinted” cyberthreats or providing the capability to update detection algorithms or AI/ML models. The ability to adapt to a changing threat environment is critical. However, integrating software updates to enhance cybersecurity capabilities involves careful consideration to ensure that these updates do not inadvertently expose the systems to additional vulnerabilities from malicious actors.
Developing simulation and training programs: To enhance cybersecurity preparedness, it is important to develop comprehensive simulation and training programs.11 These programs should create realistic cyberattack simulation environments that closely mimic space system architectures, providing a practical and immersive training experience. Additionally, offering training modules that cover threat detection, incident response, and recovery procedures can help equip cybersecurity teams with the necessary skills to effectively manage and mitigate cyberattacks. When done correctly, the simulation and training environment completes a feedback loop where processes and technology can be refined for greater mission performance and resilience. More broadly, these types of trainings can enable space programs and mission owners to understand the latest cyberthreats and their impacts to properly prepare and prioritize mission priorities.
Implementing real-time incident response and recovery mechanisms: Implementing AI/ML near real-time incident response and recovery mechanisms involves deploying automated response systems that can quickly isolate affected segments, reroute communications, and restore normal operations.12 Additionally, establishing protocols for coordinated response efforts among multiple organizations is crucial. This approach can minimize downtime and potentially lessen damage caused by cyber incidents, helping to facilitate the continued operation of critical space systems.
Taking action
To enhance the ability to sense and detect cyberthreats in near real time across the space ecosystem, several key actions can be taken, including:
- Explore agile regulatory approaches. Regulatory frameworks can play a crucial role in driving cybersecurity improvements. Governments and international bodies should explore agile regulatory approaches that help encourage space cybersecurity situational awareness measures for all space segments or systems. Agile regulations are key because they are best suited to evolve with technology and industry needs.
- Standardization enables scalability. Standardization is important for scalability and interoperability. Just as the On-Board Diagnostics II port standard in cars helped enable the widespread adoption of diagnostic tools, standardized cybersecurity protocols, and interfaces for satellites can help facilitate the deployment of security measures across the space industry. Standardization can also help reduce costs and complexity, making it more efficient for organizations to implement and maintain cybersecurity solutions.
- Incentivization and enforcement motivate compliance. Incentives and enforcement mechanisms encourage compliance with cybersecurity regulations and standards. Financial incentives, such as tax breaks or grants, can motivate organizations to invest in cybersecurity. At the same time, enforcement mechanisms, such as fines or penalties for noncompliance, can emphasize that organizations take cybersecurity seriously. Procurement requirements that require the inclusion of onboard cyber-monitoring capabilities could also be used to drive uptake and compliance.
- Collaboration and continuous improvement strengthen space cybersecurity. Collaboration between industry, government, and other stakeholders is important for improving cybersecurity across the space ecosystem. Organizations like the Space Information Sharing and Analysis Center can facilitate information-sharing and collaboration, helping to develop industry best practices, norms, standards, and regulatory frameworks. The proliferation of on-orbit cyber situational awareness sensors can provide a valuable data source, with each additional sensor enriching threat visibility, correlation, predictability, and preemptive mitigation. Collaborative efforts can help enhance the overall cybersecurity posture of the space industry, enabling a more coordinated and effective response to cyberthreats. Collaboration between industry stakeholders, policymakers, and regulatory bodies is crucial for fostering a secure and resilient space environment. This includes:
- Regular communication: Establish channels for regular communication and information-sharing;
- Joint exercises: Conduct joint cybersecurity exercises to test and improve response capabilities;
- Policy development: Work together to develop and update cybersecurity policies and regulations; and
- Standardizing the lexicon: Establish and reinforce common terminology to synchronize messaging across industry and collaborative groups.
A more resilient space ecosystem through enhanced cyber situational awareness
The increasing dependency on space systems and the growing number of satellites contribute to the importance of cyber situational awareness in preserving the future of the space industry. By enhancing the ability to sense and detect cyberthreats in near real time, these vital assets can be better protected from malicious actors. Through regulation, standardization, incentivization, enforcement, and collaboration, there can be a more resilient space ecosystem that provides continued benefits of space-based technologies for society.
The future of the space economy—and by extension the modern way of life—often relies on the availability and reliance of the cyber domain that space systems operate in and through. Yet, it’s hard to protect what can’t be seen. Therefore, cyber space situational awareness of the space ecosystem is critical.
