Author: Matthew Heideman, President, Xage Security Government
Cybersecurity needs in space are changing fast. Thousands of new low earth orbit satellites are being launched. Security vulnerabilities in satellite hardware and software are being discovered and published. And the role that space-based infrastructure plays in business and in peoples’ private lives is escalating rapidly.
We are entering a new era of cybersecurity in space that will have wide ranging effects on the increasingly interdependent ecosystem of private companies, government operations, and the defense industrial base (DIB). Here’s a quick summary of what is happening in space cybersecurity, and which agencies and companies are leading the charge.
Secure By Design: The Challenge of Protecting and Defending Legacy and Modern Assets on The Ground and In Space
One of the core challenges in securing space-based infrastructure is the highly distributed nature of the assets. Once a satellite is in orbit, it is difficult or impossible to install new cybersecurity capabilities. This places additional pressure on the cybersecurity measures taken at the ground stations that function as communication hubs and data centers for controlling satellites and capturing the valuable data they generate. Assuring the confidentiality, integrity, and availability of this data is of mission-critical importance. Furthermore, these facilities communicate with a wide range of organizations, using all manner of modern and legacy technologies.
The need for greater cybersecurity of space-based assets and related ground systems was a core topic of discussion for US National Cyber Director Kemba Walden at RSA 2023, as reported by The Register.
“You have the base stations, you have the links from base stations, to the satellites, and then you’ve got the satellites themselves. You also have space innovation in the form of venture capital, and investment in space. Startups get eaten up by larger companies that … end up in critical space systems,” said Walden.
The potential of insecure software making its way into space system infrastructure is not hypothetical. A BlackHat presentation in 2023 outlined the many security flaws in satellites currently being used for research by the European Space Agency and others. The satellites were found to be operating without authentication protocols, and sending unencrypted signals.
Momentum is building to address this lack of security-by-design in space based critical infrastructure. This need is further reinforced in the just-released Final NIST IR 8441, Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN), which aims to help organizations “better understand the attack surface, incorporate security, and achieve greater resilience for space systems that may be leveraged by critical infrastructure owners and operators, the Department of Defense, or other government missions”
The lack of these foundational security elements in the satellites themselves speaks to the need for an cybersecurity mesh overlay approach to securing the entire ecosystem of space infrastructure.
Zero Trust Is The Way Forward and U.S. Space Force is Leading The Way
The United States Department of Defense (DOD) is heavily prioritizing zero trust as a strategy for improving cybersecurity agency-wide. They released their Zero Trust Roadmap in November, 2022, with heavy emphasis on “reducing the attack surface and enabling risk management and effective data-sharing in partnership environments.”
Achieving Zero Trust across the DOD will be a challenge in itself, but space-based infrastructure adds a whole new dimension to the difficulty, due to the highly distributed and decentralized nature of the assets. Ground stations all over the planet, and satellites orbiting in space, are inherently challenging to secure in a unified, resilient, and available way.
The U.S. Space Force is up to the task, leading the way to the Zero Trust future by adopting new technologies to achieve zero trust access management and secure data sharing across the government and its private partners in space and on the ground. It was recently announced that the Space Force will be using Xage Security as a key part of their zero trust strategy.
To learn more about how the Space Force will use Xage to cyber harden current USSF terrestrial systems and achieve zero trust data exchange across the USSF enterprise, read our press release.
Data sharing and public-private collaboration is getting more important and more challenging at the same time
The amount of data being gathered and created in space is growing fast. Satellites are capturing images and telemetry for public, private, and military use. This data has differing levels of sensitivity, and different classification levels, and is being transmitted across constellations of satellites, across networks of varying levels of security, in unprecedented ways.
The need to manage access to this data, and ensure its integrity, is paramount. Securing data is a core pillar of the DoD’s Zero Trust Roadmap. Additionally, cybersecurity for space infrastructure was specifically mentioned in the White House’s National Cybersecurity Strategy, released in March, 2023.
Zero trust secure data exchange for the USSF Enterprise, provided by Xage Security, is one of the key priorities of the recently awarded contract.
Commercial Space Enterprises Should Follow USSF’s Lead in Zero Trust
From ground station operators to companies building satellites, the private sector has just as urgent of a need for zero trust cybersecurity. Space infrastructure is only getting more densely interconnected, and public-private partnerships offer enormous benefits to all parties, but the risks cannot be ignored.
In 2022, a cyberattack related to the Russia-Ukraine conflict impacted a satellite-based global internet provider. The attack not only affected internet access in Ukraine, but took out the remote management and monitoring capabilities of over 5,000 wind turbines in central Europe, as reported by Reuters. This event is emblematic of the deeply interdependent nature of space-based infrastructure and the governments and businesses that depend on it. Limiting the scope of attacks and avoiding collateral damage requires much tighter access control, and the use of Zero Trust principles to prevent attacks from spreading within, and beyond, their target networks.
USSF is taking big steps, and providing a lead for both public and private organizations to follow. Their example can provide a template for the entire industry to move from a conceptual embrace of Zero Trust cybersecurity, toward actual meaningful execution to protect and defend critical infrastructure.
To learn more about how Xage Zero Trust solutions are already securing the intersection of public and private critical infrastructure on the ground and in space, visit our Federal Government Industry page.