Hackers can disable satellites - or turn them into weapons

Off-the-shelf components open a back door for satellites, in addition to the old dangers of taking over the communications. The problem is exacerbated when thousands of tiny satellites orbit the Earth and may do things their operators did not plan for

By William Akuto, Postdoctoral Research Fellow, University of Denver

Last month SpaceX became the operator of the world's largest array of active satellites. As of the end of January, the company had 242 satellites in orbit around Earth with plans to launch 42,000 over the next decade. It is part of its ambitious project to provide internet access worldwide. The race to put satellites in space continues, with Amazon, Britain's OneWeb and other companies eager to put thousands of satellites into orbit in the coming months.

These new satellites have the potential to revolutionize many aspects of everyday life – from bringing Internet access to the far corners of the world to monitoring the environment and improving global navigation systems. Amidst all the enthusiasm, a critical danger slipped by unnoticed: the lack of cyber security standards and regulations for commercial satellites, in the US and around the world. As an academic who studies cyber-conflicts, I am very aware that because of this interest, along with the complex supply chains of satellites and the levels of stakeholders, they are very vulnerable to cyber-attacks.

If hackers take over these satellites, the consequences could be dire. On the easy side of the scale, hackers can simply disable satellites and deny access to their services. Hackers can also disrupt or spoof the signals from the satellites and create chaos in vital infrastructure. This includes electricity networks, water networks and transport systems.

Some of these new satellites have thrusters that allow them to accelerate, decelerate and change direction in space. If hackers take control of these steerable satellites, the results could be dire. The hackers will be able to change the trajectory of the satellite and smash it into other satellites or even into the International Space Station.

Off the shelf components open a back door

The manufacturers of these satellites, especially the small cubesats, use off-the-shelf technologies to keep costs down. The widespread availability of these components means hackers can analyze them to find vulnerabilities. In addition, many components are based on open source technology. The danger here is that hackers can introduce backdoors and other vulnerabilities into the satellites' software.

The highly technical nature of these satellites also means that many manufacturers are involved in the production of the various components. The process of bringing these satellites into space is also complex, and many companies are involved. Even when they are already in space, the organizations that own the satellites often outsource their day-to-day management to other companies. With each additional provider, the vulnerabilities multiply because hackers have many opportunities to penetrate the system.

Hacking into some of these cubesats can be no more complicated than waiting for one to go up and then sending malicious commands through special ground antennas. Hacking into more sophisticated satellites may not be that difficult either.

Satellites are usually controlled from ground stations. These stations run computers with software vulnerabilities that hackers can exploit. If hackers penetrate these computers, they can send malicious commands to the satellites.

History of burglaries

This scenario occurred in 1998 when hackers took over the American-German ROSAT X-ray satellite. They did this by hacking into computers at the Goddard Space Flight Center in Maryland. The hackers then ordered the satellite to point its solar panels directly at the sun. This effectively fried its batteries and rendered the satellite useless. The damaged satellite eventually crashed to Earth in 2011. Hackers can also hijack satellites for ransom, as happened in 1999 when hackers took over the British SkyNet satellites.

Over the years the threat of cyber attacks on satellites has worsened. In 2008 hackers, possibly from China, apparently took full control of two NASA satellites, one for about two minutes and the other for about nine minutes. In 2018, another group of state-backed Chinese hackers began a sophisticated hacking attack targeting satellite operators and Defense Department contractors. Groups of Iranian hackers also tried to carry out similar attacks.

Although the US Department of Defense and the National Security Agency (NSA) have been working to address cyber security in space, the pace has been slow. There are currently no cyber security standards for satellites and there is no supervisory body that regulates and guarantees their cyber security. Even if it were possible to develop common standards, there are no mechanisms to enforce them. This means that the responsibility for the cyber security of satellites rests with each of the companies that manufacture and operate them.

Market forces work against cyber security in space

As they compete to be the dominant satellite operator, SpaceX and competing companies are under increasing pressure to cut costs. There is also pressure to speed up development and production. This situation tempts the companies to cut corners in areas such as cyber security that are secondary to actually bringing these satellites into space.

Even for companies that give high priority to cyber security, the costs associated with ensuring the security of each of the components can be a deterrent. This problem is even more acute in low-cost space missions, where the cost of ensuring cyber security can exceed the cost of the satellite itself.

To complicate matters, the complex supply chain of these satellites and the many parties involved in managing them mean that it is often unclear who bears responsibility and liability for cyber breaches. This lack of clarity has caused complacency and hindered efforts to secure these important systems.

An arrangement is needed

Analysts have begun calling for strong government involvement in the development and regulation of cybersecurity standards for satellites and other assets in space. Congress can act to adopt a comprehensive regulatory framework for the commercial space sector. For example, there could be laws requiring satellite manufacturers to develop a common cyber security architecture.

Congress can also require the reporting of all cyber breaches involving satellites. There should also be clarity about which assets in space are considered critical to prioritize cyber security activities. Clear legal guidelines on who bears responsibility for cyber-attacks on satellites will also go a long way in ensuring that those responsible take the necessary measures to secure these systems.
Given the traditionally slow pace of legislation in Congress, a multi-stakeholder approach that includes public-private collaboration to ensure cybersecurity standards may be warranted. Whatever steps governments and industry take, it is imperative to act now. It would be a big mistake to wait until hackers take over a commercial satellite and use it to threaten human life and property—here on Earth or in space—before we address this problem.

For an article in The Conversation

More of the topic in Hayadan:

•  Cyber ​​protection of space assets is a growing field. More and more satellite operators became aware of the risks
• The connection between cyber threats and damage to space is very direct
• Trump announced the establishment of a space arm separate from the Air Force
• Popular Science/Combat Systems - The Next Generation. Part I