3.2 billion in damage caused by MyDoom - the most expensive virus of all time
© ESA-P . Carril or war ; or holding a satellite to ransom by taking over its control systems . A hacker may attack a system for no particular reason other than a sense of achievement . Meanwhile , the pace of technological change in cyberspace , including its space components , makes development of countermeasures difficult .
3
What type of attacks happen in the space environment ?
There are many scenarios to be considered and attacks are limited only by imagination . Potential attacks may include : jamming or spoofing GNSS signals ; attacks on communications systems to reduce bandwidth ; corruption of data stored in ground-based servers ; attacks on a control system causing the satellite to cease functioning or even causing it to de-orbit . There is also a potential scenario from more sophisticated threats , such as a contrived collision between satellites .
4
Is this danger theoretical ?
One of the problems in cyber security is the reluctance of organisations to share information about attacks and some attacks may go completely undetected . There are a few documented examples of cyber-attacks : at least two US environment-monitoring satellites suffered interference four or more times in 2007 and 2008 . A US Geological Survey managed Landsat-7 EO satellite experienced 12 or more minutes of interference in October 2007 and July 2008 ; a NASA-managed Terra AM-1 EO satellite suffered similar interference for two minutes or more in June 2008 , and at least nine minutes in October 2008 .
5
Surely the space industry is prepared for cyber threats ?
In part , yes . The more complex and costly systems are designed to be resilient against many forms of threat , with appropriate amounts of project costs being spent on making component parts resilient , and this includes cyber . However , the cost-balance equation of building in cyber resilience becomes more difficult with lower value space
One of the problems in cybersecurity is the reluctance of organisations to share information about attacks
assets as cyber resilience may become disproportionately expensive , reducing commercial advantage . Furthermore , the supply chain for space systems is internationalised , with component parts sourced globally to varying building standards . Therefore , software may not be of the standard required for vital systems .
6 A solution ?
The nature of cyberspace means that a linear defence – an electronic protective shield that protects every system – will always be ineffective given that determined threats will always achieve their aims if the rewards are sufficient . The space supply chain needs to concentrate on defence in depth , which includes the ability to judge the risks involved in cyberspace against investment to reduce the risk of harm . This risk management ( rather than risk elimination ) approach will make sure the right amount of resource is deployed against cyber threats , whether an enterprise is designing and building a satellite , controlling it , or using its data .
7
Do we need more than technological countermeasures ?
Developing technological countermeasures is important but only part of the solution . The management of risk requires knowledge of a variety of factors , many we have discussed here , such as the nature of the threats , the vulnerabilities that the threats will seek to exploit , and so on . To result in a uniform and sector-specific risk management regime this essential knowledge needs to reach across all parts of the supply chain , and within every enterprise in the supply chain , which implies an instinct for cyber security from CEO down to individual employee . The development of this knowledge will have a basis in education , shared awareness , inclusiveness and , once developed , would represent a cyber security culture across the sector .
8
Should this be a national initiative ?
That would be a good place to start , but the space supply chain is globalised , and the management of satellites are linked globally , and represented by an internationally networked organisation of systems . A fully developed response regime would have to be international , which would imply some form of treaty agreed between nations , however , experience suggests that developing these agreements can take a very long time . Meanwhile cyber threats , which are not burdened by bureaucracy , become more potent .
An alternative approach would be to move things forward from within the supply chain itself , replicating other sectors such as financial services . Nonregulated approaches to cyber security have a number of advantages , particularly in the essential ingredients of pace and agility in developing responses . While governments have a role to play in cyber security , particularly in identifying strategic goals and providing base level funding to resource the response , the supply chain has a major role to play in protecting itself , and the systems on which modern society is becoming dependent . ■
David Livingstone is a Markets Adviser to the Satellite Applications Catapult sa . catapult . org . uk David is also an Associate Fellow at Chatham House . His recent report ‘ Space , the Final Frontier for Cybersecurity ’ can be found on the Chatham House website at : chathamhouse . org / publication / spacefinal-frontier-cybersecurity
spring 2017 | UKSPA breakthrough | 31