SpaceX's Falcon 9 rocket launches the Telstar 19V telecommunications satellite into orbit on July 22. Air Force photo by A1C Dalton Williams.
Satellite industry executives plan to form a government-backed clearinghouse to share real time information about cybersecurity threats to space assets — amid growing concern about software vulnerabilities in commercial satellites used by both civilian and military customers.
The Space Information Sharing and Analysis Center (Space-ISAC) would join ISACs in 24 other vital national industries in the National Council of ISACs, a public-private panel led by the Department of Homeland Security to promote cooperation in cyber defense.
Fred Gaudlip, director of space control at Kratos Defense and Security Solutions, is helping to lead the effort. “It’s at a very early stage,” he told Air Force Magazine after an impromptu announcement about the initiative at the CyberSat conference in Virginia Nov. 15.
The Space-ISAC, like its 24 brethren in sectors like financial services and telecommunications, will provide a forum for competing companies to share real-time information on a non-attributable basis about new cyberattacks and vulnerabilities — and also get rapidly declassified cyber threat intelligence from government agencies.
Although there are no publicly known incidents of satellite hacking, the announcement highlights growing concern about software vulnerabilities in satellites and ground stations at a time when the lines between military and civilian infrastructure are increasingly blurred.
“It will be an industry effort,” Gaudlip said, “but we’re hoping it will include [sharing information about threats to] products used by the military and the intelligence community.”
Howard Marshall, director of cyber threat intelligence at Accenture Security, said the US military depends on civilian satellite infrastructure for bandwidth, imagery and other services and shares a common supply chain.
The Pentagon and major defense contractors may be able to protect their digital assets, but smaller companies are more vulnerable. “As you go down that value chain, cybersecurity falls further and further,” said Marshall, a former FBI cyber official.
Chris Inacio, a software engineer from the cybersecurity CERT Division at Carnegie-Mellon University’s Software Engineering Institute, said satellite are “exquisitely engineered” to survive the super-harsh environment of space, but are less resilient in cybersecurity terms.
“There’s no reset button,” he said, and the capacity to update satellite software is very limited. For hackers, it offers the ultimate prize — the ability to remain undetected inside the system for long periods of time.
“Once you’re there, you’re in,” he said.
Historically, engineers monitoring satellites were “not necessarily looking at anomalies with regard to cybersecurity.” Instead, they would typically “log it and move on,” Inacio said. “Cyber isn’t really in their vocabulary.”
“Bob Gourley, former chief technology officer at the Defense Intelligence Agency, said the risks are high: “We are setting ourselves up for a fall.” The satellites the U.S. relies on “have [software] vulnerabilities, they fly over hostile territory, they have ground stations in countries that don’t have good rule of law.”
Satellites are also essential critical infrastructure. “Key sectors of our economy rely on satellites to move data to remote places,” Gourley said. “It’s not just TV, it’s mining, fisheries, agriculture, oil and gas.”