A recent article from Via Satellite states commercial satellite companies are increasingly being targeted by regimes as part of geopolitical conflicts. The state-sponsored adversaries behind these attacks are very advanced, have access to large amounts of money and are extremely capable. Satellite operators around the world must come to terms with the fact that, at some point they will face exposure, nothing is invulnerable, even highly segmented military programs may only have the illusion of boundary security. Even more troublingly, startups and existing commercial companies are under an increasing pressure to reduce costs and achieve reasonable consumer-level pricing, with this pressure non-functional requirements such as security are easily overlooked or cut short. Operators must begin to accept these facts and then respond and evolve with the changing landscape in order to stay secure.
Interestingly cyber-attacks are growing not only due to the increasing capabilities of attackers and the growing surface area of the networks, but as a less confrontational and risky attack on a country. A kinetic attack on a country’s satellites is relatively traceable and could be seen as an act of war drawing political ramifications and major condemnation. Whereas a cyber-attack is fairly difficult to definitively pin to a specific country or group and makes it possible for countries to distance themselves and claim no affiliation with cyber attacks of another country’s satellites. These attacks can absolutely have life and safety impact in the real world, however their current difficulty of attribution and the lack of up-to-date and coherent shared policy on these types of attacks place them in a different category than direct, physical-world aggression. In the near future more thought and policy needs to be invested along these lines based on the criticality and impact space systems can now have on nearly every resource humans rely on for day-to-day life.
In the article Charles Beames, chairman of York Space Systems and SpiderOak Mission Systems, claims that you cannot avoid compromise forever, eventually your system will be compromised. The implications of this statement and the impact it has on system architecture is very broad and in a lot of cases far beyond the security level on which many systems operate today. One way to operate with the expectation of compromise and limit the blast radius is zero-trust architecture. While this may end up being the right approach, I find this an interesting implication for the space sector moving forward, historically zero-trust architecture has been a discussion topic, but is still fairly early on in development. While we have gotten pretty good at securing IT systems, a major component and entry point to space system, and have started to implement zero-trust architectures, the complexities and resource limitations as well as the hardware vectors of space systems still have significant work and milestones to overcome before they’re ready to be considered zero-trust. I believe there is still a lot of money and research necessary to further the development of zero-trust systems in space.