When Rockets Fail: Cyber Risks From the Grounding of Falcon 9


On July 11th, 2024, SpaceX’s Falcon 9 rocket suffered an engine failure midflight, causing the loss of 20 Starlink satellites and prompting an investigation by the Federal Aviation Administration (FAA). This in-flight failure was the first major Falcon 9 failure since 2015, breaking an impressive record of successful flights the company had recently experienced. While the loss of 20 Starlink satellites represents a small setback for SpaceX, the larger challenge for the company and all stakeholders comes from the grounding of the Falcon 9 fleet of launch vehicles.

The Falcon 9 has established itself as a true workhorse in the space launch industry. With the capability of launching 22,800 kg to Low Earth Orbit (LEO) and 8,300 kg to a Geostationary Transfer Orbit (GTO), it has launched 352 times since its first launch in 2010. Of these, a remarkable 284 have been re-launches, where large or full portions of the rocket body from a previous launch are reused, a capability that has revolutionized the launch industry and cut the costs of launches. In 2023 alone, Falcon 9 accounted for nearly 44% of the 223 orbital launches worldwide. By 2024, it had already achieved 68 successful launches, averaging nearly one launch every three days, before the most recent failure.

Though the grounding of Falcon 9 is damaging to SpaceX’s reputation and finances, the loss of the rocket in the near term may have farther-reaching impacts than money and prestige alone. Because the rocket has taken such a dominant role in the launching of satellites, its loss puts many commercial and defense satellites at risk of launch delays. These delays could affect necessary upgrades to constellations as well as new systems, making them unavailable for longer than expected. Satellite systems that were expecting updated hardware to support more secure missions will now have to wait until the launch freeze is lifted to reschedule their missions. Senior leaders at the U.S. Space Command have expressed confidence in SpaceX regarding the current launch failure as they plan to launch many more satellites with the company in the months and years ahead. Although the delay may be short, as SpaceX is already petitioning the FAA to allow it to launch again, it highlights an over-reliance of the space industry on one launch partner.

The over-reliance of U.S. Space Command, other government agencies, and companies on SpaceX puts all of their future missions at risk. The concerns raised by an investigation into an in-flight failure would likely pale in comparison to the delays and concerns that may mount if a coordinated and successful cyber-attack were launched against the SpaceX launch segment. If an adversary were able to gain access to SpaceX computer systems or launch data, it would likely result in another grounding of the launch fleet until a thorough cyber investigation had concluded. Because SpaceX is known for quickly iterating through designs, the company may have placed more emphasis on physical hardware optimization and missed vulnerabilities in the operating systems of the launch vehicles. Since these rockets are reused, they are at even greater risk, as a threat actor could have an opportunity to perform reconnaissance and gain initial access in early flights before moving laterally into satellites in the payload bay or destroying the rocket itself. If reconnaissance of the Falcon 9 launch system showed that the rocket and payload computer interfaces were not sufficiently segregated but instead shared resources or access points, this could be a significant weakness for a threat actor to exploit.

Further, regardless of the launch provider, there is a tendency for delays in launches to pile up as weather conditions or hardware issues push launch windows to later dates. This may leave the hosted satellites vulnerable to cyber threats as they are not being operated in the environment for which they were designed. While on a launch pad, they are likely connected to the ground through an umbilical system, providing 24/7 access to the computer systems for persistent actors. Their computer systems are also in a vulnerable state due to being in a non-operating configuration.

Although SpaceX has proven a valuable partner for dozens of government agencies and companies, the over-reliance on the Falcon 9 launch system adds risks to space operations. It is important that an extensive network of launch partners is used to provide for a primary, alternate, contingency, and emergency (PACE) launch system rather than being grounded indefinitely if one experiences unforeseen problems. Diversifying launch providers and developing robust contingency plans are crucial steps to ensure the resilience and security of space missions in the face of both physical and cyber threats.

