The commercial satellite boom is leaving space vulnerable to hackers

Humanity’s imagination turned toward the heavens this month as the James Webb Space Telescope revealed images of distant galaxies.

But John Crassidis, who worked on initial designs for the telescope at NASA during the 1990s, is focused on something closer to home: securing the thousands of human-made satellites orbiting the Earth — many of which are now controlled by the private sector. And Crassidis, now the director of the Center for Space Cyber Strategy and Cyber Security at the University of Buffalo, is waiting for one of them to be wiped out by a cyberattack.

“I don’t think it’s a question of if, I think it’s a question of when,” he told The Record.

He’s not the only one who is worried: U.S. lawmakers and other researchers are seeking solutions for securing our increasingly crowded skies. 

“We need to make every effort to understand what further actions can be and should be taken to strengthen cybersecurity for civil and commercial space systems, including commercial space systems that provide mission-critical government data and services,“ said Subcommittee on Space and Aeronautics Chairman Rep. Don Beyer (D-VA) in a Thursday hearing. 

As more nations and private entities have the capacity to launch spacecraft into orbit, the number of satellites surrounding the earth has skyrocketed up to 7,895, according to data from the United Nations Office for Outer Space Affairs. 

Many are private communications satellites now being used to provide internet access that can be a lifeline to isolated areas or when local infrastructure is disrupted in conflict. 

However, those lifelines can still be vulnerable to cyberattacks — a problem highlighted by a cyberattack that disrupted satellite internet provider Viasat during the invasion of Ukraine. The U.S. and European allies attributed that attack to Russia. 

“For commercial vendors, they are driven by the consumers of the services that are being used — so they may not be as willing to pay for security as a [Defense Department] or civil agency would because they are required to do so,” Theresa Suloway, Space Cybersecurity Engineer at MITRE Corporation, testified. 

But even while some U.S. agencies work to provide guidance for how to secure commercial satellites, many remain vulnerable to attacks that could interfere with communications capabilities on Earth or put them on a crash course with other space objects. 

Such an attack could have long-term consequences for humanity’s navigation of local space. 

“A collision between satellites would not only destroy the satellites involved, but the resulting debris would permanently remove that orbit or region from use by any other satellite,” said Suloway. “This risk requires pre-emptive rather than reactive action.” 

Even without such attacks, space is already getting crowded with debris. NASA reported last year that it’s tracking more than 27,000 pieces of space junk that are already creating challenges for spaceflight and likely to cascade — a pollution problem known as “Kessler Syndrome” after NASA scientist Donald Kessler who raised concerns about the risks in the 1970s.

The final frontier for cybersecurity

Protecting a satellite involves securing both the object in orbit as well as the ground control station used to communicate with it. The ground stations are generally easier targets for digital attackers, but both can be vulnerable, Suloway testified to the space and aeronautics subcommittee. 

For example, satellites rely on solar panels that must be carefully positioned to stay powered — so losing control of the systems that angle them may cause them to be knocked permanently offline in a matter of days, according to Crassidis.

“It doesn’t take too much to hack into a satellite, turn it — and if we can’t get control back, it’s dead,” he said. “The power is very limited on satellites.” 

Cyberattacks on satellites are thought to be rare, but they’ve happened before.

For example, Beyer noted in his opening remarks that the U.S.-China Economic Security and Review Commission previously reported on hacks targeting U.S. government satellites, including an incident where a cyberattacker "achieved all steps required to command [a NASA earth observation satellite], but did not issue commands."

Crassidis is especially concerned that channels used to transmit commands to commercial satellites may be known and open. 

“The communication bands are pretty standard bands,” Crassidis said. 

In her testimony Thursday, Suloway said securing those channels is an important step towards protecting the commercial space sector — including with encryption modules that are able to be upgraded to quantum algorithms.

“Adding encryption to the groundspace link would mitigate some of the vulnerabilities by making it harder for malicious sources to send commands to the satellites,” she said. 

The Federal Communications Commission (FCC) previously considered including encryption requirements as part of regulations related to commercial spacecraft in 2020, but didn’t. 

“It’s a big concern and the FCC keeps punting,” said Crassidis. 

But it’s not the only concern about digitally securing satellites. 

“Monitoring and situational awareness need to be built in now as part of the fabric of commercial space,” Suloway said, including best practices for digitally securing ground stations as well as satellites.

Developing guides that can lower the entry for using commercially available cybersecurity products can help the commercial space sector improve security without forcing them to do their own experimentation, she added.

Suloway testified in favor of incentivizing commercial sector information-sharing through voluntary collaborations, rather than regulatory approaches to getting the private sector on board — in part, she said, out of concerns that commercial space companies would choose to launch from other parts of the world where they did not have to comply. This might risk the U.S. losing out on a slice of a market that the Space Foundation reports attracted $224 billion in revenue last year. 

Much of the U.S. government’s recent policy moves follow this public-private partnership approach. In 2020, the Trump administration issued Space Policy Directive-5, which ordered U.S. government agencies to “further define best practices, establish cybersecurity informed norms, and promote improved cybersecurity behaviors throughout the Nation’s industrial base for space systems.” 

The next year, the Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of a Space Systems Critical Infrastructure Working Group and the National Institute of Standards and Technology (NIST) issued the first draft of new cybersecurity guidance for commercial satellite operators. 

Following the Viasat attack, CISA and the FBI issued an advisory, while the National Security Agency issued new guidance on protecting satellite internet systems and lawmakers introduced legislation about studying how to prevent such attacks. 

However, these efforts represent best practices — not rules that the government can compel companies to follow. And with more satellites going up every year, the threat of attacks is only on the rise. 

“Right now in space, it’s the wild, wild west – it’s kind of scary when you think about it,” Crassidis said.