The Next Big Hack Could Come From the Stars
(Bloomberg Opinion) -- For decades, IT administrators have waged an endless war to protect their systems from hackers. That struggle started half a century ago with audio tapes and floppy discs the primary weapon, before faster wired and mobile communications allowed an adversary to breach a target’s network to steal credit card information or shut down oil pipelines.
Take that battle 20,000 kilometers (12,000 miles) into space where satellites roam and you have the final frontier of cybersecurity. And with it come the same vulnerabilities, poor digital hygiene, and human errors that make land-based systems open for attack. The problem is that it’s a whole lot harder to flick a switch or turn off a computer when you can’t take a casual walk down to the server room.
Among the mistakes are satellite systems lacking two-factor authentication — using two separate methods of logging in — or not following the principle of least privilege, whereby individual users are given the lowest levels of system access necessary. Many send their data unencrypted, while there’s a lack of standards and regulations to ensure proper security for orbiting hardware.
But perhaps the biggest cybersecurity sin possible, one still committed in the realm of satellite systems, is failing to keep operational technology (OT) and informational technology (IT) systems separate. Security administrators have understood for years that a well-designed structure ensures that networks which handle mundane tasks like email and payroll data are fully isolated from computers that run infrastructure such as air-traffic control, satellites, or oil pipelines.
“The situation is worse than it’s ever been in terms of OT and IT convergence,” Bryan Ware, the former director of cybersecurity for the Cybersecurity and Infrastructure Security Agency, told a recent U.S. government conference. “This is the way, outside of space, that Colonial Pipeline incidents are successful,” said Ware, who’s now the founder and chief executive officer of technology consultancy Next 5 Inc.
That ransomware attack in April shut more than 5,000 miles of oil pipeline, cutting off gasoline supply across eastern U.S. Investigators later found a number of examples of poor security practices, including the re-use of passwords and lack of two-factor authentication, which allowed perpetrators to access the network and plant malicious software.
“As space becomes more important, there becomes unfortunately even greater incentives for malicious actors to disrupt, deny or alter our space-based assets,” Bob Kolasky, head of the Department of Homeland Security’s National Risk Management Center, told the same conference organized by the National Institute of Standards and Technology. “With space, whatever you put in orbit is what you must live with. Systems must be designed so that they can address threats and hazards throughout their lifespan.”
What makes satellites and their associated land-based infrastructure more vulnerable is that the data they transmit can be easily accessed by anyone on Earth with $300 worth of TV reception equipment, allowing you to eavesdrop on unencrypted financial data or download information from Russian and American weather satellites in real time. A nefarious actor with its own satellite could even cause interference or block the signal from these orbiting stations. But among the scariest of scenarios would be for an adversary to break into the control systems of a satellite, redirect its movement or even crash it into another satellite or the planet.
That may have already happened. According to one account, a breach at the Goddard Space Flight Center in Washington, D.C., in 1998 led to a U.S.-German satellite called ROSAT being overtaken and turned toward the sun, damaging the ultraviolet filter on its image sensors. This allegation has been denied, yet whether real or apocryphal the incident (the filter was indeed destroyed by the sun) shows the challenges of repairing hardware 360 miles above the earth’s surface or even investigating the cause of the malfunction.
The U.S. government has woken up to the threat and now takes a much more pro-active role in tackling space security. NIST has drafted a set of guidelines for securing space operations, while the Air Force, Space Force and Defense Digital Service last year invited teams from around the world to come “hack a sat” as a way of showing off their skills and demonstrating where the U.S. military may be vulnerable.
Their final task was to regain access to a hacked real satellite (sitting safely on earth) and restore operations. The winning team included staff from Raytheon Intelligence & Space, the cyber division of aerospace and defense supplier Raytheon Technologies Corp.
But space risk isn’t limited to military or government systems. The advent of commercial operators such as Elon Musk’s SpaceX, Blue Origin LLC, and Orbital Sciences Corp., the entry of more nations into the space race — including China and India — and the development of lighter, cheaper satellites means the number of objects flying overhead will continue to rise.
In fact, half of the more than 4,000 operational satellites are for commercial rather than government or military use, and 94% of those launched last year were categorized as small, meaning less than 600 kilograms. One likely trend is for companies to deploy satellites for their own use as part of a global virtual private network, allowing them to bypass telecom operators and even government curbs.
And just as a greater number of internet-connected computers increased the number of hacks on land, so too comes the inevitability that more networks in orbit will be breached either directly or through the ground stations used to track and communicate with them.
“What that’s going to mean is a proliferation of cybertech to protect those networks,” Chuck Beames, chairman of York Space Systems LLC, told the NIST conference. While companies will rush to cash in on this new goldrush in space, 30 years of internet history shows us that businesses and governments may not truly take security seriously until a massive hack occurs and satellites are breached or lost.
Beames, a former space and intelligence officer in the U.S. Air Force, likens the current rapid pace of growth in the satellites industry to the U.S. program that landed the first humans on the moon. “At least in the Apollo era we knew we were going to the moon,” he said. “Here, we really don’t know; here it is more of a wild, wild west than ever.”
Orbital was acquired by Northrop Grumman Innovation Systems Inc. in 2018.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Tim Culpan is a Bloomberg Opinion columnist covering technology. He previously covered technology for Bloomberg News.
©2021 Bloomberg L.P.