In 2022, the Satellite Cybersecurity Act was introduced in the United States Senate. The bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) to outline, consolidate, and clarify cybersecurity recommendations for satellite operators. This legislation follows the recent Cyber Incident Reporting for Critical Infrastructure Act and the larger trend of heightened focus on critical infrastructure cybersecurity. The Satellite Cybersecurity Act is unique, however, as it reflects the growing importance satellite networks play in modern society generally and critical infrastructure specifically.
For many years, satellite usage was largely limited to communication and GPS services. In the 1990s there was a series of projects designed to popularize and diversify satellite usage, but each failed to gain sufficient market traction. The lack of success stemmed directly from high manufacturing costs and technological immaturity. Within the past five years, however, many of these inefficiencies have fallen dramatically. Advances in manufacturing, technology and design have paired with decreases in deployment costs to dramatically increase interest in satellite solutions. In 2015, there were about 1,300 deployed satellites globally. In 2020, that number had more than doubled. This trend of rapid growth is not expected to decrease. Furthermore, a significant amount of this growth comes from the emerging satellite internet market. These projects, such as SpaceX’s starlink, are increasing the number and types of enterprises utilizing satellite supported connectivity. This in turn is creating new satellite dependencies in established markets.
One such area is the operational technology landscape inside critical infrastructure. The Industrial Internet of Things, OT/IT convergence, and Industry 4.0 are all interrelated trends shaping the future of critical infrastructure. Each deals with the increasing need for connectivity and integration of network architectures, and in many cases, satellite services offer the best connectivity solution. Of course, as satellites play a larger role within such systems, they also bring a new threat vector for malicious actors to exploit. This concern was highlighted in the Senate press release concerning the Satellite Cybersecurity Act. The statement recognized industrial control systems as “heavily reliant on commercial satellites” and noted this as an important vulnerability arising for critical infrastructure. The same statement noted attacks taking place on government satellite systems and the anticipation of similar attacks targeting commercial networks.
Indeed, a coordinated attack on a commercial satellite network was already seen in the winter of 2022. Just prior to the Russian invasion of Ukraine, the Russian military launched a cyberattack on a satellite network owned by Viasat (a United States owned commercial network). The intention of the attack was to degrade Ukrainian communication systems which utilized Viasat services. Simultaneously, however, the incident disabled 5,800 German wind turbines. The attack was facilitated through a malicious update propagated through user terminals designed to receive signals from the satellites. This example is important, as it demonstrates the ease with which industrial control systems can be negatively impacted – even as collateral damage. At the same time, auditing software inventories is already an established best practice when it comes to more traditional pieces of operational technology. The challenge will be how stakeholders can properly adapt and apply these principles to this new set of technologies and network architectures.
The Satellite Cybersecurity Act aims to mitigate disruptions like these by beginning this work. It will do this by drafting “voluntary cybersecurity recommendations designed to assist in the development, maintenance, and operation of commercial satellite systems.” Among these recommendations will be guidance concerning risk-based monitoring, retention and recovery of control, and protection against unauthorized access. As stated, these standards are likely to be voluntary in nature, but there may come a time for direct regulation of satellite operations in the not so distant future.
In the meantime, satellite operators and those integrating satellite services within their larger network architecture can benefit from solidifying their security stance and implementing additional security safeguards where needed. A rigorous review would include:
Investigating the extent to which critical services utilize satellite functionality (directly or indirectly) will be beneficial in creating a more complete vulnerability picture. Satellite systems are here to stay – so understanding ways of integrating celestial and terrestrial equipment while maintaining robust security will continue to be important in the 21st century and beyond.