In recent news, the German Federal Office for Information Security (BSI) has released a document detailing an IT baseline, or reference checklist, for protecting space infrastructure. The release is part of a strategy to draw attention to the aging security of space technology.
It is better to make the first move before threat actors start a snowballing trend of attacking satellites.
Better Late Than Never
The document is the culmination of a year of research conducted by Airbus Defense and Space, the German Space Agency located at the German Aerospace Center (DLR), accompanied by BSI and other collaborating agencies.
The IT baseline defined in the document sets out minimum recommendations for a security concept to be implemented by space actors. Think about it. There are somewhere around 2,000 functioning satellites in orbit, with 3,000 dead satellites floating around up there.
The document notes that there are currently no regulations governing security practices for satellites. This also means that a security standard for maintaining the security of space satellites during their lifetime is virtually non-existent. The only exception is that the company would be responsible for maintaining it, if that even happens.
It categorizes the essential protection requirements of various satellite missions, ranging from "normal" to "very high," and proposes information security measures to be implemented from manufacture through to the operation of the satellites themselves.
The risk designations correspond to damage that is considered manageable and able to be mitigated. "High" is considered high-consequence damage that "can significantly limit the operation of the satellite system," whereas "very high" means that a cyberattack could disable and "reach an existentially threatening, catastrophic extent for the operator or the manufacturer."
Security, in the general sense, has been left as an afterthought during satellite manufacture, as opposed to being implemented by design. Again, companies have always been responsible for maintaining the integrity of the space infrastructure.
But if threat actors are not actively focused on satellites, there is probably little concern for maintaining up-to-date security measures. However, this is not the mindset the BSI is promoting. The document calls for satellite manufacturers to implement security at the satellite’s core.
If hackers turned their gaze toward the stars, then the recommendations proposed by this concerted initiative would ostensibly evolve into a government mandate. This is because once threat actors popularize an attack vector, it snowballs into a much larger threat than it initially posed. Word of mouth coupled with social media spreads faster than wildfire.
The details in the document are exhaustive. But while the information serves as a minimum security checklist, it will remain at the discretion of manufacturers and the companies that maintain them to adopt the formulas into some semblance of a security policy.
It encompasses phases of the satellite lifecycle such as design, testing, transport, commissioning, satellite operation, and decommissioning. It also covers the networks and applications designed to support the space infrastructure, including the level of the subnet.
Interestingly, the European Space Agency (ESA) posted a challenge to hackers of all hats to participate in trying to attack its OPS-SAT spacecraft within a controlled environment. The impetus behind it is to analyze and better understand vulnerabilities within OPS-SAT infrastructure.
What Kind of Operating Systems Do Satellites Use?
I was a teenager in the 1990s, fascinated by hacking through an unfettered imagination. I had just watched the 1995 film Hackers and wondered if hackers could really capsize an oil fleet with a computer virus.
Many modern threat actors are focused on financial gain through sophisticated means. But back then, I just wanted to hack the 3,685-square-foot ABC Supersign in Times Square, New York.
That is, until every hacker with imagination was daydreaming about hacking space satellites. The closest I got to hacking satellites was breaking into a high-performance broadband satellite router in Nigeria, through weak remote desktop protocol access controls.
Still, the discussion among hackers continues today. Why? In my opinion, it is because space is largely still an unexplored frontier by hackers, and we truly do not yet know the scope of what we could achieve from hacking space tech.
A variety of operating systems are in use within space tech, such as the open-source eCos (the Embedded Configurable Operating System). VxWorks is rather popular and is used by both academia and industry. Even the Mars rovers utilize this operating system.
What is interesting is that NASA and SpaceX use Linux at their ground stations. NASA also uses Linux for equipment that maintains an orbiting surface, which includes its avionics systems, and some computers still operate Unix.
In 2020, SpaceX software engineers announced that the company had launched 32,000 Linux computers into space for Starlink internet access. This means that every SpaceX monthly launch of 60 internet-broadcasting Starlink satellites carried a total of 4,000 stripped-back Linux computers.
Lastly, it is good that BSI and cooperating space agencies are planning ahead. The time will come when hackers begin to explore bigger targets. Since most threat actors I have observed posture their hacks for bragging rights, I have yet to see someone boast about hacking actual satellites and their claims be true.
Let’s hope that day does not arrive for a long time.