To a Sustainable, Secure and Safe Space Environment: Reflections about the Establishment of a Cyber-Security Policy
Space-based systems play an important role in our daily lives and businesses. Telecommunications, weather forecasting, financial services, positioning applications and television are just a few of the thousands of services that heavily rely on space-based systems.
As space-based systems are vulnerable to various threats, protecting them requires attention to (a) the space segment, (b) the ground, or control, segment that is used to upload data to the satellites and to control the satellites’ orbit and performance, together with its associated ground communications network, and (c) the user segment, which consists of any device that allows access to services. This protection shall consider all phases of the overall mission lifecycle, e.g. design, manufacturing, operations (including the launch phase) and disposal.
For many years, Space Agencies and commercial operators worldwide have considered themselves to be potential targets of cyber-attacks in the same way as any other user of cyberspace is. However, this view (as demonstrated by serious security incidents briefly described in available open literature[i]) is now changing, and the space community is becoming increasingly aware that the cyber-security of space systems should be conceived not only in terms of fighting traditional cyber-threats vectored through space systems, but also in terms of the security, protection and reliability of space technologies and systems themselves, as potential targets of cyber-threats.
The European Space Agency (ESA) is no exception in this picture. The Agency as an Institution is a target, and cyber threats are common in ESA. The most common are viruses, Trojans and worms distributed by amateur hackers. However, some are more serious, sometimes targeted, security attacks. As a matter of fact, ESA’s role in programmes such as Galileo, Copernicus and SSA has generated interest in a more professional hacker community seeking to obtain sensitive information. A further threat to ESA is the potential infiltration of critical infrastructures with software that can take over control of the facilities. Many systems are vulnerable because they are not provided with the most recent security patches, or because they employ weak passwords. Once in a system, the attackers hop to others on the same network, looking for similar vulnerabilities. Alternatively, hackers exploit the users of the systems to gain control, for example by sending email that installs keylogging software or as part of “phishing” attacks. In all of these cases, a lack of awareness on the part of owners and users creates conditions that hackers can exploit.
All security incidents in ESA are carefully followed up as, in some cases, the impact may be a big one (e.g. loss of productivity or loss of reputation). Continuous watch and liaison by ESACERT, Projects, and the Security Office allow fast reaction and continuous monitoring of potential threats.
Within this contested and aggressive cyber-environment, the European Space Agency’s specific Mission adds the complexity of operating infrastructures located so far away in the solar system that electromagnetic pulses need, in some cases, to travel for over one hour to reach them from the control centre based on Earth (e.g. the Huygens spacecraft landed on Titan, one of Saturn’s moons). Obviously, in this context, ESA has the very specific need and obligation to also protect the European taxpayer’s investments based in space (and sometimes in deep space) from cyber menaces, whether of an operational nature or hidden and latent in the on-board components of the spacecraft.
The European Institutional response to cyber-threats is progressively becoming more visible and efficient in stimulating awareness within the communities involved in the protection and development of critical infrastructures. With the objective of ensuring a safe and secure environment for its institutional missions, the European Space Agency led two parallel in-depth technical studies[ii] supporting the establishment of recommendations and of a policy through which ESA missions can define their own specific cyber-security requirements in order to guarantee reaching their mission-specific objectives and consequently, protecting the image and the interests of the Agency in relation to the external world.
Similarly to the approach followed in the development of the Space Situational Awareness (SSA) concept, if necessary and appropriate, already existing inter-institutional cooperation between ESA, the European Commission (EC) and the European Defence Agency (EDA) could even be extended to include deliberation and/or other activities to enhance the cyber-security of the European institutional and commercial space missions. This would take stock of the EU Critical Infrastructure Protection Programme, the Code of Conduct for Outer Space Activities, the recent EU Cyber-Security Strategy, and the EC/ESA/EDA Joint Task Force on Critical Space Technologies for European Strategic Non-Dependence.
Hence, the key is collaboration: ESA, the European and International Institutions, national space agencies worldwide and commercial space entities all share the same concerns! More coordination among these entities is necessary.
Think-tanks and respected international fora world-wide (e.g. the International Astronautical Federation, the European Space Policy Institute, Secure World Foundation, the UN Institute for Disarmament, etc.) should be instrumental in facilitating the dialogue among the stakeholders and international partners, raising the level of awareness about the blurring legal distinctions defining the outer space and cyberspace, and paving the way to the development of a governance paradigm needed to guarantee a sustainable use of outer space in an ever more contested, congested and competitive cyber-security environment.
[i] L. del Monte, “TOWARDS A CYBER-SECURITY POLICY FOR A SUSTAINABLE, SECURE AND SAFE SPACE ENVIRONMENT”, IAC-13,E3.4,8x16989 – Beijing 2013
[ii] “Study on the cyber-security risks of space missions and associated mitigation measures under the contract” performed respectively by Thales Communications & Security and performed with the support of Thales Alenia Space France, and by GMV of Spain.