A distributed denial-of-service (DDoS) attack this week disabled electronic door locks across a major lunar settlement, trapping dozens of people indoors and locking out many more in lethal cold. The threat actor behind the attack is believed responsible for also commandeering a swarm of decades-old CubeSats last year and attempting to use them to trigger a chain reaction of potentially devastating satellite crashes.
Neither "incident" has happened, of course. Yet. But they well could, sometime in the not-too-distant future, and now is the time to start thinking about and planning for them.
That's the takeaway from a new US National Science Foundation (NSF)-funded study on Outer Space Cyberattacks by researchers at the California Polytechnic State University (Cal Poly). The 95-page report examines a confluence of potential drivers for a new frontier in cyberattacks over the next several decades as countries — and private industry — jostle for dominance and influence in outer space.
A Taxonomy for Space Cybersecurity
The report first and foremost offers a taxonomy for space cybersecurity that researchers can use to spin up virtually millions of novel cyber-enabled attack scenarios involving launch and ground infrastructure, satellites, space stations, satellite phones and terminals, and communications links from ground to space.
The theoretical lunar door lock attack and CubeSat swarm hijack are two among 42 scenarios that the authors provide as a sampling of how researchers can use the taxonomy to conjure up all the different ways in which cyberattacks could unfold in space. Other examples include injecting fake data related to extraterrestrial life in a deep space mission to trigger an unmerited, costly, and time consuming response; or contaminating critical food supplies to an outer space encampment by attacking systems controlling those supplies.
The taxonomy itself is presented in the form of a matrix called ICARUS (which stands for "Imagining Cyberattacks to Anticipate Risks Unique to Space"). The matrix lists all the major variables that constitute a cyberattack and organize them by attack vector, type of exploits, potential threat actor motivations, victims, and the various space capabilities that an attack could compromise. By selecting a variable from two or more of these categories, researchers can create more than 4 million novel scenarios for cyberattacks in outer space, according to the researchers.
"There are several reasons to think that cyberattacks will be the dominant form of conflict in space," says Patrick Lin, lead author of the report and director of Cal Poly's Ethics + Emerging Sciences Group.
Yet, most discussions — the unclassified ones at least — that involve cyber threats in space rarely tend to go beyond some generic scenarios of satellite hacking or jamming, signal spoofing, or disabling GPS communications, Lin says.
Partly, that's because all reported incidents of cyberattacks against space targets so far have only involved one of these components. The most recent example is Russia's February 2022 attack on US communications company Viasat that disrupted satellite connectivity to tens of thousands of customers across Europe. The other is an increasingly dangerous failure to consider or acknowledge all the different attack surfaces that are opening up as government and private sector organizations rush to deploy myriad new technologies in space — from giant spaceships to tiny CubeSats for scientific research.
A Failure to Imagine Space Attacks
"Since failing to imagine a full range of threats can be disastrous for any security planning, we need more than the usual scenarios that are typically considered in space-cybersecurity discussions," Lin says. "Our ICARUS matrix fills that 'imagineering' gap."
Lin and the other authors of the report — Keith Abney, Bruce DeBruhl, Kira Abercromby, Henry Danielson, and Ryan Jenkins — identified several factors as increasing the potential for outer space-related cyberattacks over the next several years and decades.
Among them is the rapid congestion of outer space in recent years as the result of nations and private companies racing to deploy space technologies; the remoteness of space; and technological complexity.
As the report notes, the number of registered objects in space — most of which are satellites — have been climbing at an astonishing pace recently after holding steady at around 150 new objects per year between 1965 and 2012. In the last two years that number stood at 2,600 new objects on average each year.
The remoteness — and vastness of space — also makes it more challenging for stakeholders — both government and private — to address vulnerabilities in space technologies. There are numerous objects that were deployed into space long before cybersecurity became a mainstream concern that could become targets for attacks.
"And, as crazy as it sounds, satellites are still being launched today with no cybersecurity, such as CubeSats that are popular with university labs and others for their inexpensive cost to build and launch," the report noted. "They typically have neither the onboard room to squeeze in cybersecurity components nor the budget for it anyway."
Space Junk, Technological Complexity & More
Exacerbating the situation is the growing complexity of space systems — which are often still prototypes at deployment — and the relative lack of attempts to understand or study cyber-exploitable vulnerabilities in them. There's a general lack of public information around potential cyber issues in space technologies as well — and space supply chain in general — sometimes because of technological novelty, or because of security classification reasons or because of a manufacturer's unwillingness to disclose details.
Interestingly, the self-interest among stakeholders to avoid contributing to the growing problem of space debris could ironically force adversaries to avoid kinetic conflict in outer space and use cyber means as a way to settle scores. There are currently some 35,000 pieces of trackable space junk and more than 1 million smaller bits — and no one really wants to increase that volume by crashing or blowing up other space objects, the report noted.
Lin and his colleagues also identified unclear legal regimes and the potentially high visibility and impact of cyberattacks on space assets as also potentially driving adversary interest in future.
"Assessing capabilities in cybersecurity is never easy, and it’s even worse for the space domain because of the inherent national-security concerns that may classify much of that information," Lin says. "Space cybersecurity is shrouded in mystery from the start, which isn't surprising since space launches started as military missions."
But security by obscurity will not be an option for long, he says. Already researchers have begun looking for vulnerabilities in space technologies he says pointing to several teams that successfully hacked a 3U CubeSat at DEFCON last year "Cybersecurity is benefitted when more researchers can focus on a problem, but the classification of technical details and the lack of general awareness about space cybersecurity are preventing more cybersecurity practitioners from engaging with the problem here."
Lin says there are several key audiences for the report with space cybersecurity professionals — both technical and policy-related — being the prime ones: "Even if they understand the drivers of the problem — and it's critical to understand a problem in order to solve it — security planners can always use help in anticipating novel threats."
Second, the report also seeks to raise awareness of the problem with researchers from other disciplines, especially non-technical ones like the social sciences and humanities, Lin says. And third, "we also want to raise awareness with the broader public becausewe're all stakeholdershere by virtue of being possible victims," he adds.
