The next big hack could come from the stars

Take that fight to 20,000 kilometers (12,000 miles) of space where satellites roam and you have the ultimate frontier of cyber security. And with it come the same vulnerabilities, poor digital hygiene, and human errors that leave land-based systems open to attack. The problem is that it’s much harder to flick a switch or shut down a computer when you can’t casually walk into the server room.

Among the faults are satellite systems lacking two-factor authentication – using two different methods of logging in – or not following the principle of least privilege, giving individual users the lowest levels of required system access. Huh. Many people send their data unencrypted, while the standards and regulations to ensure proper security for the hardware orbiting it are lacking.

But perhaps the biggest cyber security sin, still committed within the realm of satellite systems, is the failure to keep operational technology (OT) and information technology (IT) systems separate. Security administrators have understood for years that a well-designed infrastructure ensures that networks that handle mundane tasks like email and payroll data are completely isolated from computers that handle air-traffic control, satellites, or oil. infrastructure such as pipelines.

“The situation is worse than ever in terms of OT and IT convergence,” Brian Ware, former director of cyber security for the Cyber ​​Security and Infrastructure Security Agency, told a recent US government conference call. “It’s the way, out of space, that the Colonial Pipeline events succeed,” said Ware, who is now the founder and CEO of technology consulting company Next5 Inc.

A ransomware attack in April shut down more than 5,000 miles of oil pipeline, cutting off gasoline supplies in eastern US investigators later found several examples of poor security practices, including password reuse and two-factor authentication. Shortcomings were included, which allowed criminals to access the network and install malicious software.

Bob Kolasky, head of the Department of Homeland Security’s National Center for Risk Management, said at the same conference, “As space becomes more important, it is unfortunate for malicious actors to intercept, deny or replace our space-based assets.” There’s even more encouragement.” National Institute of Standards and Technology. “With space, everything you put in orbit is what you must live with. Systems must be designed so that they can address the dangers and hazards throughout their lifetime.”

What makes satellites and their associated land-based infrastructure even more vulnerable is that the data they transmit can be easily accessed by anyone on Earth with $300 worth of TV reception equipment, allowing you to access the data unencrypted. Can monitor financial data or download information from Russian and US weather. satellite in real time. A nefarious actor with its own satellite may also interfere with or block the signal from these orbiting stations. But the most catastrophic scenarios would be for an adversary to break into a satellite’s control system, redirect its motion, or even crash into another satellite or planet.

It may be that this has already happened. According to one account, in 1998 a breach at the Goddard Space Flight Center in Washington, DC caused a US-German satellite called ROSAT to overtake and turn toward the Sun, damaging the ultraviolet filter on its image sensor. This allegation has been refuted, yet the actual or apocryphal event (the filter was actually destroyed by the Sun) 360 miles above Earth’s surface represents the challenges of repairing hardware or investigating the cause of the malfunction.

The US government has woken up to the threat and is now taking a more active role in dealing with space security. NIST has created a set of guidelines for securing space operations, while the Air Force, Space Force and Defense Digital Service last year introduced “Hack a SAT” to teams around the world as a way to show off their skills and demonstrate their skills. “Invited to come. The US military may be weak.

Their ultimate task was to gain access to the hacked real satellite (sitting securely on Earth) and restore operations. The winning team included employees from Raytheon Intelligence & Space, the cyber division of aerospace, and defense supplier Raytheon Technologies Corp.

But space risk is not limited to military or government systems. The advent of commercial operators such as Elon Musk’s SpaceX, Blue Origin LLC, and Orbital Sciences Corp., (1) the entry of more countries including China and India in the space race — and the development of lighter, cheaper satellites means the numbers fly upwards. Goods will continue to grow.

In fact, half of the more than 4,000 operational satellites are for commercial use rather than government or military use, and 94% launched last year were classified as small, meaning less than 600 kilograms. One possible trend is that companies deploy satellites for their own use as part of global virtual private networks, allowing them to bypass telecom operators and even government restrictions.

And just as the number of Internet-connected computers increased the number of hacks on the ground, so did the inevitable that more networks in orbit would be breached, either directly or through ground stations that track and communicate with them. Used to do

“This means the proliferation of cybertech to protect those networks,” Chuck Beams, president of York Space Systems LLC, said at the NIST conference. While companies will rush to capitalize on this new goldrush in space, 30 years of internet history shows us that businesses and governments can’t really take security seriously until a massive hack happens and satellites breached. Or don’t get lost.

Beams, a former space and intelligence officer in the US Air Force, likens the current rapid pace of development in the satellite industry to the US program that landed the first humans on the Moon. “At least in the Apollo era we knew we were going to the moon,” he said. “Here, we don’t really know; here it’s more wild, wild west than ever.”

(1) Orbital was acquired by Northrop Grumman Innovation Systems Inc. in 2018.

This story has been published without modification in text from a wire agency feed. Only the title has been changed.