Space for Cyber Security...in Space?
01 April 2019
A sector changing at lightspeed
The space industry is experiencing unprecedented attention. It is characterised by a complex interaction of products and services, customer types and potential applications that vary by geography, technology used and position in the value chain. Traditionally the industry is described as being made up of discrete segments: ‘manufacturing’, ‘operations’, and downstream ‘applications’. However, across these areas, the market is being disrupted by emerging trends:
- Launch is getting cheaper.
- Satellites are getting smaller and more capable.
- Venture capitalist funded private sector companies are entering the space market.
- New applications and services are driving the commercial market for connectivity.
- Civil space spending is increasing.
If the sector is to realise the government’s aspiration of taking 10% of the global market by 2030, the foundations must be safe, secure and sustainable - and therefore address cyber security.
Growth in the industry will drive growth in cyber attacks
While the use of large GEO satellites will always remain, the development of multi use small form factor satellites in larger constellations is driving commercial growth in the space industry. The demand is for bespoke products and services (or additional aspects to existing services) from a growing civil customer segment. From a cyber security perspective this will result in a larger attack surface both in the space and ground segments and demonstrate a growing need to assure the security of the integrated network, the manufacturing supply chain and the information transmission, analysis and storage. Regulators, public and private space organisations are seeking to address these challenges in order to realise the maximum business benefit - as only through implementing security and privacy by design, and assuring for safety and security, will space enterprises obtain and sustain customer confidence in this growing market.
An established threat
The Centre for the Protection of National Infrastructure (CPNI) judges that critical national infrastructure (CNI) sectors represent core strategic interests for foreign intelligence services. Many CNI sectors, of which space is one, are bringing their operational technology and control systems online to ease monitoring and management, which is increasing the digital attack surface for these foreign intelligence services to exploit. Combining this intent with the commoditisation of hacking tools, made available to non nation state adversaries, increases the threat of digital interference to the space sector even further. With a relatively segmented value chain, the sector would benefit from more consolidated threat intelligence. This will help the ‘manufacturing’, ‘operations’ and ‘applications’ segments to quantify risk and enhance the resilience of services.
The space sector was designated a CNI in 2015 and the UK Space Agency is on a journey to understand the scope of its obligations in this context; not least of which is understanding and improving security across the sector. Longer term, we see a future where effective security licensing processes are matched by the agency assuming, in role if not in name, the function of a Network and Information Systems (NIS) Competent Authority. In order to achieve this, the sector is seeking to understand the existing situation from a network point of view, crucially where the dependencies lie. For commercial organisations, knowledge of these cyber dependencies will enable business resilience. Similarly, space enterprises are now realising the benefit of considering the safety, privacy, and liability consequences of cyber hazards, so that they can differentiate themselves in a competitive market and increase the chances of successfully introducing new services or capabilities as regulation increases.
Future investment case
The next Strategic Security and Defence Review is likely to be in 2020 and the next National Cyber Security Strategy is due to be released in 2021. Prior to publication, all CNI sectors remain on a pathway to increase security maturity, not least because they are all interconnected. For example, much of the national CNI relies on uninterrupted electricity generation, which itself relies on the GPS timing signal for uninterrupted distribution as the load varies. The key dependency is information and the means by which it is collected, transmitted, analysed and stored. In advance of the next iteration of these government capstone documents, space sector organisations would benefit from a more evolved understanding of information security and how their cyber maturity benchmarks against others in their sector and across other CNIs. It is on this issue that the space sector must welcome the private sector more readily. In so doing, experience of other CNIs, financial institutions and private businesses who have wrestled with similar challenges, can be brought to bear, setting the conditions for safe, secure and sustainable growth.