A few months ago, the European Space Policy Institute (ESPI) published a report titled ‘The war in Ukraine from a space cybersecurity perspective’. This publication was followed last week by a special webinar on this topic, the recording of which was published a few days ago. This article summarises some of the main conclusions of the report and expert discussion in the webinar, in the context of our series on space for Ukraine.
Please refer to the full ESPI report for a detailed analysis of the KA-SAT cyberattack, its policy implications and important lessons learned for the public and commercial space sector. A short summary follows below:
Russian cyberattack on satellite infrastructure
On February 24th 2022, Russia invaded Ukraine by launching a series of attacks against Kyiv as well as several cities located at the border of Russia and Belarus. Concurrently, Russia conducted a cyberattack against Viasat’s KA-SAT GEO satellite network, which was used by the Ukrainian army, thereby providing a concrete example of cyber operations being used to complement conventional military operations on land, at sea, and in the air.
In the space community, the KA-SAT cyberattack raised a broader debate regarding the cybersecurity of space systems and the protection of critical infrastructures.
Indeed, the digitization of space systems, the increasing relevance and criticality of space systems in military operations, and the growing integration of satellites into the digital infrastructure make them more vulnerable to cyber threats.
The KA-SAT cyberattack and the war in Ukraine raise many outstanding questions regarding the cybersecurity of the space infrastructure from an industrial, political, legal, and military perspective.
The KA-SAT cyberattack can be seen as a good illustration of the current state of cybersecurity in the commercial space sector, and as a representative case of the evolving militarization of outer space through cyber means, which makes it useful for highlighting key trends and lessons to learn.
Lessons to learn from the KA-SAT cyberattack and the war in Ukraine
The Russian cyberattack on the Viasat satellite infrastructure is an important wake-up call for the satellite industry, and contains several important cybersecurity lessons to learn. These lessons can be divided into direct lessons for the satellite industry, and broader lessons for (space) policy makers.
“There are only two types of companies – those that were hacked, and those that will be” – Federal Bureau of Investigation (FBI)
Direct lessons to learn from the KA-SAT cyberattack
- Commercial space systems are easy targets for cyberattacks during armed conflicts
- There are endless vulnerabilities in the commercial space infrastructure
- Commercial actors inherit the threat models of their clients
- Segregation between civilian and military customers is essential
- Systems should be considered military based on their use, not on their ownership
Broader cyber lessons to learn from the war in Ukraine
- The lack of sovereign space capabilities creates a dependence and strategic autonomy issue
- The lack of space capabilities also creates a cybersecurity issue in armed conflict
- Internet traffic rerouting strategies make satellites essential in armed conflicts
Protecting the European space infrastructure
Based on the lessons learnt from the KA-SAT cyberattack and acknowledging the current state of affairs in the cybersecurity of the space sector, some policy and legal reflections for the cybersecurity of the European space infrastructure can be outlined.
Updating a scattered legal and policy framework
At the European level, the cybersecurity of space systems was rather overlooked in EU policies and regulations, although this is gradually changing. At the end of 2022, the EU NIS2 Directive was adopted, which now considers space as a critical infrastructure and outlines cybersecurity obligations for operators.
New security stakes for EU flagship programmes
The KA-SAT case demonstrates the importance of better protecting space systems against cyber threats. Cybersecurity and sovereignty objectives have already been identified by the European Commission in its proposal for an EU secure connectivity initiative, and these objectives are particularly relevant in the context of an evolving threat landscape.
Developing an integrated approach to space cybersecurity
The extension of the attack surface and the evolution of the threat landscape call for a holistic approach to cybersecurity. Space cybersecurity should not solely rely on one countermeasure but rather on a broad set of measures, ranging from ‘zero trust architecture’ to encryption, hardening of encryption keys, redundancy and substitution, among other technical solutions.
Space cybersecurity lessons for the commercial satellite industry
During the webinar, ESPI expert and moderator Clemence Poirier added important insights about the increasing role of new, commercial satellite operators in (military) satellite communication:
“It’s important to understand that the space supply chain is becoming more vulnerable because of new space. According to James Pavur from the University of Oxford, new space companies are way more communicative than traditional space actors. They share more information about their systems to their supply chain, their contracts, and their employees.
While this seems innocent and great to provide visibility to the space sector, this also may give critical information to malicious actors to launch an attack. This raises a case and an issue to better protect space systems from the beginning of the life cycle to the decommissioning of satellites.”
You can access the full recording of this webinar here.