The universe is getting smaller, and space cybersecurity is keeping up. On May 30, 2020, nearly a decade after the Space Shuttle program ended, people witnessed a first: a vehicle built as part of a public-private partnership (between SpaceX and NASA) took off into space. This development was transformational because it brought the world one step closer to commercial space travel. We now have proof of concept that space travel, once reserved for powerful nation-states, is something that can be achieved, albeit with a lot of assistance right now, by a commercial company.

How safe space travel may be for everyday people is yet to be seen, but it’s an exciting time because we can actually start talking about space travel, space tourism and space mining.

But space travel is not cheap, and safety is not a joke. The risks that come with space travel mean you do not play games when it comes to redundant and backup options. When making these huge investments, you cannot afford to go bust or risk lives. That means as people make efforts to go more often and deeper into outer space, cybersecurity becomes a real issue that must be addressed.

Why? Well, think “E.T. phone home” as a start. If you want space travel safety, you have to be able to communicate.

Space and Cybersecurity

On Sept. 4, 2020, the White House issued the Memorandum on Space Policy Directive-5 — Cybersecurity Principles for Space Systems. Section 4, Principles, is a worthwhile read for cybersecurity experts. Here is a brief overview of that section:

  • Space systems and their supporting infrastructure, including software, should be developed and operated using risk-based, cybersecurity-informed engineering.
  • Owners and operators should develop and implement cybersecurity plans for their space systems.
  • Protect against unwanted access to critical space vehicle functions.
  • Include physical protection measures designed to reduce the risks of a space vehicle’s command, control and telemetry receiver systems.
  • Protect against communications jamming and spoofing.
  • Protect ground systems, operational systems and data processing systems.
  • Adopt appropriate cybersecurity hygiene practices, physical security for automated information systems and intrusion detection methodologies for system elements.
  • Manage supply chain risks that affect the cybersecurity of space systems through tracking manufactured products.
  • Space system owners and operators should collaborate to promote the development of best practices.
  • Security measures should be designed to be effective while permitting space system owners and operators to manage risk tolerances and minimize undue burden. These must be consistent with specific mission requirements, United States national security and national critical functions, space vehicle size, mission duration, maneuverability and any applicable orbital regimes.

For any cybersecurity policy wonk, this is pretty much a dream-come-true list of security principles. But don’t we try to apply those same principles down here on planet Terra? Yes, we do. Emphasis on the word try.

Today’s World is Guided by Space Research

Unlike the internet, which is inherently vulnerable by design, there is an opportunity in space to build a uniquely secure means of communication that could not only reduce the dangers of research but also alter land-based communications and our way of life. For example, Space Policy Directive-5 gives us plenty of examples of how space research helps with homeland security. We rely on space systems for a lot of things we take for granted in our daily lives:

  • Global connections
  • Position, navigation and timing
  • Scientific research
  • Exploration
  • Weather tracking
  • National defense

The fact that the use of the NIST Cybersecurity Framework is now ‘baked in’ to space projects is a welcome development. But there is something more intriguing going on with Space Policy Directive-5 and all the Space Policy Directives. Security-by-design principles are a driving force in their creation.

Building Trustworthy Space Cybersecurity Systems

If you haven’t heard of security-by-design, think about it like this. In its crudest form, it means to break while you build so you can fix and strengthen the weak spots. If you do this correctly and go above and beyond, you not only strengthen your system, you also build antifragility into your system. Nassim Nicholas Taleb, who coined the term antifragile, says this means the project doesn’t merely withstand a shock, but improves because of it.

That’s the chance we have with space systems that we don’t have with the internet. In fact, the internet is the exact opposite of being antifragile because we keep building on its inherent risks, making it more complex and, in turn, more fragile.

Guidelines and Best Practices

If you’re looking for guidance on how to employ security-by-design principles, one of the best resources is NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

NIST SP 800-160 is great for future space communication system designs and for those who have the luxury to build their IT systems from scratch. It draws on a wide variety of standards and principles from the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and the Institute of Electrical and Electronics Engineers (IEEE).

“Infus[ing] systems security engineering methods, practices and techniques into those systems and software engineering activities,” NIST SP 800-160 allows you to better understand cybersecurity needs and plan for them well.

Security for Telecommunications Networks at the Speed of Light

Let’s take a look at a specific type of project that illustrates how the work of space cybersecurity professionals can apply to projects on Earth. Here on the ground, we’re getting all excited about 5G, as we should be. But something else exciting is happening when it comes to satellite security: quantum communications. Leaving aside for a moment that we are still early into quantum communications development, or more accurately, quantum key distribution (QKD), QKD in theory — at least in space — should be easier to achieve.

Let’s start with some background, without getting technical. QKD is great when it comes to encryption because a user can identify right away if a message has been tampered with. In theory, QKD is unbreakable, because subatomic particles (photons) act in a very peculiar way. Mess with those particles and the message is no longer secure.
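
The tamper-evidence described above can be seen in a small simulation, added here as an illustration and not part of the original article. It models BB84, one widely used QKD protocol that the article does not name, with an eavesdropper who measures and resends each photon; the function names, the seed and the 11% abort threshold are assumptions of this example.

```python
import random

def bb84_qber(n_photons, eavesdrop, seed=0):
    """Simulate BB84 key exchange; return (sifted_key_length, error_rate).

    Each photon carries one bit encoded in one of two bases (0 or 1).
    Measuring in the wrong basis yields a random bit and re-prepares the
    photon in the measurer's basis, which is what exposes an eavesdropper.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    sifted = errors = 0
    for _ in range(n_photons):
        bit, sender_basis = rng.getrandbits(1), rng.getrandbits(1)
        photon_bit, photon_basis = bit, sender_basis

        if eavesdrop:
            # Intercept-and-resend: the eavesdropper must guess a basis.
            spy_basis = rng.getrandbits(1)
            if spy_basis != photon_basis:
                photon_bit = rng.getrandbits(1)  # wrong basis: random result
            photon_basis = spy_basis             # resent in the spy's basis

        receiver_basis = rng.getrandbits(1)
        if receiver_basis != photon_basis:
            received = rng.getrandbits(1)        # wrong basis: random result
        else:
            received = photon_bit

        # Sifting: both sides publicly compare bases (never bits) and keep
        # only the positions where they happened to choose the same one.
        if receiver_basis == sender_basis:
            sifted += 1
            errors += int(received != bit)
    # A real system estimates the error rate from a disclosed sample of the
    # sifted bits; here it is computed over all of them for simplicity.
    return sifted, errors / sifted

def key_exchange_should_abort(error_rate, threshold=0.11):
    """Discard the key when errors exceed the threshold (assumed value;
    about 11% is the commonly cited theoretical bound for BB84)."""
    return error_rate > threshold

if __name__ == "__main__":
    for spy in (False, True):
        length, qber = bb84_qber(20000, eavesdrop=spy)
        print(f"eavesdropper={spy}: sifted={length} error_rate={qber:.3f} "
              f"abort={key_exchange_should_abort(qber)}")
```

With no eavesdropper the sifted key has no errors; with one, roughly a quarter of the sifted bits disagree, so the two parties discard the key before any message is encrypted with it.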

That’s awesome, right? How come we don’t use QKD all the time?

The Problem with Quantum Keys

It’s just not practical. QKD data transfer over long distances and into today’s network is just not feasible on a mass scale. We’re talking distances of a few kilometers only in some cases. But when you add space and satellites into the equation, the metrics change a lot.

Why is that? Well, because of the nature of space and the nature of physics. Ground-based quantum signals suffer from something called rate of absorption. If we are to keep this simple and not go completely down the entanglement-based quantum cryptography rabbit hole, think of it like this: the photons can’t travel that far without becoming compromised in some form or another, which means you have to add repeaters along the way. And that’s not a great idea, at least with current-day systems. You’re going to need a whole bunch of repeaters, which could each be attacked.

So, why is this different when it comes to space cybersecurity?

That rate-of-absorption problem pretty much goes away, because the signals are traveling through empty space. Instead of having capabilities over a few kilometers only, suddenly you can have secure communications linked over a much greater distance, like say 1,000 kilometers.

In other words, when traveling through empty space, you don’t really need to worry about going through the different barriers you would find here on Earth. And, because of good ole’ physics, we are living in a completely different domain with a different set of rules. That’s what makes space projects so exciting. Our engineers will not be bound by the same rules of ground-based communications, meaning that we can employ the lessons learned down here up there, as well.

Why Securing Space Data Matters

Some of the reasons why we should be serious about space cybersecurity are obvious, such as keeping ground-based systems running and addressing national defense concerns. But to be more forward thinking, you need to be a bit more ambitious in your outlook. Space travel provides an entirely new domain to be scouted out. Just like the explorers of ancient and classical times, who traveled to find new worlds across the continents and oceans, we are entering the dawn of a new era.

Along with the thirst for knowledge that drove people out into the vast oceans or through rough terrain, there was something else that was driving them, too. Think for a moment about the Silk Road and other routes that unified Europe and Asia. The driving force behind them was trade and commerce, namely the spice trade between Europe, North Africa and Asia.

We open ourselves to an entirely new universe of possibilities if we can start exploring a territory we haven’t before. The possibilities are transformative. But if we are to take advantage of this new domain, we need to have a way to realize a return on investment. That’s why both land-based cybersecurity resilience and secure space-based communications matter.

Poor cybersecurity practices will sink the ship, both here on Earth and in space. Poor land-based cybersecurity will result in your standard issues: loss of intellectual property, disruption of operations and compromised devices. Meanwhile, poor space cybersecurity could result in multibillion-dollar losses in one shot because your vehicle is sent off course.

The Excitement of a New Era

We should be excited about this new chapter in space cybersecurity, travel and communications. There are so many lessons we can apply, whether they relate to redundancy, vulnerabilities, encryption or even artificial intelligence. The breakthroughs will not only bring space travel into a new era, but also will change how we send messages here.

We have the chance to build a secure system, correctly, using security-by-design principles. If we are successful, now, at the beginning, we will be able to invest our valuable resources more wisely in the future.
