Germany’s security guidance for satellites would be a good model for broader cyber standards for the entire space industry as it grows and introduces commercial software, according to European satellite experts and the German government.
The German agency that recently put out the guidance, the Federal Office for Information Security, is seeking to make it the basis for European or international cybersecurity standards related to the space industry. Space missions often involve vendors and expertise from various countries, making common standards crucial, according to space researchers and satellite companies.
“In Europe we need sort of a consensus for many countries,” said Frank Schubert, head of cyber programs in Germany for
defense and space unit, which contributed to the guidelines. The document lays out minimum cyber measures to help satellite companies ensure their supply chains address specific vulnerabilities, and businesses would benefit from having common terms they can refer to with partners and suppliers in other countries, he said.
The German guidelines list measures to protect satellites during different phases, such as when they are being transported and tested, and when they are in orbit.
The vulnerability of satellites was illustrated by a cyberattack on satellite-communications company
on Feb. 24, the day Russia invaded Ukraine. The attack brought down internet connections for thousands of Europeans and remote-monitoring systems for German wind farms.
The attackers had targeted modems and other equipment in Ukraine that were serviced by a Viasat satellite, the company said at the time. In March, the U.S. Cybersecurity and Infrastructure Security Agency circulated a warning about threats to satellites. In May, the U.S., U.K. and European Union blamed Russia for the Viasat incident. Russia has consistently denied launching cyberattacks.
founder of Space Exploration Technologies Corp., tweeted in May that SpaceX’s Starlink satellites had so far resisted Russian hacking attempts, “but they’re ramping up their efforts.”
Government space agencies from countries including the U.S., Japan, China, Canada, Germany, and Italy discuss cybersecurity through the nonprofit Consultative Committee for Space Data Systems. Another member of the group is the European Space Agency, which falls outside the EU system and includes non-EU countries such as Switzerland and Norway.
The committee has discussed how to protect satellites that might stay in orbit for 10 years or so, should post-quantum computers emerge that can break today’s level of encryption, said Daniel Fischer, head of applications and robotics in the European Space Agency’s data-systems unit.
The European agency is researching potential post-quantum encryption technologies, he said, and is monitoring an international competition held by the U.S. National Institute of Standards and Technology that is aimed at identifying secure cryptographic algorithms. “It’s still a crystal ball, but we have intelligent guesses,” he said.
Satellites provide internet connectivity, media broadcasts, scientific data and navigation services, among other things. The global space economy is valued at an estimated $469 billion, driven mostly by commercial space services, products and infrastructure, according a report published last month by the Space Foundation, a Colorado-based nonprofit.
“No one nation can do this on their own because everything is super interconnected when you go to space,” said Erin Miller, executive director of the Space Information Sharing and Analysis Center, another nonprofit based in Colorado. The group facilitates information exchange about cyber threats among its members, which include companies based around the world.
Cyber threats are evolving as the satellite industry becomes more commercial, with companies sending satellites into space for shorter periods and using components that are cheaper than they were in the past.
Issuing system upgrades and applying security patches to satellites already in orbit is a particular risk, said Stefan Langhammer, head of the information and cybersecurity unit at
OHB Digital Connect GmbH, a German satellite manufacturer, which contributed to the German guidelines.
Companies need guidance on patching, upgrading and changing features after a satellite is launched, Mr. Langhammer said. Issuing system and security upgrades comes with risks, especially for satellites that remain in orbit for several years. “We can’t make mistakes. If the update doesn’t work then we can’t send anybody to the satellite and press the reset button,” he said.
In the coming years, experts expect more commercial technology to become available, potentially using more off-the-shelf internet-connected components. That raises the risks of cyberattacks, because hackers could potentially launch ransomware attacks that could affect a large group of satellites that work together as a system, said Brandon Bailey, a senior cybersecurity project manager at the California-based nonprofit Aerospace Corporation.
“The more commercialization happens, it’d be good to have information on what threats are out there and what protections could help mitigate those,” Mr. Bailey said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8