Posted 13 May 2022 in Blog, Security, Space.

On 4 May 2022, we held our eighth RHEA Talk webinar, which looked at Security in Space with speakers from the agencies responsible for the operation and management of systems and services that businesses and individuals rely on every day. Hosted by John Bone, RHEA’s Chief Commercial Officer, our panel included:

  • Massimo Mercati, Head of ESA’s Security Office
  • Stefano Iannitti, Head of Security at the European Union Agency for the Space Programme (EUSPA)
  • Douglas Wiemer, RHEA Chief Technology Officer – Cyber

Watch the complete webinar (1 hour).

Space is more than a technology challenge – it is now essential in our daily lives for navigation, communication, science, weather forecasting, and more. But as our reliance on space has increased, cyber threats have accelerated at an alarming rate. This RHEA Talk session provided an insight into how the space sector is adapting to protect every element of a space mission against cyberattacks. In these excerpts from the webinar, you can discover:

  • Why security in space is important
  • What the cyber threats are in the space sector
  • How agencies are managing the security-related challenges they face
  • What the threats are likely to be over the next 10 years.

Why is security in space important?

Doug: Space is becoming critically important to our society, economy and our national security and sovereignty – space data and space-enabled communications are central to our everyday lives and are growing importance every year. This is witnessed by the huge growth in satellite launches; in the decade up to 2018, for example, there were around 2,300 launches, but since 2019 there have been up to 1,000 launches every year.

Increases in the value of space and private investments in space both create a corresponding increase in the threat levels for space systems. Where there is potential for financial gain, you will find cybercrime. In addition, the war in Ukraine has demonstrated the increased overall threat at nation state level – it has put space systems in the crosshairs of cyber conflict. As a result, both nation states and commercial industry will be affected by the way we approach cybersecurity for space.

Security has been a core function of EUSPA since the original agency was first set up as the European GNSS Supervisory Authority in 2004, and that continued when it became the European GNSS Agency (GSA). The Agency is at the heart of the protection of end-user assets. When it comes to protecting an operational system, only the operator – those people who are ‘hands on’ the system – can protect the system in real time.

Stefano Iannitti, Head of Security at the European Union Agency for the Space Programme (EUSPA)

What are the cyber threats in the space sector and how are they different?

Stefano: Space assets have become essential, in particular in support of critical applications and operations such as humanitarian and environmental disasters – they are important when the safety of people is at stake. Think about Copernicus, which provides Earth observation for several fields of application, or Galileo, which provides satellite navigation worldwide: they are used everywhere. These space assets therefore have to be protected.

Threats to these space assets have increased a lot, from kinetic attacks to cyberattacks, and then hybrid attacks add complexity to the picture.

Doug: Ground systems are already targets, but as we look towards the future, we will start to see an evolution of these attacks moving directly into space. As the congestion in space grows and satellites become closer and closer together, you are going to see more effects caused by radio frequency interference, for example. Also, there’s the potential for active use of kinetic attacks in space, making this a hybrid threat.

We are going to have to look at the whole convergence of IT and OT, and also the culture behind critical infrastructure, operations, technologies and information technology, and the governance mechanisms in place to bring these two worlds together.

Massimo Mercati of the European Space AgencySecurity in the space context is a real challenge. There is a strong will in Europe to have a holistic vision in security and cybersecurity. What we are developing in ESA, together with industry and in synergy with the European Commission, represents the first node in an important network to share information, capabilities and expertise for Europe.

Massimo Mercati, Head of ESA’s Security Office

How do you manage the critical security challenges in the programmes you manage?

Stefano: The Agency has been set up to cover the whole lifecycle of security. It supports the definition of security governance at the beginning, such as in design and the definitions of roles and responsibilities of different actors. Then there is the implementation phase and ensuring secure operations, including security accreditation. It helps to have an integrated approach and it is also an opportunity to exploit synergies between the different components to improve and increase the resilience of the systems we are responsible for.

Security is both a pillar and an enabler of the Space Programme. We asked ourselves how we could ensure security by design efficiently, considering our experience with Galileo. This has led to an evolution in the organizational structure of the Agency – you will now see several departments with ‘security’ in their name and the departments that work directly on the various programmes have security people embedded within them. We call them ‘security evangelists’ because they have the role of not only coordinating technical work related to security, but also making sure awareness of security is spread inside the Agency.

Find out more about how space services are being kept secure and space agencies’ plans for tacking future cybersecurity threats by watching the webinar video (1 hour)

Massimo: We updated our ESA Security Framework in synergy with our Member States and this was approved in the Council in 2020. This is important, because we can say that the new Security Framework is applicable here today to face the future cyber threat landscape of the next 10 years. The objective is to look forward and analyze the evolution of the threat landscape in order to identify which kind of policy, technology and security requirements are necessary to protect space in the future.

ESA has launched two major programmes: the C-SOC [Cyber-Security Operations Centre] and SCCoE [Security Cyber Centre of Excellence]. Today, nothing similar exists in Europe, because the C-SOC will have the unique capability to monitor any kind of threat in space and on Earth. And it is working in synergy with SCCoE, which can emulate any space programme and associate with it a particular threat catalogue, so that users can test real hardware and software in this emulated environment to validate security operations procedures or perform training.

Also, I agree with Stefano that better security means starting at the beginning and following the full lifecycle of system design and development. We therefore start during the ITT [invitation to tender] to define the minimum basic security requirements that will evolve during the lifecycle of the system, with the objective of providing a certification statement that will allow our Member States and stakeholders to be sure that the system is designed to operate in accordance with our Security Framework. It is a stamp of assurance that the system is secure from an engineering perspective.

Douglas Wiemer, Chief Technology Officer - cyber, RHEA GroupThe space industry is an extremely complex one that involves many different suppliers at many different levels. Along the way there is information and valuable intellectual property that passes from one hand to another. As cybersecurity practitioners we need to look at better ways of controlling that, such as how we add security to a model-based system engineering approach.

Douglas Wiemer, RHEA Chief Technology Officer – Cyber

What are the future threats you foresee in the next 10 years?

Doug: Quantum computing has the potential to render our foundational cryptographic processes obsolete. The space domain is actively responding with significant investments in space-enabled quantum key distribution (QKD) techniques and quantum communications infrastructures. But as we look at QKD and quantum communications, we need to make sure we do not forget the need for quantum resilient cryptography and also aspects such as the security of the interfaces between the elements within these new systems.

Whenever there are new technologies and new approaches, and also parallel technology deployments as we are seeing with 4G and 5G, there is always the potential for weaknesses in the design, development and implementation, which could lead to areas that could be compromised. Aspects such as secure systems engineering and security testing are therefore extremely important.

Stefano: There are big expectations around quantum technology and its use in the space domain, including for cryptography. Certification is essential when new technologies like quantum are planned to be used for encryption and decryption of classified information. This is something the European Union is working on together with Member States and in the short term something will be launched for this purpose where standards can be formalized and technologies can be analyzed and tested. This is a big task.

Massimo: Quantum technology presents interesting opportunities and challenges. But without certification it will be difficult to use for security. In the medium term – around 2023 to 2025 – ESA is launching a laboratory to analyze the way to certify quantum technology.

Find out more

Watch the webinar video to hear more about security in space from our expert speakers.

Subscribe to receive information about future RHEA Talks and to receive our Security Bulletin.