library
Over the last six months, our team has explored the Cybersecurity of Space Systems, or SpaceSec. As one of the most active strategic investors in both Commercial Space and Cyber, we identified that both the government and the commercial sector have a role to play to drive innovation in SpaceSec. Applying additional resources and focus to the problem is the first step.
We spoke with dozens of government stakeholders, commercial space providers, academics, investors, startups, and other subject matter experts, surveyed companies in the IQT Space portfolio, and hosted a Roundtable on the topic. From IQT's unique vantage point at the intersection of government, venture capital, and the startup community, we developed insights into the current state of cybersecurity across Space Systems and opinions on where the industry needs to go to tackle this issue.
SpaceSec is critical to U.S. National Security.
In addition to the criticality of Space Systems to U.S. defense and intelligence, virtually every Critical Infrastructure Sector relies on Space Systems for continued operation. Many of the sectors that we rely on for daily life, including financial systems, agriculture, emergency services, and energy, have a direct dependency on the stability and therefore cybersecurity of Space Systems.
The dual trends of the Commercialization of Space and the Proliferation of Space Systems underscore the importance of addressing cybersecurity.
Some experts predict that within 15 years, there could be 100,000+ satellites, 10-15 orbiting stations, cis-lunar bases, in-orbit cloud storage and edge computing, energy production, mining, and manufacturing in space—a significant change from today's space landscape. The shift has already begun from a government-dominated space economy to one that is commercially driven. Companies such as Microsoft and Amazon have identified a business model that enables them to extend their already robust cloud computing capabilities into Space Systems. Furthermore, this commercial activity is global, and developments are unlikely to remain the exclusive domain of any country. It's estimated that up to 30 countries could launch assets into space, resulting in increased nation state competition. China's published national strategy document on Space makes clear their intent to pursue "space superiority."
The cybersecurity of today's Space Systems is weak and tomorrow's will be worse if action isn't taken today.
Several factors contribute to the weakness of today's systems including a lack of incentives to build in robust security, a lack of understanding of security best practices, and the reality that most systems in orbit today have nearly bespoke designs. These three factors have led to a widespread belief that Space Systems are obscured from malicious actors; in other words, they are protected by security through obscurity. Even if this was once true, it has not been for a long time. The ground systems that support these systems are often equally vulnerable.
One particular trend is worth highlighting: The supply chain for Space Systems is becoming increasingly commoditized, and future systems will almost certainly be assembled using off-the-shelf commercial hardware and software. While potentially a good trend to drive down cost and complexity for the Space market, this commoditization will also provide a more homogeneous and well-explored attack surface for threat actors, potentially increasing the volume and scope of cyber attacks on Space Systems as a whole.
We should look to the cybersecurity of terrestrial systems as a roadmap to secure Space Systems.
Space System designers and operators can leverage lessons learned and technologies used in terrestrial enterprise and industrial systems for guidance on how to improve the security of systems deployed into space. Examples include but are not limited to:
- Developing space-focused cybersecurity standards and best practices;
- Improving training for system designers and operators;
- Adopting secure coding and assessment practices; and
- Implementing commercial cybersecurity technologies such as embedded system security, network security, and data protection into system design, testing, deployment, and maintenance.
The industry may also want to consider integrating Cybersecurity curriculum into Aerospace Engineering programs to develop and equip the next generation of Space System developers who will likely be faced with a more challenging cyber threat environment in space.
Innovation has a role to play.
While today, the market for space-focused security products and services is small, we believe the category will grow over the next 3-5 years as more Space Systems with commodity and commercial technology are launched into space.
There are a few companies already thinking about how their technology applies to Space Systems. Developers of solutions focused on embedded systems security, secure and reliable update of safety-critical systems, identity and access management, and cloud and edge compute security are looking toward the future. Startups will undoubtedly emerge to fill the white space not addressed by incumbents. IQT and other investors must be prepared with the capital, domain expertise, and industry experience to connect these cyber innovators with their space counterparts.
The time to act on this future threat is today. Are you thinking about the cybersecurity of Space Systems? If so, we want to hear from you. Please email us at spacesec@iqt.org.