David Livingstone
Associate Fellow, International Security
An electronic attack on the US satellite weather network should serve as a warning of the vulnerabilities of space- and cyber-related infrastructure.
A meteorologist monitors weather in NOAA's Center for Weather and Climate Prediction in Riverdale, Maryland. Photo by Getty Images.A meteorologist monitors weather in NOAA's Center for Weather and Climate Prediction in Riverdale, Maryland. Photo by Getty Images.

On 12 November, the Washington Post reported that the US satellite weather network had suffered an electronic attack, forcing cyber security teams to ‘seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses’. The attack resulted in an ‘unscheduled maintenance’ of the United States National Oceanic and Atmospheric Administration (NOAA)’s data feed for weather forecasts.  Although the maintenance required had only a small impact on weather forecasts, the hack has highlighted a vulnerability in satellite systems that reaches far beyond the meteorological community.

Much of the world’s critical national infrastructure is now heavily reliant on space technology, and the upward trend of this dependency will continue.  Whether related to communications, to precise navigation and timing, or to earth observation (EO), satellite data and its associated connectivity touches every aspect of daily life. There are now many hundreds of satellites orbiting the earth, with many built and controlled by commercial concerns, possessing capabilities that hitherto have been found only in the defence or special intelligence communities. The US government’s recent decision to loosen its export control restrictions on satellite technologies to allow private sector capture of 25cm-resolution imagery shows the importance of the market forces in play.

As the number of satellite data feeds continues to rise, so does the opportunity for illegal interference within the space data eco-system. The origins of space exploitation have hitherto been generally either government (for military and intelligence purposes) or academic; but the future of space lies with commercial enterprise. Low cost access to space, a fundamental enabler for future space capability, is now a phenomenon of the present. For example, cube-sat technology, combined with a dramatic reduction in costs of manufacture and launch, is enabling private individuals, non-governmental and international organizations to launch their own mini-satellites; the UK is now in the process of selecting its first spaceport to launch winged cargo-carrying spaceplanes on a routine basis.  If, right now, space was suddenly denied to its plethora of users through some dramatic event, the harm created to the world’s economy and to the safety of its citizens would be immense.

It is therefore surprising that there is not a greater focus on increasing the space domain’s resilience to cyber attack, from whatever quarter. The UK’s National Security Risk Assessment (NSRA) places cyber within the top four challenges that the nation faces, and this position will no doubt be similar in nations elsewhere around the globe. Thus a 48-hour outage at NOAA is a worrying signal that the space community has yet to adopt a more stringent approach to space-related data. If a government-related data feed has this level of vulnerability, then what will the vulnerabilities be in a broader domain in which commercial drivers, including the sometimes expensive discipline of security, hold sway? Furthermore, it is a concern and possibly symptomatic in the UK’s case that, despite the prominence of cyber in the NSRA, the same issue receives only scant consideration by the British government – only a single dedicated paragraph in the UK’s National Space Security Policy.

Chatham House’s continuing study of space and cyber security indicates that an inclusive and cultural approach to the space-cyber phenomenon is absent on both national and international stages. It is becoming increasingly apparent that there are critical weaknesses not simply in the identification of deficiencies in particular space systems, but also in the way that the conjunction of space and cyber is being organized. There are mature and internationally respected models for the management of cyber security, which, when applied to the ground-based parts of the space data eco-system, serve well. What is needed, however, is an end-to-end approach based on risk management and resilience. Each and every stakeholder, from satellite assembly through to data exploitation, via the space-based segment, needs to know his or her respective cyber security responsibilities in delivering assured space-based services. This applies particularly to the commercial cadre whose management instinct may be to duck the cyber issue (or try and get away with the minimum effort required to tick the ISO 27001 boxes) on cost grounds. 

There will not be a single process applied within this complex and interlinked domain; the level of resource required for individual missions, for example, will depend on a variety of factors, including criticality of the capability being deployed, the endurance of the craft itself, the likelihood of attack and the fall-back options if an attack is successful. The software of spacecraft needs to be designed from the outset for the appropriate level of security, and some systems may need to be checked for resilience before launch (and not once ensconced in orbits from which there are now no plausible recovery options).

Space and cyber security is both a critical area and also one that is most vulnerable to exploitation when set in the context of very complex supply chains and space-related operational infrastructures. Satellite services are key targets for a number of cyber threats, as they support a critical level  of national infrastructure functionality and this is growing year by year. A single successful attack on a critical node, if unmitigated, can have the potential to affect a significant number of important national and international capabilities.

Awareness of the potential attack on the NOAA systems was made clear in July when a report by the Office of Audit and Evaluation in the US Department of Commerce’s Office of Inspector General raised the alarm on the ‘significant security deficiencies in NOAA’s information systems’. NOAA is not alone in being vulnerable to cyber security attacks. Now that the news is out in the public domain, we can only hope that it serves as a significant wake up call.

To comment on this article, please contact Chatham House Feedback