Satellites are essential pieces of infrastructure.
These Earth-orbiting systems that zip through space at thousands of miles per hour keep track of the weather, provide GPS information and help leaders across the globe make decisions. They even make sure we get our nightly television.
They're also targets.
Late last year, researchers at the Cybersecurity and Infrastructure Security Agency found that Russian hackers had infiltrated a U.S. satellite network. It appeared, a CISA analyst said, that hackers had been in the victim's networks for months.
Also in 2022, Russian-backed hackers were suspected of infiltrating the U.S. telecom company Viasat and disrupting internet service in Ukraine. This came just before the Russian invasion of Ukraine more than a year ago.
There's a growing effort to ensure satellites remain secure against these and other types of threats, and private companies and government agencies here in New Mexico have positioned themselves to help.
"There's already a large research and development presence here," said Joseph "Dan" Trujillo, who's the cyber resiliency lead at the Air Force Research Laboratory's Space Vehicles Directorate. "We're really trying to make New Mexico the leader in space cybersecurity."
'Intent and impact'
Satellites are tricky systems to both protect and attack — largely because they can be difficult to comprehend in the first place.
That's how Trujillo described the space cybersecurity problem.
"What people need to understand about [cybersecurity] is that it's hard for an attacker to attack a system they don't understand," Trujillo said. "One of the analogies I use is a house. From the outside you see the doors and the locks.
"But if you own the house, you might know that you have a broken window in the back that doesn't have a working lock."
Trujillo works out of Kirtland Air Force Base where his team studies vulnerabilities in the technical components found in space assets deployed by government agencies. Last October, he helped lead a discussion among industry experts that considered the complicated nature of protecting satellites and how the types of satellites have evolved.
"This connection is quite new," Trujillo said. "Cyber has been around, and space has been around, but the connection between them is an area people are recently starting to work on."
Deloitte, which partnered with the Air Force Research Laboratory and Central New Mexico Community College to host the New Mexico Cyber and Space Symposium, has its own operations to help companies protect against cyber threats.
Instead of focusing on a satellite's vulnerabilities as a way to learn how to protect it, Deloitte's Ryan Roberts prefers to look at the risk posed through potential attacks.
"When trying to understand how you cyber protect anything, it really comes down to what is the risk of this sort of cyberattack happening," said Roberts, a principal at Deloitte who leads the company's defensive cyber operations. "Vulnerabilities are mildly interesting, but it's really about the intent and the impact. Why would an adversary want to do that and what benefit are they going to get from it?"
That approach is more mission-focused, he said. Each satellite, whether it be a communications satellite or a geospatial satellite or any other satellite type, will have a unique mission with unique risk potential, Roberts said.
"The next dollar [companies] are going to spend on cyber should be a very threat- and risk-driven decision," he said. "Vulnerabilities are bad in a general sense, but we need to talk more about what is your risk to mission? What, based on the threat that we know is out there, is the true risk? And how do we prioritize … addressing that risk?"
'As high risk as it gets'
No matter the specific mission risks or technical vulnerabilities, the growing satellite market presented a unique business opportunity for Albuquerque's Proof Labs.
In May 2022, the Space Systems Command — the U.S. Space Force's space operations, cyber operations and intelligence field command — instituted a set of cybersecurity standards to evaluate commercial satellite firms on cybersecurity policies. Called the Infrastructure Asset Pre-Approval program, companies that meet all cybersecurity requirements would be placed on a pre-approved list to do business with the U.S. Defense Department. If not on the list, companies would have to complete "lengthy cybersecurity questionnaires for each individual contract proposal," according to a report in Space News.
"We read it and said, 'Hey, the government's going to be needing to hire assessors to do this type of work'," Proof Labs' Co-founder and CEO Ricardo Aguilar said about the cybersecurity standards program.
Founded in 2021, Proof Labs acts as an independent third-party assessor for companies with space assets. It's in the process of earning a cybersecurity assessment license with the Space Force. That license would give the New Mexico startup the credentials necessary to validate the cybersecurity of hardware components from companies vying for government contracts.
"When you start talking about the cost that's associated with putting things in space, the cost associated with even having access to a network that can communicate in space, that cost is very high," said Dick Wilkinson, Proof Labs' chief technology officer and co-founder. "People want to protect their investment. There's risk associated with those dollars.
"We're on the right side of that risk equation. That's where we make money. It's when people have to protect their assets and have to protect their investments. High-risk environments are good for us, and space is about as high risk as it gets."
Proof Labs was tapped late last year to be part of a national organization called the Space Information Sharing and Analysis Center. The startup plans to begin lab work out of a new Cybersecurity Vulnerability Lab in Colorado Springs early this year. As a result, Proof Labs anticipates a round of hiring on the horizon.
The startup is part of the rapidly growing space cybersecurity industry — an industry that Aguilar said is already valued at over $1 billion. And as more companies become aware of the need to protect their satellites from cyberattacks, he said, the demand for Proof Labs' vulnerability assessments will grow.
"I think to some degree, the market allows for startups and third-party smaller companies to fit that niche," Wilkinson said. "It makes sense, too, in terms of resource aggregation for the industry."
'Security by obfuscation'
Albuquerque-based RS21 is helping to protect satellites in a different way.
The company has a technology called the Space Prognostic A.I. Custodian Ecosystem — or SPAICE — that uses artificial intelligence to analyze data from satellites as a way to predict if and when the systems will fail. SPAICE earned RS21 a multi-year research contract from the Space Force which will give the company money to deploy and expand the AI platform over the next two years.
Using artificial intelligence to protect satellites brings its own cybersecurity challenges, said Kameron Baumgardner, RS21's chief technology officer.
"The nature of artificial intelligence and machine learning in general is that it's supposed to be difficult to understand," he said. "It's kind of like security by obfuscation, which is not a great idea."
Part of the difficulty, Baumgardner said, is making sure the data RS21 gathers from satellites to inform the SPAICE technology is secured. Another difficulty comes from the nature of AI itself, he said.
"If you look at some of the stuff that's out there on like self-driving AI being confused when people put stickers on stop signs, there's sort of a parallel for some of the AI that people would deploy up into space," Baumgardner said. "There may be weird hijinks you could inject that would lead to some unintended consequences."
Unlike research conducted by Trujillo's team at the AFRL or lab work being carried out by Proof Labs, SPAICE isn't involved with ensuring different satellite components themselves are secure. Rather, the technology can detect abnormal satellite behavior that might stem from a cyberattack, Baumgardner said.
Deloitte, too, is rolling out its own satellite protection product called Silent Sentinel.
The company presented the technology, which is currently under development, at the October cyber and space symposium.
Silent Sentinel is a payload that can attach to satellites and "autonomously provide response options for the space vehicle as well as visibility and high-fidelity understanding of cyber activities to ground based operators," according to a Jan. 21, 2022, press release from the company.
"Silent Sentinel is really about how do we start to equip a satellite, which is just basically a computer with solar panels hanging off it. How do we make that more cyber resilient through advanced analytics and censoring?" Roberts said. "So that if there is anomalous behavior on the vehicle that could be cyber related, a cyberattack, how do we in near real-time identify that?"
'Bake in cyber resiliency'
Deloitte's Roberts said the future of satellite cybersecurity lies in more intentional design.
"When we're thinking about the requirements of a system, that is when we have the cybersecurity conversation," Roberts said. "That is where we look at how we bake in cyber resiliency, not after we've cooked the cake. It really needs to be a part inherent to the design of the system."
Still, old methods can provide some guidance for new satellite companies. One of those is TrustPoint, a commercial GPS company based in California that's building a constellation of micro-satellites to deploy into low-Earth orbit.
Patrick Shannon, TrustPoint's co-founder and CEO, was recently in New Mexico as part of NewSpace New Mexico's Ignitor program. He said the company, founded in 2020, wants to launch its first satellite in April.
"The protection of them is definitely something that has to be core to the operations function of the business," Shannon said about the company's GPS satellites. "But there's a lot of known tools [to protect satellites]."
He described protecting satellites as similar to protecting data centers or cloud computing capabilities on the ground.
"We use a lot of the same tools to secure our access to our spacecraft," Shannon said.
But while existing methods might be out there, new processes and technologies, like those being worked on by Proof Labs, RS21 and Deloitte, could provide novel ways to keep satellites safe.
One example is protecting satellites that operate autonomously, said the AFRL's Trujillo. Those types of satellites might require new means of protection because the level of decision-making and control left to the system's autonomous software could lead to unique vulnerabilities.
"That's one of the biggest areas that I want to focus on with my team," he said, adding that continued technological evolution poses a question that anyone working in this field must find an answer for.
"Is space really the final frontier, or is cyberspace?"
