Support 100 years of independent journalism.

  1. Spotlight
  2. Cybersecurity
27 December 2022

UK Space Agency security chief: “Space is a ubiquitous enabler for modern life”

Stephen Straughan discusses how a major cyberattack on space-based services could cause chaos.

By Samir Jeraj

This article is part of The Critical Condition, a series exploring the cybersecurity challenges faced by providers of the UK’s critical national infrastructure. This piece looks at the space sector.

The UK Space Agency (UKSA) was established in 2010 in the final weeks of Gordon Brown’s government, taking over from the British National Space Centre. It is responsible for the UK’s civil space programme. The space sector is worth £16.5bn to the UK and employs around 47,000 people, according to the UKSA. One of its roles is to work with the sector to support and improve its cybersecurity.

“We work with the owners and operators of space-based services, providing support and guidance to help them understand the nature of the risks from cyber-threats and encouraging appropriate and proportionate action,” Stephen Straughan, head of security and resilience at the UKSA, told Spotlight. However, he pointed out that cybersecurity risks to the agency itself are managed by the Department for Business, Energy and Industrial Strategy (BEIS), which is its parent department in government.

Space-based services basically entail the communication of data, often audio and video, around the globe. These can be used to transmit TV programmes, make phone calls, track the weather, or even remotely control military drones – added to this are services that depend on these communication networks, such as energy and transport. Space-based services are run out of the approximately 4,500 operational satellites orbiting the Earth, which quietly work away to make sure the modern world runs smoothly. “Space is a ubiquitous enabler for modern life in the UK, and worldwide,” Straughan said. “Space-based services are so embedded in our everyday activities that most people do not realise how reliant they are on them.”

In 2021 the German Space Agency made a video that invited the viewer to imagine what would happen if satellites stopped working. TV and phone lines go down, flights are cancelled and blackouts sweep the planet as energy management becomes impossible. Emergency services and the military would struggle to find locations, bank withdrawals and transactions would grind to a halt, and modern weather forecasts would be unavailable. In short, it would be chaos.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Our weekly culture newsletter – from books and art to pop culture and memes – sent every Friday. A weekly round-up of some of the best articles featured in the most recent issue of the New Statesman, sent each Saturday. A newsletter showcasing the finest writing from the ideas section and the NS archive, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.
THANK YOU

One of the biggest challenges in protecting satellites is that hardware cannot be changed once it has launched. “It is important that any cyber-threat is recognised early in the development life cycle of new services,” Straughan said, hence why his security and resilience team work to promote security “by design” across the sector. Fortunately, so far, the sector has avoided any specific attacks or suffered from any “major attacks” – but the vulnerabilities are there.

Content from our partners
Harnessing breakthrough thinking
Are we there yet with electric cars? The EV story – with Wejo
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate

[See also: Data is the crux of your organisation’s security]

Satellites are also in operation for up to 15 years, which means they can quickly become out of date. Straughan said this can be mitigated by things such as software programmable radios, or through the “mega-constellation route” in which large numbers of short-lived satellites are put in low-Earth orbit and replenished with new ones as they reach their end of life, perhaps every five years rather than 15. He acknowledged that replacing hardware is “still outside current capabilities”, but that it may be possible in future with the development of “in-orbit servicing”.

During an average working day, the security and resilience team at UKSA will be working with operators of space services, helping them secure their systems and monitoring for emerging threats. They also run exercises to test their own responses and those of space service companies to cybersecurity incidents.

According to Straughan, the main challenges for cybersecurity in space are that the systems and networks are “highly distributed”, meaning that space-based services exist in a large network with many potential weaknesses that can be exploited. Combined with a long lifespan, the speed of technological change and fixed hardware, space services are relatively vulnerable. However, he said, “the benefits of our work in cyber are that we can help UK owners and operators understand the risks they may face and support them in mitigating these risks.” This means more reliable services and reduced risks. The UKSA currently runs security working groups that bring together companies and experts to discuss issues and share advice and guidance on cyber-threats. Straughan would not be drawn on specific cybersecurity projects, saying it would be “inappropriate to discuss specifics of any activities that might reveal details about risks and mitigations”.

When asked about what lessons other public services could learn from UKSA’s experiences, Straughan underlined that “mitigating the threat of cyberattacks is not something that can be done in isolation”. Because the world is becoming “increasingly interconnected”, risks will cross through networks around the world and not just within a single nation state. Straughan said it is “vital” that the international aspects are addressed, and added that the UKSA is in discussions with other space agencies on “collaborative working, mutual assurance mechanisms and establishing norms of behaviour”.

“Space is no longer the purview of governments and monolithic corporations,” Straughan said. “The cyber-threat is keeping pace and companies need to understand this risk and be proportionate in their activities. Even start-ups can be subject to cyber-risks, but it is too late to try and address these once their systems are developed, in operation and relied upon.”

[See also: Is the UK’s cyber-space more secure after Boris Johnson?]