The UK Space Agency (UKSA) was established in 2010 in the final weeks of Gordon Brown’s government, taking over from the British National Space Centre. It is responsible for the UK’s civil space programme. The space sector is worth £16.5bn to the UK and employs around 47,000 people, according to the UKSA. One of its roles is to work with the sector to support and improve its cybersecurity.
“We work with the owners and operators of space-based services, providing support and guidance to help them understand the nature of the risks from cyber-threats and encouraging appropriate and proportionate action,” Stephen Straughan, head of security and resilience at the UKSA, told Spotlight. However, he pointed out that cybersecurity risks to the agency itself are managed by the Department for Business, Energy and Industrial Strategy (BEIS), which is its parent department in government.
Space-based services basically entail the communication of data, often audio and video, around the globe. These can be used to transmit TV programmes, make phone calls, track the weather, or even remotely control military drones – added to this are services that depend on these communication networks, such as energy and transport. Space-based services are run out of the approximately 4,500 operational satellites orbiting the Earth, which quietly work away to make sure the modern world runs smoothly. “Space is a ubiquitous enabler for modern life in the UK, and worldwide,” Straughan said. “Space-based services are so embedded in our everyday activities that most people do not realise how reliant they are on them.”
In 2021 the German Space Agency made a video that invited the viewer to imagine what would happen if satellites stopped working. TV and phone lines go down, flights are cancelled and blackouts sweep the planet as energy management becomes impossible. Emergency services and the military would struggle to find locations, bank withdrawals and transactions would grind to a halt, and modern weather forecasts would be unavailable. In short, it would be chaos.
One of the biggest challenges in protecting satellites is that hardware cannot be changed once it has launched. “It is important that any cyber-threat is recognised early in the development life cycle of new services,” Straughan said, hence why his security and resilience team work to promote security “by design” across the sector. Fortunately, so far, the sector has avoided any specific attacks or suffered from any “major attacks” – but the vulnerabilities are there.
[See also: Data is the crux of your organisation’s security]
Satellites are also in operation for up to 15 years, which means they can quickly become out of date. Straughan said this can be mitigated by things such as software programmable radios, or through the “mega-constellation route” in which large numbers of short-lived satellites are put in low-Earth orbit and replenished with new ones as they reach their end of life, perhaps every five years rather than 15. He acknowledged that replacing hardware is “still outside current capabilities”, but that it may be possible in future with the development of “in-orbit servicing”.
During an average working day, the security and resilience team at UKSA will be working with operators of space services, helping them secure their systems and monitoring for emerging threats. They also run exercises to test their own responses and those of space service companies to cybersecurity incidents.
According to Straughan, the main challenges for cybersecurity in space are that the systems and networks are “highly distributed”, meaning that space-based services exist in a large network with many potential weaknesses that can be exploited. Combined with a long lifespan, the speed of technological change and fixed hardware, space services are relatively vulnerable. However, he said, “the benefits of our work in cyber are that we can help UK owners and operators understand the risks they may face and support them in mitigating these risks.” This means more reliable services and reduced risks. The UKSA currently runs security working groups that bring together companies and experts to discuss issues and share advice and guidance on cyber-threats. Straughan would not be drawn on specific cybersecurity projects, saying it would be “inappropriate to discuss specifics of any activities that might reveal details about risks and mitigations”.
When asked about what lessons other public services could learn from UKSA’s experiences, Straughan underlined that “mitigating the threat of cyberattacks is not something that can be done in isolation”. Because the world is becoming “increasingly interconnected”, risks will cross through networks around the world and not just within a single nation state. Straughan said it is “vital” that the international aspects are addressed, and added that the UKSA is in discussions with other space agencies on “collaborative working, mutual assurance mechanisms and establishing norms of behaviour”.
“Space is no longer the purview of governments and monolithic corporations,” Straughan said. “The cyber-threat is keeping pace and companies need to understand this risk and be proportionate in their activities. Even start-ups can be subject to cyber-risks, but it is too late to try and address these once their systems are developed, in operation and relied upon.”