The term cyber has become a catch-all word for anything to do with computers and the Internet, which of course are fundamental components of space services. Here, Mark Roberts discusses the interface between space and cyber in the defence realm, and how the concept of the cyber-range applies.
Most of us understand that society is becoming progressively and ever more pervasively dependent on space products for the way we do business and live our lives, particularly those elements requiring accurate timing and global positioning. Without these products, many of the services we take for granted, such as utilities, transportation, banking and communications, may be degraded or lost, with potentially serious and irreparable consequences.
Understanding the threats, vulnerabilities and risks associated with loss of space products, and what we can do to mitigate them, is increasingly essential. Thankfully, the interactions between space and cyber have attributes that offer some advantages when we look at the challenge of providing resilience. And there is a solution that enables us to build on these to provide protection - the cyber-range.
Challenge of blurred lines
Society is becoming progressively and ever more pervasively dependent on space products for the way we do business and live our lives
As we move into the 2020s, the context of the space and cyber dynamic is becoming less distinct. Indeed, it could be argued that it is tipping in favour of those who seek to do harm. For example, until relatively recently, the distinction between military and non-military was fairly clear. However, in the space domain, the progression to more exploitation of dual-use technologies and capabilities is making it increasingly difficult to decide who is using what, when and for what purpose.
This is exacerbated by a continual blurring of the line between ‘offensive’ and ‘defensive’ actions in the cyber domain, to the extent that undertaking offensive activities behind the justification of defensive actions is arguably shifting the norms of acceptable behaviour towards the ‘offensive’ end of the spectrum.
When we go on to consider the offensive-defensive balance in space and cyber, we find considerable asymmetry between the comparatively low cost of attacking versus the high cost of defence. The consequence of this is that highly advanced countries can be vulnerable to attack from less developed states, as well as from terrorist groups and other actors.
Conceptually, the answer to dealing with the resultant issues lies with international - and perhaps legally binding - acceptance of norms of behaviour that would mitigate the threats for all. However, there are many issues that make this a very complex problem.
As we move into the 2020s, the context of the space and cyber dynamic is becoming less distinct
Defining, and agreeing, key terminology upon which we may build new international laws and treaties is no easy task for space and/or cyber. The concept of banning certain dual-use technologies will, for many, be unfeasible, because what is seen by one person as an attack mechanism may be seen by another as a critical capability for assisting with the global climate crisis, to give just one example. Verification adds another complexity, particularly in the cyber domain, where the perception of what constitutes an offensive action can vary widely, confused by context, time, intent and even national norms.
One further potential issue is that the denial of access to sensitive but crucial information may exclude many from the debate who have a vital contribution. Meanwhile, technology (and its uses) marches relentlessly on.
The cyber-range
Examining the potential risks and mitigations by using real assets is not only difficult to do safely but also prohibitively expensive. It simply is not practical to interrupt the mission of an expensive orbital asset for the purposes of test and evaluation. And in most cases it would be impossible to forensically examine a satellite following an attack in order to understand what happened.
While this all sounds rather gloomy, our ability to operate safely and securely in the space and cyber domains (and protect those services we all rely on) is in our hands. Fortunately, there is an inexpensive and effective way of generating the required knowledge, and it is one that leaves orbital and ground assets to get on with their respective missions. This is the concept of the space cyber-range.
Space is totally reliant on ‘cyber’, which can be defined as anything relating to or involving computers or computer networks, such as the Internet, and a cyber-range is a virtual environment that can be used for cyber warfare training and software development.
What is seen by one person as an attack mechanism may be seen by another as a critical capability for assisting with the global climate crisis
Space architecture is, with very few exceptions, managed, connected, controlled and exploited via the medium of cyber, in that the packets of information associated with all of these facets travel through cyberspace. This means we can precisely recreate an entire space architecture in a virtual environment, using software (and sometimes hardware) modules to simulate real assets. This allows us to interact with any space architecture and its assets in a safe and secure virtual environment. More importantly, we can interfere with the replica architecture and be as intrusive as we want.
Further significant and complementary benefits of cyber-ranges are that non-space assets can also be connected and integrated into the cyber test and evaluation setup in a holistic and enterprise-level way - examples include critical national infrastructure (CNI) nodes and assets.
Space cyber-ranges are not limited to threat, vulnerability and mitigation analysis. They are also perfectly suited to planning and rehearsing space missions and activities, testing new concepts and capabilities, and assessing the integration of digital assets.
The space sector is changing faster now than ever, with the private sector playing a growing part in providing space capabilities. This has distinct advantages in terms of innovation and speed, but means that it is even more important now to understand the security of space assets and capabilities, as increasing numbers of potential attack vectors open up.
Exploiting the advantages of the space-cyber dependence provides the opportunity to do this, bringing in everything from the ground up, including people, links and orbital assets.
Governments and their agencies are, in the main, already employing this approach to secure their assets. Now, however, this no longer needs to be the preserve of governments; anyone can buy or access a commercial cyber-range solution that can be used to analyse the threats posed by cyber-attacks, examine where space systems are vulnerable, and design and test how to respond to cyber threats.
The European Space Agency has the first dedicated cyber-range for space at its site in Redu, Belgium, provided by RHEA Group. This provides a safe and secure way for testing and evaluating space systems, as well as gaining a better understanding of how to manage space operations in the face of constant cyber threats. It is also used for operator training, as it is possible to build entire virtual architectures that emulate both space and non-space assets.
Any organisation can buy or access a commercial cyber-range solution that can be used to analyse the threat posed by cyber attacks.
Standard setting
It is time for the cyber-range to become a standard part of the space enterprise
In the defence arena, it is well understood that countries must work together to adequately counter the very serious threat posed by cyber-attacks. The space sector needs to do the same. It is not enough for each government, agency or private enterprise to look only towards its own security and capabilities when it comes to cyber. Instead, we urgently need to develop a space and cybersecurity regime that is flexible and multilateral.
The space community has always been good at promoting acceptable ‘behavioural norms’. Numerous countries and agencies already work together on space projects and solutions - and cybersecurity in space has to become a central aspect of what they do. This can only happen with absolute clarity around the problem, which is where cyber-ranges come in: they provide the perfect safe and secure environment for testing and analysis.
It is time for the cyber-range to become a standard part of the space enterprise, to maximise our chances of keeping space - and all the services it supports - safe from the growing cyber threat.
About the author
Mark Roberts has been the Defence & Security lead for RHEA Group in the UK, since January 2019. Previously, he undertook a variety of lead consultancy roles in the defence, security, energy, education and transportation sectors with Atkins. Mark is the Project Director for the Spaceport 1 Consortium, developing a vertical launch capability in the Outer Hebrides, and is also a faculty member of the London Institute of Space Policy & Law. He previously served in the Royal Air Force, where he was an operational pilot and commanded both 12 Squadron and RAF Lossiemouth. He was Director of the Air Staff in MoD (2007-2010) with Space and Cyber Policy in his portfolio, and Head of Capability Deep Target Attack, with responsibility for Combat Air, Complex Weapons, Land Engagement and elements of the Queen Elizabeth class carrier programme.