
A new law for space

05 December 2024

Satellites are playing an increasingly important role in everyday communication on Earth. Cybersecurity expert Jacques Kruse Brandao from TÜVIT explains the current state of IT security in important space infrastructures and what the EU is planning with the "Space Law".


Mr. Kruse Brandao, what’s making the IT security of satellite systems increasingly relevant?

Jacques Kruse Brandao: Satellite systems have long been indispensable for the functioning of our societies. They play a major role in communication, navigation, meteorology and financial transactions. But they can also provide important help in crisis areas, for example in situation reconnaissance or as a replacement for failed terrestrial communication networks. If these satellite systems were to be sabotaged by hackers, this would have serious consequences. A recent study by consulting firm CyberInflight, which counted over 60 critical attacks on space infrastructures in 2023, shows that this isn’t just a theoretical danger. In other words, improving the cybersecurity of these key systems is crucial for all of us.


Especially since the number of satellites in orbit is expected to increase drastically in the coming years ...

That’s right. Until a few years ago, only government agencies were active in space, but more and more private companies like SpaceX or Amazon are now sending smaller satellites into orbit in large numbers to offer broadband Internet from space. China is also planning to do the same. With IRIS², the EU wants to launch its own satellite system, which will offer an Internet connection throughout the bloc for public and private users. So it’s going to get much more crowded in the sky. As of now, around 7,000 satellites are orbiting the Earth. By 2030, there are expected to be about 93,000. This will offer way more attack options for cybercriminals and consequently also increase the need for high standards of IT security.


How is the security of satellite systems currently regulated?

As things stand, it’s only the GNSS modules of GPS satellites that have to be certified for the highest level of IT security. These are considered particularly critical. After all, around eight billion devices use the GPS data of our European satellite constellations, so it’s vital to ensure that these can’t be compromised by hackers under any circumstances. With the new NIS2 Directive, ground stations and control centres for satellite systems are now also classified as critical infrastructure and are therefore going to have to meet the corresponding IT security requirements in the future.


What does that mean in concrete terms?

Operators will have to carry out a risk analysis, implement appropriate security measures and create response and reporting structures for a possible cyber attack. Violations are likely to result in severe penalties. Since manufacturers of electronic devices are also covered by NIS2 under certain conditions, these requirements might also apply to satellite manufacturers like Airbus Defence and Space or OHB from Bremen.


When will these requirements become mandatory?

Transitional periods are planned after the transposition of NIS2 into national law, which should actually have taken place in October. These may vary from one member state to the next. However, the reporting deadlines for cyber incidents will take effect as early as twelve months after implementation. In other words, the operators of the ground stations really need to push ahead with the implementation of the requirements quickly and across the board.


So, NIS2 creates a basis on the ground in terms of IT security. How far does the planned EU space law go beyond this, and what aspects is it intended to cover?

The EU Space Law – EUSL for short – addresses and harmonises functional safety requirements as already laid down by the European Space Agency (ESA). These are all about avoiding collisions, which are becoming more likely with the growing number of satellites. On another level, the law is intended to improve the sustainability of space travel. The priority is to avoid light pollution and space debris: for example, by requiring a satellite to retain enough energy at the end of its service life to be able to steer it into the Earth’s atmosphere to burn up. The third pillar of the planned space law is completely new and covers comprehensive cybersecurity requirements for the satellite systems themselves. If these are enacted, it will only be possible to launch new satellites and use hardware or software components in their construction if their IT security is guaranteed.


The presentation of the draft law has repeatedly been postponed. Why is it taking so long?

In point of fact, the draft law was largely ready back in the spring. But some member states, including Germany and Italy, objected to some of the individual points. For example, that start-ups and research institutes were to be exempted from these cybersecurity requirements. But a system is only as secure as its weakest link. Instead of exempting start-ups and research institutes across the board, it’s much more important to develop models to support and relieve them financially in such a way that they can meet the requirements without being economically overextended.


And when can we expect the draft law to be presented?

Well, the newly formed EU Commission first has to find its feet, of course. As things stand, the draft law should be presented by the first or second quarter of 2025. If the discussion in parliament goes well, it could be voted on as early as the summer or autumn of next year. As is customary, the law is then likely to take effect after 24 to 36 months. It may be passed as an Act. Transposition into national law won’t be necessary in this case. Instead, the same requirements will apply across the EU, giving the space companies concerned the greatest possible clarity on what they need to do to make their systems cyber-secure.


About Jacques Kruse Brandao:

Jacques Kruse Brandao is the Global Head of Advocacy at TÜVIT. The graduate engineer has been working in the field of identification methods and cybersecurity for 20 years and often operates as a “translator” between the technical and regulatory sides of IT security.