Space sector’s cybersecurity dilemma: Pay now or pay later

MOUNTAIN VIEW, Calif. — Cybersecurity for years has been an afterthought in the commercial space industry — viewed more as a line item than a lifeline. But that mindset is starting to shift as satellite networks grow more interconnected, cyber threats more sophisticated and the financial fallout of breaches harder to ignore, industry officials said Oct. 29 at the MilSat Symposium.

Many commercial operators, they noted, see cybersecurity as non-revenue-generating and difficult to monetize, with limited direct return on investment unless required by government contracts or after a high-profile incident.

Joe Bravman, chief engineer at Lynk Global, which is building a satellite-to-mobile-phone constellation that aims to serve as “cell towers in space,” said the divide between commercial and government cyber priorities remains stark. “The needs of the commercial sector and government sector are very different in terms of cyber security,” he said. The government, for example, has to harden systems for war whereas commercial companies that are not under a military contract are not going to spend money on cybersecurity if they don’t have to.

The cost of encryption technologies has been a barrier. Many of the products now available to make satellite communications encrypted are expensive and out of reach for many commercial space firms, Bravman said.

He argued that cybersecurity needs to be designed into systems from the start. “If you don’t have the right architecture, you can put a lot of band aids on and you never make it secure,” he said. He added that artificial intelligence tools are now enabling new approaches to satellite network defense.

Talbot Jaeger, founder and chief technologist of satellite manufacturer NovaWurks, said the industry’s current approach remains too reactive. Cybersecurity, he noted, has historically been managed at the ground-systems level, with companies often only acting after an intrusion. “Traditional spacecraft and spacecraft architectures were designed before the current cyber threats were envisioned,” he said.

Jaeger pointed to fragmented supply chains and inconsistent requirements across government and commercial programs as compounding factors. Unless minimum standards are mandated or incentivized by customers or regulators, integration of cybersecurity will remain uneven, he said.

Protecting TT&C and beyond

While encryption ensures data protection, Bravman emphasized that it’s only one piece of the puzzle. “Everybody thinks about [encryption] a lot, but you also have to protect the routing, and you also have to protect TT&C,” he said, referring to Telemetry, Tracking, and Command systems — the critical links that let operators monitor and control satellites. “If you lose the satellite because somebody’s played with your TT&C, then it’s game over.”

Growing demand for encryption has benefited firms like Innoflight, which builds space-qualified electronics with multi-layered cybersecurity features and National Security Agency (NSA)-compliant encryption for military satellites.

Jeffrey Janicik, Innoflight’s chairman and founder, said both commercial and government sectors have been reactive about cybersecurity. That’s starting to change, but uneven requirements persist. “We’re trying to stay ahead of that too,” said Janicik. “We’re looking ahead, looking at all the standards, all the requirements.”

Innoflight has been in the cryptography business for decades, and Janicik said the company is bracing for “what I think is a wave of requirements that will come.” He suggested a more formalized system to enforce standards: “It could be the architecture, it could be the ground, it could be the vehicle, where you have to hit a certain rating, otherwise you cannot bid. It’s got to get to that point. There’s no question about it.”

Still, Bravman noted that even when high-assurance products are available, they can be prohibitively expensive. “They’re great products, but they cost too much, and that’s pretty much true across the board,” he said. Producing small batches and obtaining NSA certification only drive up prices further.

He compared the process to drug development: high upfront costs driven by rigorous validation and review. Achieving NSA cryptographic certification, NIST Risk Management Framework compliance, and full mission assurance requires extensive development, validation, and third-party oversight.

Cost now or cost later

Jaeger said commercial operators can no longer afford to treat cybersecurity as optional. The industry, he said, must find ways to make the cost of cybersecurity part of a system’s foundation. Threats are growing, and companies face a simple choice: pay now or pay later.

Bravman noted that not every solution requires expensive hardware. “The space industry should look at other options to implement cybersecurity that do not require costly encryption technologies,” he said. Standards from the 3rd Generation Partnership Project (3GPP), which defines protocols for mobile communications, could play a role. “They are starting to get serious about this,” he said. “There’s a lot of things beyond encryption to just make the system resilient.”

As threats evolve, executives at the conference agreed, the industry’s traditionally reactive stance may no longer be sustainable.