India Needs Better Cybersecurity for Space, Critical Infrastructure

A year ago, India landed a spacecraft — the Chandrayaan-3 — on the moon, becoming only the fourth nation to accomplish such a feat.

Yet, while the country continues to invest in its space capability and ground-based support infrastructure, a greater focus on cybersecurity is necessary to protect the software and hardware on which the systems rely, Dr. Sreedhara Panicker Somanath, chairman of the Indian Space Research Organization, said in a speech last week at the groundbreaking for a cybersecurity training center.

With nearly five dozen satellites in orbit, large nationwide networks for collaboration, and command-and-control networks that connect across the globe for 24-hour access to space-based assets, India needs to focus on cybersecurity for the entire system, he said.

"When the Chandrayaan-3 was landing, our data was coming from Australia and Spain and South Africa and many other places, and we have been coordinating to work with all of this during the landing process," he said. "You should all realize that such command and control of satellites from across the globe could be very, very vulnerable, and ... many of our satellites can become ... easily targets of such attacks."

India is one of perhaps a dozen nations with space ambitions. The competition between nations has bred threats to ground- and space-based infrastructure, and attacks on space systems have increased as nation-state conflicts have heated up. In 2022, Russian attacks on Ukraine's connection to the Viasat KA-SAT network caused communications outages as the Russian army invaded the country. Soon after, Russia cyber-operators attempted to hack and jam the Starlink network, SpaceX CEO Elon Musk stated at the time, while hackers claimed responsibility for delivering malware to a host of satellite terminals, taking communications offline in 2023.

The attacks demonstrated to the world that the cyberthreat to satellites is real, although attackers to date have mostly focused on disrupting communications. However, an emerging space effort, such as India's, could attract regional attackers, says Patrick Lin, director of the Ethics + Emerging Sciences Group at California Polytechnic State University in San Luis Obispo, which received a grant in 2022 from the National Science Foundation to study cybersecurity for space systems.

"India doesn't have as many adversaries as the United States does — its main competitor and sometimes adversary is China, but it also has tense relations with Pakistan," he says. "China has advanced cyber capabilities as well as a strong space program, and it doesn't like regional competition much, so it's not a stretch to think that China and others might target India's rise as a major space power."

Space: The Next Frontier for Cyberattacks

India's current effort aims to develop the cybersecurity tools and expertise to protect its space-focused systems and software, much of which are created in-house or by domestic firms. India already sees more than 3,300 attacks per week per organization, which is 81% higher than the global average of 1,830 attacks, according to data from Check Point Software.

Rapid digitization makes India a growing target, says Omer Dembinsky, data research group manager at Check Point Software.

"Indian organizations face double the global average of cyberattacks due to rapid digitalization, which has outpaced the implementation of robust cybersecurity measures, creating a large attack surface," he says. "A fast-growing Internet user base, underdeveloped cybersecurity infrastructure not able to keep up with the growing sophistication of cyberattacks, and lack of cybersecurity awareness within organizations also make them attractive targets."

The aerospace and defense sector is ranked as the fifth most-attacked industry, and India's space agency reportedly faces more than 100 attacks daily.

Other space-based nations are rapidly researching the potential of cyberattacks targeting space assets and how to defend against those attacks. The US National Institute of Standards and Technology (NIST) has teamed up with MITRE Corp. to create a version of its NIST Cybersecurity Framework for the space sector, while The Aerospace Corp. has created the Space Attack Research and Tactics Analysis, or SPARTA, matrix. The Aerospace Corp. also worked with the US military to create a satellite that can act as a testbed for real-world cyberattacks on space assets, called "Moonlighter."

India Needs Cybersecurity Training

Space is not the only industry that needs cybersecurity professionals, so government initiatives such as Atmanirbhar Bharat — or "Self-Reliant India" — hope to create more startups and a larger ecosystem of homegrown software. Indian organizations have more than 40,000 openings for skilled cybersecurity workers, according to tech staffing firm TeamLease. The country had only about 100,000 cybersecurity professionals in 2021, which tripled to 300,000 in two years.

The need for increased cybersecurity expertise is acute, says Check Point Software's Dembinsky. The country needs to support more training for cybersecurity professionals and emphasize a focus on cyber-awareness training programs.

"The demand for proficient cybersecurity professionals surpasses the qualified talent pool, creating a significant industry void," Dembinsky says. "Currently, a lot of focus on skilled cybersecurity professionals burnout is being reported on, due to the consistent nature of managing these evolving threats."

In addition, the focus on research and development in space technology means that most projects are novel and lack rigorous security testing. The reality of these obscure technologies is that they both benefit — and suffer — from their uniqueness, says CalPoly's Lin.

"Many space projects today are ... one-of-a-kind prototypes in this new era of experimentation with space technologies," he says. "This provides a 'security by novelty' layer of protection, but the flip side of that is, if your technology is under-studied by threat actors, that means you don't know where your system's vulnerabilities are, either."

The lesson for India should be that critical infrastructure — whether it supports scientific research, corporate intellectual property, or financial transactions — is not safe, says ISRO's Somanath.

"Nothing is safe in the world — I think anybody can hack or create havoc in our system," he said. "The data that we have collected, especially the design data, or the personal data or the scientific data that we are created over the years, could all be very vulnerable."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!