Satellites, ground stations, and space systems all rely upon cyber systems to function and communicate. A whole new industry has opened up to ensure security and safety, including high-level encryption, in this new frontier. These systems are vulnerable to hackers, especially when open-source or commercial software is used.
A few years since reforms were made to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) in 2021-2022, and further reforms from November 2024, the “space technology sector” remains a key economic opportunity through commercial provision of services, but it also raises security risks owing to a lack of scrupulous cybersecurity measures.
Far from being a futuristic concern that ordinary Australians don’t need to think about, much of the technology we rely upon is increasingly dependent on space technology. From communication tools using satellites, weather and emergency monitoring, cashless payments, stock trading, military surveillance, intelligence, and commercial business, these assets are hugely beneficial but also vulnerable to hackers.
Commencing in April 2022, the Security of Critical Infrastructure (Application) Rules have fallen short of classifying assets within the space technology sector, unless that asset is also classified as an asset within critical infrastructure, such as communications.
By 2030, it is estimated that there will be between 27,000 and 65,000 satellites in space, reaping more than $1.5 trillion in commercial revenue.
Without classification of space technology assets, and proactively ensuring cyber security measures and standards apply, the government has failed to ensure that Australia is prepared for increasing, sophisticated attempts at hacking systems that govern our national security and commercial sectors.
Chuck Brooks, President of Brooks Consulting International, is an expert in cybersecurity and emerging technologies. In April last year, Brooks wrote: “Malware, which can be uploaded to satellite terminals by hackers, can take control of the devices, shut them down, or break communication with the ground. A mass attack against satellites may disrupt everything from text messaging services to GPS navigation.”
He added, “More satellites are in low Earth orbit than ever due to the sharp decline in launch costs. This has expanded the pool of targets that hackers may go after, both at Earth-based control centres and in space.”
Brooks tells LSJ Online, “There are more than 90 countries with active space operations today and all need to be regulated around security measures to avoid incidents. Since the US has the most satellites and investments in space systems, it makes sense that they are the most active in creating legislation that anchors policy for space technologies.”
He adds, “The development of space and defense capabilities is progressing, thanks to a number of European Defence Fund and permanent structured cooperation (PESCO) initiatives that are building the capacities the EU will require in these areas. The civil, defense, and space industries are looking to collaborate. Additionally, as it works to strengthen its alliances on space security, such as those with the United States and the North Atlantic Treaty Organization, the EU is becoming increasingly involved in global governance concerning space-related matters.”
Cyber security legislative reforms
The consultation period on the subordinate legislation to the Cyber Security Act 2024 and Security of Critical Infrastructure Act 2018 ceased submissions on February 14 2025. Consultations have been ongoing since December 2023, and the Cyber Security Act 2024 was passed in the Senate on 25 November last year.
Key amendments include:
- Inclusion of Data Storage Systems: Businesses must now ensure their risk management and reporting obligations include data storage systems holding business-critical data.
- Enhanced Government Assistance: The government can now provide assistance beyond cyber incidents, including natural disasters and terrorist attacks, which requires commercial-government cooperation.
- Stricter Risk Management Requirements: Businesses can now be directed by the regulator to address problematic (and/or noncompliant) deficiencies in their risk management programs.
- Telecommunications Sector Integration: The SOCI Act has integrated aspects of the Telecommunications Act, consolidating obligations upon the telecommunications sector from both acts.
Following consultation and reforms introduced by the Cyber Security Act 2024 (Cth) upon its introduction on 25 November last year, space technology is still not addressed in isolation, but this is not a reason for concern, says Jason Sprague, partner at Bartier Perry. The Act mandates minimum security standards for smart devices, which may include satellite communication devices, requiring manufacturers and suppliers of these devices to comply with standards of encryption, authentication, and risk mitigation when those products are sold in Australia.
“In terms of the way that legislation was drafted, it looks at key assets and elements within telecommunications, health, and other sectors considered essential services,” Sprague says.
“While there’s increased regulation, the legislation is not drafted in a way that penalises people. Not unlike anti-slavery legislation, it’s about bringing people on the journey and working with them to improve their security positions, trying to create a stronger system within an organisation so that their risk identification and threat prevention approach accords with best practice.”
In addition to the legislation and compliance measures imposed on various industries, Sprague says, “We’ll also see that private enterprises have contractual obligations that will build in additional security aspects, liabilities and so on. There’s still a lot of need for lawyers and legal experts to work with businesses to go through those particular contractual arrangements and issues from the legislative side.”
Sprague adds, “Space is an evolving area and there’s a view from government that they might stifle involvement if they clamp down too harshly, especially when it’s been an expensive sector to enter. To date, we don’t know of any bad actors regarding Australian assets. We’ve had data breaches, but these may not become public knowledge, especially if there are arrangements with international partners – like the US government, for example – owing to national security secrets.”
Liability for space and terrestrial assets
“It’s very hard to get insurance for space-based assets, especially if they’re at higher risk of loss or damage, such as a launch pad. It’s often cost prohibitive. So, because people don’t insure these things, there’s a higher risk for those objects in space compared to your terrestrial assets. In terms of liability, there are various acts in place, and also international treaties. The jurisdiction lies with the country where assets are launched from, but if you have a launch arrangement with another country, then you will also have contractual obligations in terms of launch permits and whose liability it is. The person whose asset it is will have signed an arrangement with the launching state about liability for the asset once it’s in space.”
Whether an asset such as a satellite is considered critical infrastructure and must comply with greater security measures comes down to who is using it, rather than the technology itself.
Sprague explains, “The allocation of a piece of technology as critical or not will often depend on who’s using it. There are some bespoke government-launched assets which are sensitive and critical, but they’ll either be military-capable, or they’ll already be identified as being used by certain sensitive sectors like health and telecommunications, so they’ll be restricted as far as who can access it and use it. Those low orbit satellites that are used by the agricultural sector or mining sectors to assess land and conditions do not, likely, affect national sovereignty and therefore would not be considered critical.”
One risk that space technology pundits have lamented is the ready use of open source software (OSS), which is at heightened risk of security breaches owing to its transparent code. This increases the possibility of ‘denial, disrupt or destroy’ attacks that target the collection, transmission and holding of data, and the data itself. Another key risk is the growing commercial sector manufacturing, designing and crafting space technology and components thereof. The more stakeholders, and the more complex the supply chain, the greater the security risks become.
Sprague says that many contractual agreements, especially in government and military, ban OSS or have stringent testing, analysis and security protocols applied to its use.
The US, Finland and other Nordic nations are the leading nations in space cybersecurity. The US has relied upon initiatives from NASA, DOD, and the Space Force, while Nordic nations invest strongly in cybersecurity, with an assumption this will extend to the space sector.
In 2020, the US issued cyber security standards for space systems to ensure the security and protection of commercial space systems. The Space Policy Directive-5 Cybersecurity Principles for Space Systems policy was comprehensive, but critics have pointed to the US failure to classify space as a critical infrastructure sector.
NASA’s Space Security Best Practices Guide is publicly available for use by industry, international partners, and those working in the field of space exploration and technology.
Guidelines for space cybersecurity
In an article in Homeland Security Today, Chuck Brooks and Paul Ferrillo Esq provided guidance on “Protecting Space-Based Assets from Cyber Threats”.
Brooks tells LSJ Online, “In our article, we set forth below a non-exclusive list of security elements for defending space-based assets and satellites, along with ground-based control flight networks. We have adapted these from Defending Spacecraft in the Cyber Domain and government sources.”
The security elements fundamental to security in space are as follows:
- Security by design – not security as an afterthought – built into every satellite from the ground up.
- Identity and access management (“IAM”) – those accessing flight control information and surfaces need to be identified and verified by an IAM solution that vets the user, using machine learning identifiers, to attempt to prevent unauthorized access to critical vehicle functions.
- Multi check for IoT related devices – IoT devices must be able to be updated; no hard-coded passwords should be allowed.
- The backbone of a cyber-resilient spacecraft should be a robust intrusion detection system (IDS). The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states, and should anticipate and adapt to mitigate evolving malicious behavior. The spacecraft IPS and the ground should retain the ability to return critical systems on the spacecraft to a known cyber-safe mode. Logging should also be available to cross-check for anomalous behavior.
- It is critical that spacecraft developers implement a supply chain risk management program. They must ensure that each of their vendors handles hardware and software appropriately and with an agreed-upon chain of custody. Critical units and subsystems should be identified and handled with different rigor and requirements than noncritical units and subsystems and should also be constructed with security in mind. All software on the spacecraft should be thoroughly vetted and properly handled through the configuration management and secure software development processes (DevSecOps).
- Both the spacecraft and ground should independently perform command logging and anomaly detection of command sequences for cross-validation. Commands received may be stored and sent to the ground through telemetry and automatically checked to verify consistency between commands sent and commands received.
- Protections should be carried out against communication jamming and spoofing, such as signal strength monitoring and secured transmitters and receivers; links should be encrypted to provide additional security.
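
The command cross-validation described in the list above can be sketched as follows. This is an added example, not code from the article or its sources; the record layout, command names and log contents are constructed for illustration.

```python
import hashlib
from collections import namedtuple

# Hypothetical record layout: uplink sequence counter, opcode, raw argument bytes.
Cmd = namedtuple("Cmd", "seq opcode args")

def digest(cmd):
    """Fingerprint of a command's content, independent of log formatting."""
    return hashlib.sha256(cmd.opcode.encode() + b"\x00" + cmd.args).hexdigest()

def cross_validate(ground_sent, spacecraft_received):
    """Compare the ground's uplink log with the on-board receive log
    (as returned in telemetry) and list every inconsistency as (kind, seq)."""
    sent = {c.seq: c for c in ground_sent}
    seen, findings = set(), []
    for rx in spacecraft_received:
        if rx.seq in seen:
            findings.append(("replayed", rx.seq))            # counter accepted twice
        elif rx.seq not in sent:
            findings.append(("not_sent_by_ground", rx.seq))  # possible spoofed uplink
        elif digest(rx) != digest(sent[rx.seq]):
            findings.append(("content_mismatch", rx.seq))    # altered or corrupted
        seen.add(rx.seq)
    for seq in sorted(set(sent) - seen):
        findings.append(("never_received", seq))             # dropped or jammed
    return findings

# Constructed sample logs (not real telemetry).
GROUND_LOG = [
    Cmd(101, "SET_MODE", b"\x01"),
    Cmd(102, "POINT", b"\x10\x20"),
    Cmd(103, "DOWNLINK", b"\x05"),
    Cmd(104, "HEATER_ON", b"\x02"),
]
SPACECRAFT_LOG = [
    Cmd(101, "SET_MODE", b"\x01"),
    Cmd(102, "POINT", b"\x10\x99"),    # arguments differ from what was sent
    Cmd(250, "SAFE_MODE_OFF", b""),    # ground never sent this
    Cmd(104, "HEATER_ON", b"\x02"),
    Cmd(104, "HEATER_ON", b"\x02"),    # same command accepted again
]

if __name__ == "__main__":
    for kind, seq in cross_validate(GROUND_LOG, SPACECRAFT_LOG):
        print(f"seq {seq}: {kind}")
```

Each finding maps to a different follow-up: a command the ground never sent points at the uplink path, while a command never received is also consistent with jamming or link loss.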