Protecting Space Systems from Cyber Attack
Cyber threats pose a significant and complex challenge due to the absence of warning, the speed of an attack by an adversary, the difficulty of attribution, and the complexities associated with carrying out a proportionate response.
Space systems face many well-known types of attack, including orbital, kinetic, and electronic warfare, but are also vulnerable to forms of cyber threat. Cyberattacks can occur across multiple segments — space, communications link, and ground — within a space system architecture and are often overlooked in wider discussions of cyber threats to critical infrastructure.
What does this mean for the satellites on orbit used every day for weather predictions, communications, or GPS? We asked our space cyber expert, Brandon Bailey, to weigh in on our questions.
How vulnerable are satellites to cyber attack?
Satellites are more vulnerable than some people realize; per the National Institute of Standards and Technology (NIST), a cyber attack is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”
With the overall advancement of knowledge around space technologies, “security by obscurity” for space systems no longer exists, and as satellites have become more digitized and software-driven, the attack surface has expanded. There are a variety of methods adversaries can use to disrupt, disable, destroy, or maliciously control satellites or their ground-based systems which command/control the satellites. The methods range from “script kiddie” attacks — individuals on the ground — known as a TIER I threat, to nation-state level attacks, including supply chain intrusions or space-based attacks. A cyber attack is not a monolithic threat — it can take many forms, have diverse entry and exploitation vectors, and can enable a host of crippling effects when triggered.
As space systems have continued to grow in complexity, they are often perceived as a “black box” of poorly understood but interconnected space-cyber. This is dangerous because cyber threats are relatively cheap to develop compared to other anti-satellite technologies. Additionally, cyber attacks can have a large attack radius, targeting an entire constellation of satellites.
A cyber attack is particularly attractive for adversaries to develop and leverage in time of conflict. For satellites, the boundary is often thought to be the communications link, i.e., the radio frequency link, or the ground system in general. If the boundary is breached, little internal protection exists within the satellite and an adversary can operate unhindered inside the system — in a similar way to the early days of traditional cybersecurity when border firewalls were the only protection from intrusion. Well-protected terrestrial IT systems are now designed with defense-in-depth principles.
Both large traditional developments and more modern rapidly developed space systems should ensure that they have a cyber-hardened design with defense-in-depth throughout. In the traditional sense, when cybersecurity protections have been deployed, the focus has commonly been on the ground segment with little research or guidance on securing the space segment, i.e., the satellite. A space system should have cybersecurity protections applied to both the ground and space segments which will aid in reducing the likelihood of a successful cyber attack on a satellite.
What are some of the biggest cyber threats to space systems?
The physical nature of a space vehicle and its operational environment are critical when analyzing the cyber threats and vulnerabilities of a satellite mission. The satellite must be able to communicate, maintain orbit, and deliver power to mission-significant components. Based on space vehicle mission impact, these are the three systems likely to be targeted. If the ability to communicate is subverted, i.e., attacking Telemetry, Tracking & Command (TT&C) systems, then the asset will be unable to support its mission. Similarly, should an adversary target the vehicle’s orbital dynamics by modifying the attitude control algorithm or firing a thruster to destabilize the space vehicle, the effects would be devastating to the mission. With any capability degraded or removed, a mission could be compromised.
A sample list of attacks that could compromise a satellite mission include:
- Subversion of ground system capabilities by utilizing the ground system to maliciously interact with a satellite
- Communications hacking on TT&C systems via command link injection, replay attacks, or electronic attacks like jamming and spoofing
- Malicious features embedded during hardware development, including hardware-based trojansDesign vulnerability exploitation, where designed-in features of the system are used for malicious purposes, i.e., direct memory writes to a satellite
- Software-defined radio compromise
- Software weaknesses and vulnerabilities exploitation
- Insider threats
What are some of the tactics used to attack space systems?
The tactics to attack a space system vary depending on the entry point or target. A space system is comprised of the ground segment, the link segment, and the space segment. The tactics will differ depending on which segment is attacked.
The term “hacking” is used to describe a tactic on the ground segment where more traditional cyber tactics will work. The ground segment is comprised of mostly traditional information technology like Windows and Linux workstations and servers, so traditional Tactics, Techniques, and Procedures (TTPs) will work from the ground system to the level of the modems and antennas. Attacks on modems and antennas resemble an Industrial Control Systems (ICS) attack. Many of the TTPs from MITRE’s Adversarial Tactics, Techniques, and Common Knowledge, or ATT&CK, framework are commonly successful on ground systems. A combination of MITRE ATT&CK for Enterprise and ICS can be leveraged to identify ground system vulnerabilities.
Ultimately the tactics used would be geared to the objectives an adversary wants to achieve — it could include denying ground telemetry and mission data processing, denying all communications to the satellite, denying the ground’s ability to perform satellite commanding, degrading confidence in system health tools, compromising mission data, exfiltrating mission data or even executing commands on the satellite.
There are fewer tactical options for the link segment as these are more widely understood and well-protected. A long-standing practice for satellite providers is to protect the link segment with Communications Security (COMSEC) used to secure the confidentiality of data at rest or in motion (transmission), and Transmission Security (TRANSEC) used to ensure the availability of transmissions and limit intelligence collection. Without these protections, tactics like jamming, spoofing, command link instruction, radio frequency replay attacks, etc. can be used to impact the satellite. Link layer attacks are more electron warfare than cyber but should be considered when developing a space system strategy.
As for the space segment, satellites are traditionally composed of many elements that process, store, and transmit data, each of which could potentially serve as an attack surface. Satellites are a combination of embedded hardware and software operating in the physically isolated environment of space.
While the system is in development on the ground, however, it is exposed to many of the same threats traditional embedded systems face. The satellite itself can be compared to an internet of things (IoT) device in space. Adversaries undoubtedly seek means to exploit resident vulnerabilities to gain access to, and act upon space vehicle capabilities. Space vehicle subsystems vulnerable to cyber attack target include:
- Attitude Determination and Control (AD&C)
- Command and Data Handling (C&DH)
- Electrical Power and Distribution Subsystem (EPDS)
- Propulsion Subsystem (PS)
- Structures and Mechanisms Subsystem (SMS)
- Telemetry, Tracking, and Command (TT&C)
- Thermal Control Subsystem (TCS)
Like many embedded systems, the interdependencies among subsystems can be leveraged using similar attack methods and patterns for the space vehicle that have been proven to work on more traditional IT or Operational Technology systems.
When targeting a satellite, the flight software would likely be targeted more than most other subsystems given the integration with C&DH and the other subsystems within the satellite’s architecture. Flight software (FSW) based attacks extend through the entire lifecycle of the mission. FSW is re-programmable during the life of the mission; therefore, adversaries have time during development on the ground through post-launch operations to insert or activate malicious logic.
Hardware-based attacks would be mostly restricted to pre-launch where physical access is more widely available. Protecting the hardware supply chain or hardware from physical intrusion during development is critical, but protecting the FSW layer, or the re-programmable logic on FPGAs, requires careful attention throughout the space vehicle’s lifecycle. Like any computational system, satellites are vulnerable to cyber intrusions during all phases of engineering, deployment, and operations. When dissecting the applicable cyber threats and vulnerabilities, it is important to identify an attacker’s desired goals to determine where and how an adversary may target a satellite.
Are cyber security measures for space systems markedly different than protections for terrestrial networks?
Security measures will vary depending on the segment. The controls you apply on the ground and link segment are different than the space segment. However, there are tried and true security principles that transcend the segment. Access control, authentication, authorization, least privilege, etc. are all items that can apply to any segment. Security is sometimes branded using phrases like “zero-trust,” but ultimately security for any sector comes down to guiding principles.
Space Policy Directive-5 (SPD-5), released in September 2020, highlighted the following security measures that must be considered for space systems:
- Physical security of TT&C environment
- TT&C protection using encryption or authentication
- Jamming and spoofing protections
- Supply Chain Risk Management
- Insider Threat
- Follow basic cyber hygiene as well as adherence to National Institute of Standards and Technology (NIST) guidance
With space cyber threats emerging from nation-state actors, government and industry stakeholders identified the need for implementation of additional defenses. Space-centric cybersecurity standards and governance have been slow to materialize, however, and are lagging behind the growth of the cyber threat. Defense-in-depth techniques for space system protection must be adopted across government, industry, and the international community to ensure systems are resilient to cyber compromise. Potential solutions will include increased cooperation across these domains and require a blend of policy, standards, and technical solutions.
The federal governance structure for general IT-based cybersecurity made strides with the maturation of the NIST Risk Management Framework and Cybersecurity Framework. However, parallel progress specific to the space domain still needs to be developed. NIST maturity standards and guidelines help organizations to improve their cybersecurity measures and best practices, but these aspects are not all directly applicable to the space domain. NIST has published Introduction to Cybersecurity for Commercial Satellite Operations — a specific method for applying the Cybersecurity Framework to the commercial space business — to tailor these security controls and principles. It describes an abstracted set of cybersecurity outcomes, requirements, and suggested controls. Other efforts within government are translating security principles to the space domain, attempting to mold these frameworks for space systems. Updated standards and guidelines for space systems are likely warranted, however. SPD-5 has identified this gap and established that U.S. agencies will “foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats and ensure continuity of operations.”
While there are no approved space cybersecurity standards that are widely adopted, there are initiatives across the space community addressing cybersecurity for space systems, derived from existing principles from the NIST 800–53 and CNSSI 1253 security catalogs. Translating these principles into implementable requirements and standards for the ground, link, and space segments in the space system is the work that still needs to be done. Failures typically happen with a one-size-fits-all solution; protecting the ground will require different security control baselines than protecting the satellite. Space system engineers need an understanding of the underlying intent of security principles to properly perform this translation with the considerations of size, weight, power, and computational resources of the satellite.
The following considerations are imperative and must have appropriate security controls implemented to protect, detect, respond and recover:
- Protect the ground system from cyber attack
- Protect the ground-to-space command link and any cross-links
- Establish robust strategy for cryptography key management. If key management is poor or keys are stolen, encryption provides little value on protection
- Protect the supply chain and protect the development environment from compromise. Given the complex nature of space vehicle supply chains and the expanding commercialization of space, protecting the supply chain is becoming of upmost importance
- Ensure secure software development procedures are in place to prevent design flaws, insecure logic, and coding defects that could affect the flight software
- Design for cyber resiliency on-board the satellite to ensure proper detection, recovery, and response leveraging automation, machine learning and other forms of artificial intelligence
What does it mean for a spacecraft to be “cyber-resilient?”
There is no single authoritative definition for cyber resiliency, but there’s strong commonality among cybersecurity organizations and operational contexts. NIST’s definition for cyber resiliency is the ability “to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” The application of resiliency for a spacecraft could mean adaptation, absorb/withstand, anticipation, and recovery. These terms also align with the traditional cybersecurity framework for identify, protect, detect, recover, and respond. A spacecraft would need to be able to self-heal or adapt while withstanding a cyber attack in addition to anticipate, i.e., detect, attacks it hasn’t seen before. Cyber resiliency on spacecraft may require aspects of machine learning / artificial intelligence to achieve this goal.
The following principles could aid in designing a cyber resilient spacecraft:
What are some of the challenges in designing space systems for the future?
A distinction needs to be made between cybersecurity challenges for systems that are currently operational, i.e., on orbit, versus those that are in active design or development. Guidance may differ significantly between these two states due to the constraints and potential solution space afforded to mission owners. Especially for the satellite, discussion of challenges is mainly focused around future system deployments. For systems currently in operations, addressing cybersecurity issues is mostly relegated to updates on the ground segment. Software updates can be made in orbit, but these can be risky therefore usually not performed due to potential mission loss.
For ground-based protections, the biggest challenge is knowledge and budget. Since ground mimics more traditional IT systems, budget, standards/requirements development, and knowledge transfer are necessary. For protection of satellites, the biggest challenges are education on the threats and the development of on-board cyber technology that fit within the size, weight, power and computational limitations of the satellite. Satellite engineers have a strong desire to utilize what has worked in the past; therefore, to make the change to implement “security on-board” it will require a change. There are not an abundance of options for security solutions to deploy on-board a satellite. More investment is needed by government and commercial entities to develop and mature security solutions that can work within the footprint of a satellite and have the desired effect of cyber resiliency to protect, detect, recover and respond.
Brandon Bailey is a cybersecurity senior project leader at The Aerospace Corporation. He has more than 16 years of experience supporting the intelligence and civil space arena. Bailey’s specialties include vulnerability assessments/ penetration testing for space systems and infusing secure coding principles within the software supply chain. Before joining Aerospace, Bailey worked for NASA, where he was responsible for building and maintaining a software testing and research laboratory to include a robust cybersecurity range as well as spearheading innovative cybersecurity assessments of ground infrastructure that support NASA’s mission operations.
Bailey is the author of several papers on space cybersecurity, including: Translating Space Cybersecurity Policy into Actionable Guidance for Space Vehicles and Defending Spacecraft in the Cyber Domain