The United States Space Development Agency’s director Derek Tournear, recently said that he does not consider missiles as the biggest threat to the satellites, instead, the cybersecurity and intrusion attacks are more dangerous in today’s scenario. Although satellites are physically far away, throwing them into space and having a global, always-on connection means they should be always available. That opens up ways for more vulnerabilities and offers attackers more access. The missile attack would destroy a few satellites and soon the attackers will face retaliation but the cyberattack on satellites is more worrisome and could destroy an even larger number of satellites. The satellites are getting more software-driven, using components like software-defined radios and having more complex codebases, software vulnerabilities are also a large issue with these systems. The low cost, low power, and compact commercial-off-the-shelf (COTS) components also make smallsats more vulnerable. With the easier access to space and the boom of new space services collecting valuable data, space assets are becoming an attractive target for hackers. The shift of paradigm and transformation of the space domain through new ways of utilizing space and recent technological advances such as mega-constellations, 5G, Internet of Things, artificial intelligence, and advanced materials have resulted both in major challenges and new opportunities.
Advanced threat-actors are turning away from just simple data theft and look instead to cause mass disruption. And as cities and nations trend towards ‘smart city’ infrastructure, the attack surface has grown exponentially – meaning that the risk has never been higher. These attacks have the potential to compromise our most critical infrastructure by turning off the lights, disrupting transport systems, and ultimately threatening public safety. Recent times have shown us that geopolitical tensions are beginning to be played out in cyberspace. Nation-states will have to be on high alert to protect their energy grids, manufacturing plants, and airports from sophisticated cyber threats. Another important point to consider is that a satellite can be threatened through the sensors connected to it. Attacks on these sensors would lead to catastrophic failure of satellite systems. One example is the use of a satellite to update the subscriber identity module (SIM) cards in mobile IoT devices such as autonomous vehicles. This “efficient content delivery” is planned for a variety of reasons, such as its bypassing of a degree of telecom complexity and expense by allowing 5G devices to be accessed directly by satellite. The satellite threat vector goes both ways, up and down (space and ground). A satellite if hijacked would be extremely dangerous not only from the information leakage point of view but also to other satellites that can be accessed through it. With the development of IoT devices, a number of ways for hackers to invade user privacy have opened. The world of IoT includes a huge variety of wire and wireless devices like smartphones, personal computers, PDAs, laptops, tablets, and other handheld embedded devices. The generic topology of the IoT is seen in layers to incorporate the Datacenter, Gateway, IoT Gadgets, and Sensors. The IoT devices used sensors and wireless communication networks to communicate with each other and transfer information to the centralized system. These days the embracing rate of IoT devices is very high, increasingly gadgets are connected via the internet. In the current scenario, these devices are targeted by attackers and intruders.
Terra (EOS AM-1), a NASA’s multinational satellite was targeted by hackers who gained unauthorized access to its command and control systems but did not issue any commands. This satellite was launched in 1991 and this attack happened in June and October 2008. Similarly, in 2011 cyber intruders gained full access to 18 servers supporting key NASA’s Jet Propulsion Laboratory (JPL) missions and stole 87 gigabytes of data. More recently, in April 2018 JPL discovered an account belonging to an external user had been compromised and used to steal approximately 500 megabytes of data from one of its major mission systems.
Small satellites are becoming driven by software and completely networked. That’s where the vulnerability comes in. Cybersecurity experts are particularly concerned about cybersecurity at some of the startups, with fewer than 100 employees that are building small satellites. They generally don’t employ security officers or hire anyone trained in securing networks. Factors like very tight timelines, low experience on the development teams, and small budgets make small satellites more vulnerable to cyber threats.
Edge AI is a system that harnesses AI and ML algorithms and processes the data generated by a local Edge Computing environment locally. It holds the potential to greatly enhance security levels, especially in terms of data privacy due to the lack of a centralized repository. It can prove to be a better and more robust way to tackle threats. Edge AI transfers the ability to process information to a distributed model rather than the legacy central model. This increases the speed of both data processing and data churning. Edge AI’s distributed model can address privacy requirements and maintain a much stronger operational security posture.
The satellite communication network intrusion detection system ensures the security of satellite communication by detecting illegal intrusion in the satellite network. However, because of the complexity of the satellite network and the expensive communication link, many challenges arise while developing a flexible and effective Intrusion Detection System for unforeseen and unpredictable attacks in the satellite network. In this article, I also talk about the intrusion detection system framework for smallsats.
Space Cybersecurity is an Emerging Area for Cybersecurity Professionals
Demand for cybersecurity professionals has never been greater. Many surveys have predicted that job postings related to cybersecurity will grow tremendously. We can say that the space sector is going to be the most attractive destination for cybersecurity professionals because space assets are extremely important for numerous commercial and military applications. The emerging space technologies and reliance on space assets are a clear indication of it. No country or group of countries can lay claim to outer space. But now that space is being used by humans more and more, it’s important the world comes up with ways to protect it.
Industries like transport and logistics, location data is routinely recorded in real-time from GPS satellites and sent to back offices to allow teams to track drivers and assets. Organizations that have remote outposts or ocean-going ships can’t exactly get online via a mobile or cable network, so they have to use communications satellites instead. On top of that, satellites store sensitive information they collect themselves, which might include images of sensitive military installations or critical infrastructure. If a hijacked satellite could collide with another satellite or station, causing severe damage. Security needs to be considered from the ground up and deeply incorporated into a system. There are literally thousands of active satellites upon which we depend, still, satellite cybersecurity is not considered as important as the cybersecurity of terrestrial networks.
The various types of possible cyberattacks on space segments, ground stations, and control segments are getting increasingly visible and have been indeed frequent. What to do in order to counter such occurrences is less obvious and needs to be addressed with priority and a whole new family of countermeasures. This article will address the security-specific aspects of its space missions. Threats related to different types of cyberspace missions will be presented, and possible countermeasures will be discussed. The motivations that may induce some offenders to cause damage to space missions will be then examined.
To ensure that cyber attacks are prevented or mitigated, agencies should emphasize resilience and implement forward-looking technology solutions. Agencies can embrace strategic partnerships to leverage the cutting edge in space operations while building resilient, secure satellites. The regulator should lead the way to communicate and share information between government and industry.
Motivations of Attackers
What are the motivations for potential attackers to expend effort and undertake risks to damage space systems? One possible motivation can be the search of technological information by commercial or institutional competitors, possibly by means of third parties: the knowledge gained by hacking equipment or data could be used to bridge technological gaps and gain competitive advantages in the space arena. Cybercriminals could insert themselves in this race by gathering information and technical details that they could sell to interested parties for some sort of financial advantage. This would require considerable technical skills including the ability to do reverse engineering, to make sense out of the gathered information. Employees of the organization could be the sources of additional threats, seeking some sort of revenge for perceived mistreatment or simply unwittingly creating havoc with their negligent behavior. Insider threats are indeed often referred to in the literature as major sources of hacking problems.
Intrusion Detection and Prevention Systems
A cyberattack can cause serious damage to an end user’s operations. Imagine that hackers target a remote electric substation. The hackers can intercept uplink or downlink packets from the substation’s IP address or inject data to the user system connected to the IP address. Let’s say this false data is injected into an autonomous drone connected to this substation, this false information could result in an override of the system or even crash the aircraft.
There are a variety of means, for instance, through which an attacker can send malicious traffic from one system to a connected system. Once security has been bypassed, there is a high possibility that the attacker will be free to migrate laterally into any of the myriads of connected and downstream systems. It is necessary for all national critical space systems to be appropriately hardened against cyber threats. A space system comprises and should have cybersecurity protections applied to all four segments: space, ground, link, and user.
The backbone of a secured satellite should be a robust intrusion detection system (IDS). The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states. From a telemetry monitoring perspective, several parameters exist that have the highest likelihood of indicating a cyberattack against a spacecraft and should be actively monitored on the ground and looking into the future onboard the spacecraft with the IDS.
The IDS should implement both signatures- and machine-learning-based anomaly detection techniques, an approach. Signatures should be derived from known threat information and weaknesses in the system, which have been identified by analysis. Machine-learning algorithms should be trained on a dataset that includes a variety of typical system operations. Space operations in general lend themselves well to machine-learning approaches for anomaly detection. Space operations tend to be highly structured and predictable: operators rarely deviate from vetted procedures and scheduling is performed well in advance.
Risk Assessment Methodology
The risk assessment methodology can be divided into four phases:
- The first phase: Cyber threat analysis to define the context of the analysis, by defining and modeling the space missions and considering all the possible threats they can be subject to, with particular attention to the new generation of cyber threats, as described in the following.
- The second phase: Identification and assessment of vulnerabilities to identify the potential existing vulnerabilities of the assets of the space mission classes and to define elementary threat scenarios.
- The third phase: Identification and assessment of risks to assess identified vulnerabilities, to evaluate the related risks, and to build attack trees based on the space mission architectures.
- The fourth and final phase: Definition of the necessary measures to counteract the threats and address the risk as defined in the previous phases, resulting in a set of recommendations and a mitigation plan.
Cybersecurity Threats and Vulnerabilities Examples
- Staying with the encryption example, there are certainly cyber-enabled ways to pose a threat to communications with cyber. Instead of waiting for supercomputers to crack encryption standards, if a Satellite Vehicle (SV) was compromised via a ground station terminal, an attacker would be utilizing the correct keys from the ground station and have no issue communicating with the satellite. Once the SV itself is compromised, the attacker could even delete or replace the encryption keys on the SV. Doing so would mean that the SV could no longer communicate with others in a mesh or the ground station since it would never make a successful communication handshake to establish encrypted communications. Worse if the attacker persisted in access to the ground station and kept the new key from the SV, the attacker would in fact be the only one able to communicate with the SV for as long as it went unnoticed on the ground. Impairing an SV’s ability to perform encrypted communications kills the mission window in the same manner that the encryption being broken would. Even if the attacker did not alter fail-safes such as a fallback to unencrypted communications, the SV may be too sensitive to talk to over unencrypted signals. An attacker could always remove or damage fail-safe scripts and components with privileged access to the SV. Even if they did not, simply continuously altering encryption keys on the SV from the ground station even with unencrypted fallbacks means the mission window would be severely hampered or altogether impaired by communication issues. Such communication issues could also cause the SV to not receive important instruction from the ground on altering course to avoid collision or de-orbit as well.
- The computerization of SVs in general and especially small satellites has meant that hardware modulators and demodulators and other antenna equipment have been replaced by software-defined radios (SDRs). These software-defined radios are essentially computers capable of shifting communications frequencies and communications attributes to match different incoming and outgoing communications requirements.
The downside for the SV regarding cyberattacks is that this SDR is also another computer, networked to other parts of the SV that could be pivoted to by an attacker and infected with malicious code. Once access to an SDR is gained, the attacker could actually alter what the SDR thinks is the correct frequencies and settings to communicate with the ground. Performing this attack and disabling safeguards that might reset the SV computers after so many days with failed communications would mean that to those on the ground, the SV would seemingly be unable to communicate or even be functioning.
- Cyber-attacks that create incorrect navigation data or hamper the ability to navigate allow malicious attackers to impact other aspects of the SV like the payload or to ultimately disable it. In the first example, the satellites’ ability to interpret GPS, star tracker, and sun sensor data can be altered such that it thinks it is facing the sun when it isn’t and vice versa. If this type of attack was successful, the inability to navigate correctly would mean that the SV would be unable to turn its solar panels toward the sun, because it would always be turning them away from it in reality. This means that there is no power production and the SV will stop functioning eventually. Disabling safeguards during the cyber attack, as in the other examples, means that even if enough power is accumulated while the vehicle drifts through space for it to turn back on when it does it will simply go back into its inaccurate behavior.
While GPS jamming attacks have been used in the past and are not necessarily considered a cyberattack, GPS spoofing is a cyberattack because of the manipulation of the GPS signal. GPS spoofing is far more dangerous than jamming as it appears that the GPS is working as intended. The trust in the device is not broken for a spoof, which is difficult to detect and becomes dangerous when dealing with critical systems. There are multiple ways to spoof a GPS satellite. One mechanism by compromising the satellite receiver and altering the output signal from the satellite. Another opportunity to spoof the GPS satellite is via a false data injection attack where an adversary uses a GPS signal simulator (whose success will be limited because it cannot always trick the receiver) or use a software-defined spoofer. Software-defined spoofers are more reliable. They work by inserting a barely detectable fake signal behind the true signal. Gradually, the power of the fake signal is increased to the point where the receiver thinks the fake signal is actually the real signal.
- Another example of a navigation issue posing a cyber threat to an SV is loss of control of guidance, navigation, and control. An attacker could gain access to the SV and, upon doing so, put the SV on a direct collision course with another space object. Doing this and making the SV unable to communicate with ground stations as discussed in the Communication section would mean that the SV would literally be destroyed in a collision with another space object. Performing this type of attack in a constellation or a mesh could pose a significant danger to multiple SVs as well.
- There are essentially two ways in which the de-orbit threat can be manipulated via cyber attacks. The first is to simply create the same non-cyber situation we just discussed. In this type of attack, the malicious cyber actor alters configuration data on the SV to either make it think the requisite requirements have already been met to demand a de-orbit take place or change the requirements themselves so that the de-orbit triggers early based on a new configuration.
The second cyberattack involving de-orbit is to burn propulsion or potentially leverage reaction wheels and torque rods to the point that the SV is in an unrecoverable orbit that will cause it to fall into Earth’s atmosphere ahead of schedule. In an SV with onboard propulsion, this can be done by burning through enough of the propulsion resources to get the SV so off course and falling toward the Earth at an inclination and rate which the remaining fuel cannot fix. In an SV where attitude and position adjustment is much slower using flywheels and torque rods, there would likely also be a need to try and prevent a correction from ground stations as this de-orbit attack process would take much longer.
Most systems and software generate logs including operating systems, Internet browsers, point of sale systems, workstations, anti-malware, firewalls, and intrusion detection systems (IDS). From a security point of view, the purpose of a log is to act as a red flag when something bad is happening. Reviewing logs regularly could help identify malicious attacks on your system. Given the large amount of log data generated by systems, it is impractical to review all of these logs manually each day. Log monitoring software takes care of that task by using rules to automate the review of these logs and only point out events that might represent problems or threats. Often this is done using real-time reporting systems that alert you via email or text when something suspicious is detected.
Being on top of logs means a quicker response time to security events and better security program effectiveness.
- Because of the difficulty in operating extraterrestrial devices from Earth, the risk if a cyber attacker was able to gain access to an extraterrestrial SV is very high. No complex code solutions or orbital calculations are necessary to damage or kill an extraterrestrial SV. All an attacker would have to do is tell the SV to drive off a cliff or into a cave at the end of a transmission with Earth. By the time those on Earth realize the SV was doing something they hadn’t planned on telling it to do, it is either unable to communicate ever again because it is in a cave out of reach of sunlight and signals or is in a hundred pieces in a ravine.
- In the cyber threat to deep space SVs, the SV is sent commands from a malicious attacker to send it in an unintended direction such that it might be lost from its operators on Earth. Moreover, if the attacker was able to execute malicious code on the SV itself, all it would take is a programming of a series of random maneuvers over the course of a few months to keep the deep SV from being found. In this instance even if the ground-based operators found it and attempted to plot its new course, it would be changing at random for a period that would likely cause it to be lost forever. Not to mention any of the already discussed threats, if implemented on a deep SV, would also cause an unrecoverable impact on the SV.
- Malicious cyber actors are probably the second most happy individuals regarding the digitization of things like radios as the space system operators themselves. With access gained via a cyber attack, an attacker could simply alter the filtering or frequency settings onboard the SV such that the sensing mission can no longer be accomplished. The attacker could even make the SV think it still had the correct settings but still impede the software-defined radio’s ability to recognize signals appropriately. In this situation, the SV is still operating seemingly normally, but its mission payload is unable to perform its functions. In a scarier situation, the cyber attacker could also start altering the files storing signal recordings themselves so that when they are downloaded by the space system operators, they show whatever the attacker wants.
- Imagining a terrestrial-based space photo sensor for monitoring purposes like a giant security camera faced at the Earth, it is easy to understand the ways in which an attacker may attempt to disrupt this specific mission. An attacker could prevent the feed or video recordings from being sent down to ground stations and consumed by the space system users by having the camera output sent to a non-existent location on the SV operating system file table so that it is never written anywhere in nonvolatile memory like the hard drive. More sophisticated would be an attack where older imagery collection is written over more current collection at certain points to hide ground activity and make it look like something is or is not happening despite what is transpiring within the area being monitored.
- A cyber attack against such a monitoring sensor could either change triggers in the sensor that cause it to record events like solar flares or again attack the data at rest post-recording while it is stored on the SV. An attack like this might mean significant vents out in space are missed or false positives become so numerous the mission cannot be run. In more warlike terms, such a cyber attack might be against a satellite used to detect jamming or other signals from other SVs orbiting the Earth. A cyberattack that impacted the sensor or data dissemination of sensed data from such SVs would mean that the space system operators might be blind to other nefarious acts such as jamming or other signal emissions out in space.
- The threat they pose to positioning systems in space, malicious adversaries launching cyberattacks can do something far more dangerous. Where non-cyber threats typically make positioning emitters unavailable or unusable, a cyber attack could make them provide false data. Triangulation off of multiple SVs in a positioning payload constellation is what is used for a receiver to determine location. If the SVs have incorrect data on their position, there is no way for accurate triangulation and any position information would be off. Worse yet would be an attack where incorrect data is manipulated with a purpose, say over a shipping lane, and causes many commercial and military vessels to run into each other or aground.
Cybersecurity, Artificial Intelligence, and Data
As cyber-attacks grow in variety, number, and complexity, there needs to be an equal response on the defense side with the adoption of autonomous defense systems which are capable of protecting against more advanced threats. Cyber-attackers are not only moving faster, they are adding new and innovative tools within their toolkits. As I discussed at the beginning of the article that with the world turning online, we are moving towards a future where cyber-threats increasingly threaten the safety of not just our data, but of our physical infrastructure too. The future of cyber-attacks is likely to rely on autonomous intelligent cyber-weapons and thus that an autonomous cyber defense is required, acting at the speed and scale of systems and attacks. AI-generated cyber attacks represent a significant potential challenge and may be able to breach secure information systems rapidly.
With the advancements in technologies, it is projected that the future certainly holds the reality of Artificial Intelligence-driven cyber-attacks, where malware can self-propagate through a series of autonomous decisions and intelligently tailor itself to the parameters of the compromised system in order to become stealthier to dodge detection. Autonomous Cyber AI may prove to be the best line of defense against future AI attacks. Because of an autonomous AI system’s ability to form a baseline and find threats based on seeing deviations from the norm on a network, it will be much easier to spot attacks even if they are using advanced methods because any attack will disrupt the normal daily workings of the network.
Artificial intelligence (AI) and data defense at the application level, rather than the network level, may feature prominently in the future of aerospace cybersecurity. In the United States, a Zero Trust Architecture (ZTA) for cybersecurity has been gaining traction. Each of the Department of Defense Service Cyber Components, including Air Force Cyber (AFCYBER), are developing and executing Zero Trust pilots to refine strategies intent to rapidly implement Zero Trust architectures and strategies across the Air Force.
Organizations need to be readying themselves for what is fast becoming a cyber arms race. Organizations need to shift their focus from post-breach response to early detection and autonomous response, which will generate a far more positive outcome for their organization and its stakeholders. Ultimately, digital transformation is happening at such a pace that AI, especially in the area of cybersecurity, is being recognized as a ‘must-have’ in enabling companies to stay ahead of unpredictable threats. And once attackers turn to AI to supercharge their methods, cyber AI will be our most fundamental ally.
The combination of AI and software-driven satellites leads to one more challenge, that is, the large amount of data generated by high-fidelity cameras and sensors. So, artificial intelligence at the edge is becoming more popular, as an example, Intel started using onboard processing to identify and discard cloudy images, thus saving about 30% of bandwidth. Satellites are used mostly to collect data and then beam it to the ground for processing. If we moved the processing to an edge model, where the satellite is applying some AI algorithm and then only sending the required information to the ground, it becomes more susceptible to attacks in orbit. It also makes the satellite a more attractive target since compromise of the satellite can lead to more covert compromise of the mission than before (when all you could hope to do is break/attack the camera).
Small Satellites and CubeSats
Recent advances in technology miniaturization enabled the space industry to build small spacecraft from readily available, low cost, low power, and compact commercial-off-the-shelf (COTS) components. Subsequently, this trend has inspired the development of a CubeSat concept. The CubeSat standard was created by Stanford and California Polytechnic State Universities in 1999, and it specifies that a standard 1U unit is a 10 cm cube (10×10×10 cm3) with a mass of up to 1.33 kg. A 1U CubeSat could either serve as a standalone satellite or could be combined to build a larger spacecraft. For instance, a 3U CubeSat will have a form factor similar to three 1U CubeSats combined. One of the main advantages of this standardization is to allow launch vehicle producers to adopt a common deployment system independent of the CubeSat manufacturer. Given the very successful nature of the smaller CubeSats such as 1U and 3U units, an advanced standard for larger (6U, 12U, and 27U) CubeSats was brought forward for enabling much greater CubeSat capabilities. Usually, small satellites are classified based only on their mass but in the case of CubeSat standard, the volume is also considered.
CubeSats considerably decrease the cost and complexity of development and launch as compared to robust traditional satellites with redundant subsystems, as evidenced by the observed dramatic increase in the number of CubeSat launches over the last decade. CubeSats could provide space exploration opportunities to small countries, educational institutions, and commercial organizations around the world by allowing them to develop and launch their own spacecraft with relatively modest budgets of a few hundred thousand dollars.
Over the last fifteen years, the small satellite industry experienced explosive growth and most of this growth comes from the nanosatellite class, in particular CubeSats.
To date, more than 1000 CubeSats have been successfully deployed in orbit by universities, private companies, and others for a variety of tasks including Earth observation, weather monitoring, radio transponder communications, biological experiments, and interplanetary missions, among others. But for all the benefits of CubeSat and the various successes of the individual satellite missions, there are also reasons for concern.
Cybersecurity in CubeSats
- The use of security controls also facilitates another risk factor. An attack that aims to drain a satellite’s power, e.g. creating lots of resource consumption, may lead the satellite to turn off security controls to prioritize power-saving efforts. This makes the CubeSats more vulnerable to other attacks because of their low power.
- Physical layer security achieved through information-theoretic models provides computationally unbounded security as opposed to cryptographic protocols with computational security. Reusing the physical layer features can decrease additional energy costs for security, as CubeSats cannot afford the additional silicon area, power consumption, and code space needed to perform the expensive mathematical calculations of cryptographic methodologies. Physical transmission techniques achieve security by exploiting the unpredictable features of a wireless channel through artificial noise, jamming, beamforming, etc.
- Securing small satellite platforms against cyber-attack poses challenges unique to the space domain. Once in orbit, software updates to the satellite (both security-related and otherwise) become more difficult and expensive. Any update must be highly assured with respect to software bugs. A crashed process can have dangerous physical effects if it manages a hardware device, such as causing an orientation failure that results in a thermal imbalance or inability to charge via solar panels. Should control of the satellite be lost due to a cyberattack, the lack of physical access to the system’s hardware makes it much more difficult for legitimate operators to reassert control than in an enterprise environment. Finally, the physical constraints of the space environment make it very difficult to recover from the result of a successful cyberattack, even if control can be regained. For example, if an attacker can cause orbit changes via firing of thrusters, that satellite may have insufficient fuel to recover even if the legitimate ground station is able to reassert control.
- Complicated encryption schemes may not be suitable for satellites due to the high Bit Error Rate and long delay of satellite links. Moreover, most of these solutions require a computational effort that could be not affordable for the CubeSats.
- Makers of these CubeSats, use off-the-shelf technology to keep costs low. The wide availability of these components means hackers can analyze them for vulnerabilities. In addition, many of the components draw on open-source technology. The danger here is that hackers could insert back doors and other vulnerabilities into satellites’ software.
- The highly technical nature of these satellites also means multiple manufacturers are involved in building the various components. The process of getting these satellites into space is also complicated, involving multiple companies. Even once they are in space, the organizations that own the satellites often outsource their day-to-day management to other companies. With each additional vendor, the vulnerabilities increase as hackers have multiple opportunities to infiltrate the system.
- The lack of a standard, usable cryptographic algorithm to secure communications to and from spacecraft is a growing concern, while not all CubeSats require encryption, many future CubeSats plan to incorporate propulsion making their potential comprise problematic and driving a need for encryption. The growth of the use of small satellites for military applications also drives the need for suitable cryptographic technologies for use on small satellites.
- While there are several scenarios that could potentially unfold, the most likely one to occur, should a hacker gain control of a satellite, is that it would be held for ransom. With limited actions they could take to combat the attack, satellite owners are likely to pay the ransom. The downside is just too great. Not just to the individual satellite being targeted, but to surrounding satellites as well. If one of these CubeSats is attacked and potentially knocked out of orbit, it could potentially start a chain reaction, damaging other CubeSats and more costly and important satellites. Given what we see today on the Internet with high-value targets being held for ransom, we are likely to see that trend become more mainstream in space.
Threat | Applicability | Description | Impact Example |
---|---|---|---|
Unauthorized control | Space segment, ground segment | A type of threat action whereby an entity assumes unauthorized logical or physical control of a system resource | Adversary assumes remote control of a spacecraft or ground system |
Corruption / modification of system and/or data | Space segment, ground segment, Link segment | A type of threat action that undesirably alters system operation by adversely modifying system functions or data. Subtypes: “tampering,” “malicious logic,” “hardware/software error” | A corrupted spacecraft command could result in a catastrophic loss if either no action occurred (e.g. a command is discarded) or the wrong action was taken onboard a spacecraft |
Interception of data | Space segment, ground segment, space-link communication | A type of threat action whereby an unauthorized entity directly accesses sensitive data while the data is traveling between authorized sources and destinations. Subtypes: “RF analysis,” “wiretapping,” “theft” | Interception of data may result in the loss of data confidentiality and data privacy if the data is not encrypted |
Jamming | Space segment, ground segment, space-link communication | A type of threat action that attempts to interfere with the reception of broadcast communications. Adversary can deny RF communications to/from spacecraft by injecting noise, by transmitting on the same frequency from another source, or by simply overpowering the original source | Spacecraft commanding, as well as the ability to receive science or engineering data from the spacecraft, could be blocked. Authorized access may be impacted |
Denial-of Service | Space segment, ground segment | The prevention of authorized access to a system resource or the delaying of system operations and functions | Consumption of resources (e.g., communication bandwidth, processor bandwidth, disk space, memory), disruption of system/network configurations (e.g., routing changes), disruption of state information (e.g., persistent network connection resets), disruption of network components (e.g., router or switch crashes), or obstruction/destruction of communications paths |
Masquerade | Space segment, ground segment | A type of threat action whereby an unauthorized entity gains access to a system or performs a malicious act by illegitimately posing as an authorized entity | If an external entity can masquerade as a spacecraft operator; unauthorized commands could be transmitted to the spacecraft resulting in damage, data loss, or loss of a mission |
Replay | Space segment, ground segment, space-link communications | An attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by a third party who intercepts the data and retransmits it, possibly as part of a masquerade attack | If the replayed commands are not rejected, they could result in a duplicate spacecraft operation such as a maneuvering burn or a spacecraft reorientation with the result that a spacecraft is in an unintended orientation |
Software threats | Space segment, ground segment | Misconfigurations, programming errors, installation of malicious/unvetted software, and exploitation of vulnerabilities by threat agents | Loss of data, loss of spacecraft control, unauthorized spacecraft control, or loss of mission |
Supply Chain | Space Segment, Ground Segment | Attack in which extra electronic/electrical components to Printed Circuit Boards (PCBs) schematics or layouts. Malicious firmware is added to embedded systems’ microelectronic devices | Covert control of the power controller of the system management bus (SMBus) of a PCB would allow a threat agent to interfere with the communications of ground segment systems and space system sensors |
Mitigation Strategies
- Securely Parse and Ingest Data
Mistakes will be made when code is written, and larger codebases have room for more mistakes. Mistakes on the “edge” of a program where it interacts with data from other programs are particularly harmful. Designers should minimize and simplify interfaces between components of a system. This leaves less room for a data consumer to make a mistake that could lead to vulnerability. This includes the message, network, and Application Programming Interface (API)-level interactions. Several of the following strategies build upon this basic concept.
- Surface/Component Minimization
In the spirit of secure parsing and ingestion, the overall size and complexity of the system should be minimized. Remove unneeded features, libraries, modules, and other code that is not necessary for the system. Identify and aggressively minimize “trusted” components without which the system will fail to operate. These components should receive intense scrutiny during the design process to understand and limit the effects of their failure if compromised.
- Component Isolation
Software generally has two types of interfaces: customer-facing interfaces through which it sends/receives commands and data to other software, and system-facing interfaces through which it manages the accesses and resources needed to get its work done. The system-facing interfaces are often library APIs and operating system APIs. Those libraries and operating systems can be viewed as “sandboxes” designed to contain the software and ensure it doesn’t disrupt other functions on the system. The principles of secure parsing, ingestion, and surface minimization apply when interacting with the system-facing world as well.
- Data Protection
Designers should protect data as they move through mission systems. Protections typically focus on confidentiality, integrity, authenticity, “freshness” (including replay protection), and non-repudiation. These data include key material, credentials, communications to/from the terminals, and metadata about those transfers, such as the geographic locations of terminals. Some data that may not require protection for mission needs could nevertheless benefit security if protection is implemented.
- Authentication and Secure Control
Developers should provide means to remove unauthorized data flows and ensure that command/control (C2) messages are only accepted from authorized entities. Authentication and secure control are important components of a system and of all of the other systems that interact with it. Ensure the system can accurately measure and report its internal state to appropriate parties for monitoring and remediation. This is a blend of surface minimization and data protection, used to “bind” data to specific entities and enforce relationships between them.
- Randomize, Diversify, and Adapt
Where possible, create system diversity without increasing configuration and management burden. Diversity makes it more difficult for an adversary to achieve a “break once, break all” attack and requires the adversary to use more complicated attack vectors to overcome the moving-target nature of the system under attack. Ideally, engineer the system to automatically recognize which moving-target options are vulnerable to observed attacks, migrate to an immune option, and eschew the vulnerable options in the future. In the electromagnetic (EM) world, adaptive frequency hopping is the canonical example: the system automatically adapts to the EM spectrum by avoiding noisy channels, and it randomly jumps between clear channels to make it more difficult for the adversary to target the transmission.
- Rapid Replacement and Reconfiguration
Ensure the system can be easily reconstituted in case of compromise, failure, or discovered vulnerability. When a vulnerability is discovered, ensure that the vulnerable component(s) can be rapidly and safely replaced. When an attack succeeds and mitigation is attempted, adjustments need to be made to ensure that the attack that took the system down won’t succeed a second time, and it must then be brought back into service as rapidly as possible.
- Create New Space Asset-specific Standards
There is no lack of cybersecurity standards and best practices available for developers to follow when attempting to design and develop secure systems. Many of these standards like the National Institute of Standards and Technology (NIST) Cybersecurity Framework are well-documented and widely adopted in some form. Another such framework is the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program for identifying, prioritizing, and mitigating cybersecurity risks of government networks and systems. Most space systems’ security can benefit from using these standards. In some cases, these standards may not apply to the specific technologies used in space systems. For these systems, space asset organizations should create new space asset-specific standards and best practices so that security can be applied consistently across organizations. Vendors of space asset organizations should also be held to these standards. This should involve explicit testing and demonstrations that vendors of space asset organizations must conform to when building and selling components to a space asset organization.
- Cryptography for New Space
Novel cryptographic mechanisms are emerging in the satellite industry. Navigation message authentication (NMA) is an authentication mechanism to provide authenticity and integrity of the navigation data to the receiver. NMA can use both or either of the symmetric/asymmetric key encryption approaches to achieve this goal.
Conclusions
Small satellites enable a wide range of applications, including Earth and space exploration, rural connectivity for the pervasive IoT networks, and ubiquitous coverage. Current smallsat research is mostly focused on remote-sensing applications. Unfortunately, few efforts have been made to offer cybersecurity solutions for smallsats. Therefore, in this article, I have reviewed the literature on various aspects of cybersecurity and particularly CubeSats. I also outlined several significant future research challenges. This article is a good starting point for the governmental, academic, and industrial researchers focusing on providing cybersecurity solutions for smallsats.
I believe security can no longer be an afterthought, some sort of standard or guidelines need to be established to ensure better satellite safety. One thing is for certain: the escalating risks surrounding satellite vulnerabilities are simply too great to ignore any longer. As more and more satellites, both large and small, make their way into space, the likelihood of a significant satellite attack increases. I can conclude the article in a few points CubeSats are IoTs in space. Despite smallsats and CubeSats being small, they are still highly calibrated machines that are sensitive to attack. The types of attacks against them are not significantly different from attacks on other cyber-physical control systems.