Last August, the Air Force and DOD’s Defense Digital Service ran a competition intended to spur interest in aerospace cybersecurity. The challenge was called “Hack-A-Sat” and hackers were able to take control of a satellite. While it was a controlled event, the hackers demonstrated why protecting space-based assets from cyberthreats needs to be a new priority.
The national security community believes it is only a matter of time before the nation-states move their cybersecurity wars to “space”-based assets like satellites. The purpose of targeting satellites would be an attempt to disrupt communications or information streams vital for commerce and security. China, Russia, and other nation-states possess the capabilities already to do a cyber-attack on the high frontier.
In 2014 the network of the National Oceanic and Atmospheric Administration was hacked by China. This event disrupted weather information and impacted stakeholders worldwide. (1) There were approximately 14 other satellite attacks before the NOAA attack. (2) This one was not a new realization for cyber-defenders.
The threat is both kinetic and non-kinetic. There is an array of capabilities adversaries may use to interfere or disable space-based assets. Dr. Malcom Davis, senior analyst at the Australian Strategic Policy Institute, summarizes these threats: “Counter space capabilities are emerging in the Chinese and Russian militaries. One trend is towards the development of ground-based and space-based (co-orbital) ‘soft kill’ (or non-kinetic) ‘counter space’ capabilities. Satellites could be targeted through electronic warfare (jamming and spoofing), microwave weapons, laser dazzling and, perhaps most worryingly, cyberattacks. The prospect of cyberattacks on satellites dramatically expands the scope and risk of counter space threats for a number of reasons. Countries like China and Russia, and even Iran and North Korea, are highly experienced in waging cyber warfare, and directing such attacks against satellites is something they could do now, and at relatively low cost.” (3)
Why satellites and why now? Principally because our networks are changing from terrestrial (land) based communications to the cloud, taking advantage of satellites to move data over large, international distances. Second, there are more satellites circling in low earth than ever as launch costs have significantly lowered, which has created more targets and thus a wider attack surface for hackers to potentially attack both in space and at land-based control centers.
Bill Malik, expert on satellite cybersecurity and vice president of infrastructure systems at cybersecurity firm Trend MicroOne, recently noted, “The threat is clearly growing, First, the cost of jamming and control-takeover technology is dropping, and the benefits to hackers (whether criminals or nation-state actors) is growing. More sophisticated supply-chain attacks could harm food production (by tampering with crop observations — drought (leading to over- or under-watering), insect or blight infestations (leading to incorrect application of pesticides), harvest times (leaving foodstuffs to rot, or be harvested too early (impacting yield and causing price instability in futures markets).” (4)
Increased global connectivity to industry verticals combined with the nationwide rollout of 5G communications may even create more of an opportunity for hackers to intercept space-bound communications.
“Battening down” space-based assets and terrestrial control networks
Though there are few clear rules of the road on space-based and terrestrial-based control networks, it is clear that many rules of the road for terrestrial-based networks (of whatever sort) have not significantly changed just because they interact with satellites.
We set forth below a non-exclusive list of security elements for defending space-based assets and satellites, along with ground-based control flight networks. We have adapted these from “Defending Spacecraft in the Cyber Domain” and government sources. (5)
- Security by design – not security as an afterthought – built into every satellite from the ground up.
- Identity and access management (“IAM”) – those accessing flight control information and surfaces need to be identified and verified by an IAM solution that will pass muster on the user using machine learning identifiers to attempt to prevent authorized access to critical vehicle functions.
- Multi check for IoT related devices – IoT devices must be able to be updated; no hard-coded passwords should be allowed.
- The backbone of a cyber-resilient spacecraft should be a robust intrusion detection system (IDS). The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states, anticipate and adapt to mitigate evolving malicious behavior. The spacecraft IPS and the ground should retain the ability to return critical systems on the spacecraft to known cyber-safe mode. Logging should also be available to cross-check for anomalous behavior.
- It is critical that spacecraft developers implement a supply chain risk management program. They must ensure that each of their vendors handles hardware and software appropriately and with an agreed-upon chain of custody. Critical units and subsystems should be identified and handled with different rigor and requirements than noncritical units and subsystems, and should also be constructed with security in mind. All software on the spacecraft should be thoroughly vetted and properly handled through the configuration management and secure software development processes (DevSecOps).
- Both the spacecraft and ground should independently perform command logging and anomaly detection of command sequences for cross validation. Commands received may be stored and sent to the ground through telemetry and automatically checked to verify consistency between commands sent and commands received.
- Protections should be made against communications jamming and spoofing, such as signal strength monitoring and secured transmitters and receivers; links should be encrypted to provide additional security.
Security elements for defending ground-based systems and network assets include but are not limited to:
- Adoption of cybersecurity best practices, including those aligned with the NIST cybersecurity framework (“CSF”). As academic professors and pragmatists, we both are strong supporters of the CSF and see no reason why the hundreds of space and satellite suppliers should not adopt the NIST framework.
- Key network components should be logically and physically separate to prevent virus-like (ransomware) attacks from spreading throughout the network.
- All ground-based system and network assets should be required to have the following policies in place: incident response, business continuity and crisis communications plans, patching policies, BYOD policies and backup policies.
- All ground-based space systems and facilities should be required to hold quarterly employee training for all individuals on things like spear-phishing and socially engineered email attacks.
- All ground-based space systems and facilities should be required to adopt a fulsome vendor supply chain risk management program that touches all primary and tertiary vendors.
- All ground-based space systems and facilities must adopt machine learning intrusion detection systems to help guard against anomalous and potential malicious activity.
- All ground-based space systems, facilities, and space manufacturers and vendors should be required to join the Space ISAC in order to be able to collaborate by sharing threats, warnings and incident information.
Should there be cybersecurity regulation for space-based systems?
We note that at least for the moment the lists we have outlined above of “should haves” and “must haves” are completely voluntary. Even the presidential memo, Space Policy Directive 5, is merely a directive that does not have the force of law or regulation. There is a huge national defense component of our race “back into space.” There also is a huge spending component of the space race as well. Indeed, in the United States, the FAA (2018) estimated the U.S. space industry was valued at approximately $158 billion in 2016. Similarly to Canada, satellite communications reportedly lead the space sector in the United States; specifically, satellite services, manufacturing, ground equipment, and launch services (FAA 2018). The DOC Bureau of Industry and Security (2014, 3) estimated employment for the “U.S. space industrial base” was over 2.6 million workers in 2012. See “Measuring the Value of the U.S. Space Economy.” (6)
Given these facts and figures, we would suggest that the “Space Systems” industry adopt, if not require, participants to partake in a DoD-inspired CMMC-like regulatory model to create rigor in space cybersecurity requirements. There is way too much at stake here to allow lax security to potentially jeopardize our national security and perhaps the health and safety of dedicated space workers.
What is clear is that protecting space-based assets from cyber threats is a national security imperative. As we invest and continue to build the satellite backbone that will guide our safety and economic well-being for the next decades, security by design cannot be an afterthought.
See “Cybersecurity and Space Security,” available at https://www.thespacereview.com/article/3950/1 (“Cybersecurity and Space Security” article)
See Attack Vectors in Orbit: the Need for IoT and Satellite Security, (RSA presentation), chart available at https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13692/MBS-W03-Attack-Vectors-in-Orbit-The-Need-for-IoT-and-Satellite-Security.pdf
See “The Cyber Threat to Satellites,” available at https://www.realcleardefense.com/articles/2019/09/09/the_cyber_threat_to_satellites_114731.html; Cybersecurity and Space Security article at p. 2 (explaining the difference between Kinetic and non-kinetic attacks on space-based assets)
See “The NSA is studying satellite hacking,” available at https://www.defenseone.com/technology/2019/09/nsa-studying-satellite-hacking/160009/; “Securing the final frontier: Why space systems need cybersecurity too,” available at https://www.kaspersky.com/blog/secure-futures-magazine/cybersecurity-space-exploration/31581/. (“Although residing in the vacuum of deep space makes them less vulnerable to physical attacks, space-based systems are still ultimately controlled from computers on the ground. That means they can be infected just like any other system.”)
See https://aerospace.org/sites/default/files/2019-11/Bailey_DefendingSpacecraft_11052019.pdf and the “Memorandum on Space policy Directive- 5 – Cybersecurity Principles for Space Systems,” available at https://www.whitehouse.gov/presidential-actions/memorandum-space-policy-directive-5-cybersecurity-principles-space-systems/ (“SPD 5”) as much of the information in this space is “all over the map,” if it exists in one place at all.
Paul Ferrillo is a partner at the law firm of McDermott Will & Emer. He focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters, and corporate investigations. He is also a Adjunct Professor at Florida State University College of Law, and the current Director of the New York Chapter of Infraguard. Paul is author of the books Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives and Navigating the Cybersecurity Storm: A Guide for Directors and Officers
LinkedIn Profile: https://www.linkedin.com/in/paulthecyberguy/
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert Cybersecurity and Emerging Technologies. He is Adjunct Faculty at Georgetown University in the Cyber Risk Management and Applied Intelligence programs. During his career, Chuck received two Presidential Appointments, and served an executive for several leading public companies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He is also a Visiting Editor of Homeland Security Today.
LinkedIn Profile: https://www.linkedin.com/in/chuckbrooks/