Non-cyber Threat to Confidentiality

Many times, the ground station dishes are covered by radomes. This is a ball-like structure that encapsulates the antenna and allows it to pivot and rotate within the structure without impedance. In most cases this is done to protect the antennas and prolong its operational life in climates with more severe impact. The added benefit is that from the naked eye and optical observation, the direction the antennas points and the way it slews to keep lock on spacecraft as they pass overhead is also obscured.

This keeps the potential SVs the ground station communicates with much more difficult to determine without other information and can keep certain portions and aspects of the space missions being conducted out of that ground station confidential. A compromise of this confidentiality either by damage to the radome or other detection techniques used to identify the pointing and tracks of the dish motion could divulge otherwise sensitive information about the operations and purpose of the organization using the ground station.

Cyber Threat to Confidentiality

The cyber domain can also be used by an attacker to gain access to a ground station and determine the exact locations of the SVs being communicated with by reading such data straight from the positioning and communication equipment attached to ground station computers. This means that even with a protective radome, the confidentiality of the space system movements would be nonexistent. This could impact very important operations by those flying the space system. Say, for example, a SV was being jammed over the same location every time it passed overhead and it was preventing successful mission execution in that area.

The assumption would be the enemy has predicted the path of the SV orbits and just jams when it is overhead. If the operators were to communicate with that satellite to have it alter course slightly in an effort to avoid the jamming, the information the ground station used to track and communicate with it on the next pass would reveal the new orbit information to the attacker who has compromised the ground station and could be used to reposition jamming resources. There are obviously other ways of locating the satellite via radar and other technologies, but this example nonetheless shows a way that confidentiality of flight operations can be compromised.

Non-cyber Threat to Integrity

There are numerous non-cyber threats to the integrity of ground station operations. Whether they are the flight operations of the spacecraft, the execution of its payload, or the receipt and dissemination of the space system data, non-cyber threats boil down to physical security. Space operations require difficult training and are conducted by skilled professionals to avoid irreparable damage being done to the SV or its payload from improper commands being sent to and executed by the SV. Any compromise to physical security which protects the consoles used by the space system operators is a risk to the integrity of those operations, and as such physical security must be commensurate with any other efforts to reduce risk to the space system.

Cyber Threat to Integrity

The cyber threat presents itself to ground station operations beginning at the console where an insider threat or a remote attacker may execute commands from the cyber domain. These remote commands are unauthorized just as those that might be run by an adversary who broke through physical security barriers to attempt to alter or compromise space system operations would be. Just as physical security must be used to control who can access control terminals for space systems, the permissions and restrictions of various users on those systems must each maintain appropriate swim lanes within the system so that users can only execute the commands they are knowledgeable on and responsible for. If the same organization houses the ground station, SV flight operations, and payload operations, the users responsible for flying the spacecraft probably don’t need permissions to execute commands tasking the payload and vice versa. Controlling these actions via permissions and user account settings as well as keeping up to date on security issues in an effort to avoid unauthorized escalation of privileges via local cyber attack should all be employed to maintain the integrity of ground station space system operations at the terminal or console level.

Non-cyber Threat to Availability

The non-cyber threat once again boils down to the physical environment around the ground station. This means planning ground station locations not only to allow for sufficient communications with the SVs as they orbit but also to avoid potentially hazardous environments and locations with likely natural disasters. Additionally, another consideration for ground station location should be protectability. Many space systems are operated by military or defense organizations and serve warfighting and intelligence-gathering activities. Beyond that, many civilian-utilized space systems enable search and rescue, emergency communications, and other vital assets. If the ground station is located in an area where protection from adversaries isn’t available, then the ground station operations, at least from that particular ground station, will remain at an elevated risk level.

Cyber Threat to Availability

The cyber domain–based attacks that could impact or negate ground station operations are only limited by the imagination, resources, and access of the attacker. The ground station side of space system operations is the most accessible attack surface to cyber attack, and though it has the greatest access to security capabilities, it poses the most significant impediment to a strong risk posture. An adversary could leverage a cyber attack against many different supporting systems to reduce the availability of a ground station to the overall space system. An attacker could breach the fire prevention and control system of a building and make it think there is a fire in the operations room, soaking the computer systems of the ground station in water and damaging them severely. The attacker could attack the heating, ventilation and air conditioning (HVAC) systems of the building housing computing equipment and crank up the heat in hopes of damaging the ground station equipment that way; power sources to the building running the space operations equipment could be disabled via cyber attack. These and other support systems that have impact on availability of a space system are not as likely to get the cybersecurity focus that, say, control terminals for the flight and payload computers might, and this is a huge potential blind spot in the security posture of a space system that must be addressed with the same scrutiny as the easily identifiable, directly space system tied, computer equipment because the effect can be the same or worse in efforts to compromise them and ultimately compromise space system availability.

Non-cyber Threat to Confidentiality

In a non-cyber attack example, the issue of improper dissemination can be as simple as mislabeling disseminated information with the wrong classification or sensitivity or handling instructions which could result in unauthorized individuals gaining access to data they should not because those handling the mislabeled data are protecting it based on inappropriate dissemination rules. Mischaracterization aside there is also a potential for mistakes to result in data being sent to the wrong individuals via data streams or even emails. In such an instance, if someone without a need to know or appropriate clearance received the data, there would be a breach in the appropriate confidentiality of that data, but at least that person could be informed of how to properly protect and handle such information after the fact due to it being labeled appropriate but sent to an unauthorized person.

Cyber Threat to Confidentiality

Via a cyber attack, a remote malicious actor may be able to compromise the workstations where analysis is conducted and gain access to either raw data from the SV or data that has very specific dissemination controls. In either case this access to the workstation and likely exfiltration of sensitive data to adversary networks represent a loss of that data’s confidentiality and illustrate that many devices involved in a space system operational pipeline can impact even the SV. As we discussed, raw or improperly characterized information from the SV might reveal how it is actually collecting that data. If an adversary or competitor were to get that information via a cyber exploitation and exfiltration, they could all together avoid the SV capabilities that target them which essentially makes portions or the entirety of a given mission forfeit.

Non-cyber Threat to Integrity

In many forms of analysis of collected data, specifically imagery or video data, whether from a space collection asset or one on Earth, a human is often involved in identifying objects within that image or video. Though there have been advances in machine learning and artificial intelligence to help aid such determinations, the final decision of what is being seen in the image often comes down to being made by or verified by human eyes. This means that there is still room for error. If a human analyst mischaracterizes an image as something it is not and then passes that information on for dissemination, the integrity of the space systems final product cannot be maintained. This could be as innocuous a mistake as incorrectly identifying a geologic land feature while passing satellite imagery off to topographers to utilize in mapping to something as dire as mistaking a minivan for a tank when passing off targeting imagery to an artillery battery. Once again, though far down the chain from the actual SV taking the images, these types of mistakes can impact the overall perceived effectiveness and accuracy of the space system itself and its mission.

Cyber Threat to Integrity

Unfortunately, with the preceding analytics often taking place on a computer, there is attack surface open to hackers to gain access and alter the resulting data that gets sent for dissemination. If you remember when we talked about threats to sensing payloads, there are two ways that remote exploitation and code execution that change these systems can impact the end product. First an attacker could alter the raw files before the analyst got and reviewed them to say hide something like a dank by changing the pixels that show the tank to match those of the terrain around it. The other method involves altering the reporting after the analyst reviews it to change their determinations. Either way the integrity of disseminated analyzed data would lack integrity and be unreliable or misleading.

Non-cyber Threat to Availability

Any number of things can happen to limit the ability for analysts to continue accessing available raw data from a space system and ultimately hand it off for dissemination. It is unlikely that the ground station that pulls signals down is in the same room or even building where analysis of that data may take place and something as simple as a cut fiber line between said buildings could eliminate the availability of that data for analysis for long periods of time. Even in a situation where backup communication methods or hand couriering data is an option in emergency, it may affect the timeliness of data, and if that data is involved in a military operation or search and rescue, it might not meet mission requirements for relevance due to its age once analyzed.

Cyber Threat to Availability

Raw data from a SV and analyzed data waiting to be disseminated are likely to be data at rest for some amount of time along the way, and this data at rest is another way an attacker can go after the availability of space system information. The installation of malware that deletes certain types of files such as images or corrupts entire databases all together could set back the ultimate production of SV data used by customers for hours, days, or weeks. Each step along the path from download from the SV to analysis and dissemination includes locations where the data is stored on a hard drive and can be deleted by a cyber attacker with enough access. Again, if the space system as a whole is not producing data because it was deleted somewhere along the way before being disseminated out of the space system organization, then the overall mission of the space system is being strategically impacted in a similar fashion to if the SV itself had physical damage impeding payload execution.

Non-cyber Threat to Confidentiality

Just because consumers are asked to request SV collection in a certain way and to follow certain rules in doing so does not necessarily mean that the human beings doing the consuming follow those rules 100% of the time or don’t make mistakes or purposefully inappropriate requests. When an inappropriate request is made from a consumer and goes improperly verified by the space system, it could result in a product being returned to the consumer that gives them information they are not supposed to know, or which is illegal or sensitive. Imagine someone who had access to request collection from an imagery satellite was tasking the satellite to take pictures of his or her vacation home instead of the targets they were authorized to ask collection of photos on. This would be a break of confidentiality of the data the space system can produce by essentially requesting unauthorized information from the space system.

Cyber Threat to Confidentiality

In a similar but cyber-based compromise of the requesting process, a cyber domain–based attacker may be able to get access to unauthorized collection from a SV by exploiting the systems of one of the organizations that consumes its data and not have to go after any system under the operating organization at all. In this situation the hacker has violated the confidentiality of the system by breaching the expected privacy or control of data that gets sent to consumers. This is done by inserting him- or herself using interactive access gained on a computing system at the consumer organization to ask their own tasking of the SV. This could be to simply gain intelligence via the payload mission method on the SV or gain information about that actual payload’s capabilities.

Non-cyber Threat to Availability

Depending on the space system or systems involved, there is likely to be a question of prioritization. SVs are expensive and often perform important missions for consumers on the ground. Take an imagery satellite, for example, that takes pictures over a particular area of interest. The consumer base for such a system might be multiple government organizations, military units, and intelligence functions. This is the same of a civilian space asset that takes imagery. Such imagery could be useful to anyone from farmers to law enforcement or even surveyors and map makers. Adequately prioritizing the collection tasked to either of these imaging satellite examples should be done in a way that produces the most cost benefit overall in many cases.

This might mean that a farmer rarely gets priority to have pictures taken if law enforcement use is heavy during a certain period. It could also mean that certain military units never get images from a satellite because an important intelligence mission is ongoing. In either case and no matter how this tasking is prioritized, there is potential that the SV may be essentially unavailable to some of the customers to task and that some may almost always have priority. There are chances that choices to build more ground stations or launch more satellites could mitigate such an issue, but when that is not an option, availability concerns for all consumers will have to be balanced by a third party or perhaps the space system organization itself to attempt to optimize availability.

Cyber Threat to Availability

From a cyber perspective, the need for adequate prioritization of consumer collection tasking to enable successful availability of a space system to all consumers affords one last attack surface from which the cyber domain could lead to an impact to the space system by preventing one or more customers from getting the data they need. Malware could be used to alter tasking requests from a certain consumer after they are written to lower the labeled prioritization such that they never end up getting processed by the space system itself. In situations where a third-party organization handles prioritization and ordering of tasking from multiple consumers to a space system, that organization itself is also a target adversary hacker could seek to exploit and attack.