Once the space system is past its pre-operational phases and begins its operational life cycle, threat vectors that present risk to the system as a whole are now both in space and on the ground. In the next chapter, we will walk through scenarios involving operational specific vectors for space system threats. This chapter focuses on communications as a vector which are a constant battle between implementing appropriate security standards and practices and allowing for the operability that the intended mission and its customer required to justify developing and flying a space system in the first place.
Between Ground and Space
With the earliest of space-based systems, there has been a communications link in one form or another between the operators on the ground and the space vehicle (SV) in space. This has matured over the years and our understanding of radio frequencies and ability to build more efficient antennas have increased. In addition to communications-specific technologies like antennas and frequency modulation and demodulation, there has also been a digital evolution where the communications link between a ground station and a SV is computerized and as such allows more flexibility and functionality and presents a more dynamic and at times accessible cyber attack surface.
Confidentiality
Confidentiality of communications in general is a classical security problem where communications between two or more parties are understood to only be known to those parties. There is an assumption that no one besides the known communicating parties is listening and there is an expectation of privacy. Communications between ground stations and SVs have the same hopeful assumption that other parties can’t talk to the SV and that other parties cannot receive data from the SV.
Non-cyber Threat to Confidentiality
A non-cyber but technical-related risk to the confidentiality of ground-to-space communications is one that plagues communications in general. Poorly implemented encryption puts confidentiality at risk and gives the communicating parties a false sense of privacy and security within which they will operate until they are informed that the supposedly secure encryption they are operating within is actually compromised.
Encryption technologies and the technologies that break encryption are in an arms race as old as protected communications themselves. Earliest examples in use by historic military and political organizations were extremely low tech, involving only written language. There will certainly come a time where the encryption standards of today will become as trivial to break as the original wireless encryption protocol which can currently be broken using a pen, paper, and simple arithmetic. As such, encryption needs to be viewed more as a speed bump so that whether due to poor standards, implementation, or the eventual computational obsolescence of the encryption, the communicators are prepared to change course when their private communications are no longer secure.
There is added danger to ground-to-space communications with regard to encryption resilience since unlike over wire and other mediums, the communications, though encrypted, are constantly being transmitted across the air for anyone to listen to. This means the encryption exposes itself to extremely large and regular communication sessions that might allow an attacker to determine patterns and break the encryption.
Cyber Threat to Confidentiality
Where supposedly private and secure communications are at some point eventually going to lose that privacy, the cyber domain allows an attacker with sufficient access to create that moment whenever they need to. Ignoring attacks against keying and encryption we already covered in Chapter 5, “Threats to the Vehicle,” and Chapter 6, “Threats to the Mission,” there is a capacity to force a SV or even a ground station into a less secure or sophisticated form of communication. There are configurations where space systems employ backup forms of communication that use different frequencies, technologies, and potentially beacon and transmit in the clear. Though these backup communication vectors are often limited in their access to other functionalities on a SV, an attacker with interactive access to a space system could trick the SV into switching over to less secure fallback communications which are then exploitable from the ground or other space-based receivers and transmitters.
Integrity
For the sake of this chapter, we will outline the integrity of a communications stream as the ability for that communications stream to maintain truth in the data it sends and receives. If data can be injected or altered as it passes between two communications nodes, then the link between those nodes and potentially the nodes themselves cannot provide integrity in communications.
Non-cyber Threat to Integrity
In a non-cyber sense, this could be in a follow-on fashion to a failure of confidentiality. Once another party has compromised the confidentiality of communications stream and has the ability to listen to communications, they are also potentially able to then send unexpected or unauthorized communications back across the space system. In this way the integrity of that system communications link would be compromised. If at times the SV was unable to determine what commands were coming from legitimate operational sources and which were coming from enemy ground stations that had the ability to communicate with the SV, it would no longer have a reliable integrity regarding its tasking and ground-to-space communications.
Cyber Threat to Integrity
An attacker who leveraged the cyber domain and had access to one or more members of a satellite mesh would be able to potentially direct those satellites to receive tasking not only from the operators in the ground station but from an attacker-owned one. In this way, by setting a compromised satellite to listen for and receive tasking from a rogue access point, in this case an enemy-based ground station, the integrity of the communications and tasking across the mesh would be compromised, and commands could be permeated through the mesh via this method as well as using it to offload mesh gathered data as well. Unlike the non-cyber example which required a compromise of confidentiality for this to happen, the cyber example actually enables a widespread compromise of confidentiality.
Availability
Availability of communications is the ability to make and maintain communications streams between the ground and SVs in a space system. Without such availability, a space system cannot intuitively operate. Even in a system such as Sputnik, which simply broadcasts a radio signal, it was only considered to be functioning for as long as that signal was able to be detected and received on Earth. More complex systems are no different and in nearly all modern instances require bidirectional communications availability between the ground and flight systems as well as in many cases the payload for tasking and data offload.
Non-cyber Threat to Availability
We have covered aspects of jamming and their threat in general to space systems; the communication vector between the ground and SVs presents a well-rehearsed attack avenue against space systems. Terrestrial-based jammers have infinite power in comparison to the SV itself, and larger and purpose-built jamming SVs also in orbit above the Earth have capabilities allowing them to inhibit communications. In any scenario where jamming is successful enough at degrading or preventing communications between the ground and space, it means that tasking can’t be taken, course corrections issued, or valuable intelligence and data offloaded to the ground and consumers. Jamming can affect not only the maintaining of a communications stream but also strictly target the initial handshake which establishes the communications stream to begin with.
Cyber Threat to Availability
Software defined radios allow cyber attackers to attack via communications from either the ground or the SV. Where both likely utilize SDRs to configure, send, and receive signals across their antennas, an attacker could alter the configurations of those devices to attack the communications stream and alter its ability to maintain strong lines of communication. An attack against the SDR at a ground station, or aboard the SV or both, could be done in a way that it isn’t a complete shutdown of communications that would incur an immediate incident response action by the operators but could involve slow and low levels of degradation that simply made the communications stream between one or several ground and space systems spotty and therefore cause the operators to direct communications to other ground stations and impact the coverage and persistence of the SV or mesh of vehicles due to an operational avoidance of an issue-riddled ground station.
Between Space and Space
Space-to-space communications will present an increasingly impactful vector for risk and attack exposure to space systems. As the prevalence of meshed SVs is utilized to accomplish various missions, the communications across that mesh will increasingly be targeted in the same way ground-to-space communications are as well as in novel and specific ways to constellation and mesh configurations. Space-to-space communications may involve many low Earth orbit satellites communicating with each other, or even a less peer to peer but hub and spoke type architecture where lower orbit satellites all communicate up to higher orbit ones which then pass the signal around the Earth and/or to the ground.
Confidentiality
Confidentiality in space-to-space communications is essentially identical to the ground-to-space confidentiality needs and issues and has many of the same pitfalls. The main difference being that a rogue access point to a satellite in the ground-to-space scenario involves a terrestrial ground station not owned and operated by the space system owner being leveraged to perform unauthorized communications with the SV. In a mesh or constellation scenario, the rogue access point is a compromised or outside SV maneuvered into place and set up to alter communications flows within the mesh architectures.
Non-cyber Threat to Confidentiality
A non-cyber issue that presents itself in the space-to-space communications threat vector involves architectural and protocol-based decisions. If space systems are not configured to speak in a point-to-point fashion but rather leverage broadcast capabilities to attempt to communicate to and from all points in the mesh at once, it would be ineffective and risky. Not only does that expose all mesh communications to essentially open air collection by other SVs or even ground stations but it would be exhaustive to onboard power budgets to try to send and receive communications from and to all devices all the time. This is also not considering the challenge to implementing a tasking and communication protocol across such a transmission medium. There is also the similar situation of protocol for communications where connection-oriented communications should be used instead of connectionless protocols. Tying in traditional computing protocols used for communication transportation, the SV architecture should leverage communications that are more like TCP and less like UDP to help prevent issues.
Cyber Threat to Confidentiality
We have already touched on how a cyber attacker could either replace encryption keys with their own or remove the encryption piece all together from communications to the ground which would allow for unauthorized transmission or even control of the SV from another ground station. This has the benefit to the operator of being a relatively noticeable issue since the appropriate ground station will likely realize that it cannot communicate with the space system or see it performing other communications or receiving other tasking. If this sort of attack was carried out on a SV-to-SV link or to enable communications from an outside the mesh or constellation it would allow for a similar compromise of the space system but in a less noticeable fashion.
Integrity
Once again, space-to-space integrity issues mimic those of the ground, with the difference being the unauthorized actions or alterations to what is being transmitted can come from a compromised SV and not necessarily a ground station.
Non-cyber Threat to Integrity
Following the example earlier, a non-cyber threat to communications integrity could involve a rogue SV belonging to another organization or country being maneuvered into position to communicate with the constellation or mesh, and due to a compromise of confidentiality in some way, that SV is able to alter information being passed across the space system, inject improper data, or otherwise damage the integrity of the mesh or constellation network. It is important as mesh and constellation use ramp-up that they consider lessons learned from terrestrial wireless networks to include 802.11 normal home and corporate wireless systems. Rogue access points and devices in those networks represent the same types of threats space systems will face. SV meshes should ensure that they maintain control and audit of the SVs communicating across the peer-to-peer network so that even if compromised the space system operator will at least be notified that there is a new and unauthorized SV present within their network.
Cyber Threat to Integrity
The non-cyber example earlier required an enemy-provided SV be integrated into a mesh and used as a rogue access point to that mesh which allowed the attacker to compromise the mesh network integrity. With cyber compromises and the cyber domain and attack surface it affords enemies and adversaries, a hacker could gain enough control of a particular SV within a mesh that it acts as an insider threat to the mesh network in the same fashion the externally introduced SV did. Again, tying in to known and already being addressed terrestrial issues, this is a problem to normal wireless networks. Not only does a peer-to-peer or access point–based wireless network need to address rogue access points and unauthorized users, it needs to be able to detect when a user on the wireless network is acting improperly or otherwise compromised.
Availability
Communications availability within the mesh is actually less impactful to the overall space system than a loss of availability from the ground to space. Even in a scenario where communications between SVs became completely unavailable, if those SVs could still communicate with ground stations, they could essentially pass required information to each other via networked ground stations if necessary. It may also be that a mesh or constellation of satellites can perform its mission just in a limited nature given only space-to-ground communications if point-to-point communications in space were to fail.
Non-cyber Threat to Availability
Space-to-ground communications require varying amounts of precision communications beams from the SV down to the ground station due to power constraints on the SV. Ground-to-space communication is not as hindered as more power can be used to get the signal into a wider area of space, and therefore less precision is necessary. In space-to-space communications which must be point to point in nature, precision is extremely necessary. When both parties in a point-to-point space communication are power constrained, it means they both must have pretty precise location information for each other in order to send the communications beams to each other across space.
This becomes an increasingly important issue when point-to-point communications utilize optical waves instead of radio waves. Optical waves can allow SVs to communicate with each other at much higher data speeds and can do so without worry of degraded performance thanks to the vacuum of space. The downside to this is that the margin for error is much smaller than radio wave communications, and precision is more of a requirement. Any non-cyber issue that impacts a SV’s ability to have a precision determination of its own and other SV’s locations would impact point-to-point communications’ effectiveness. It also may mean that with only one point-to-point antennas, transceiver and receiver, a SV may be only able to communicate with one other at any given time.
This also means that before it can communicate with a different SV in the peer-to-peer network, it may have to maneuver so that its optical or precision radio communications capability faces that of the new SV. In a large mesh of satellites, this may introduce a problem for appropriate tasking regarding which vehicles will slew to communicate with others, which won’t and when to enable efficient communications across the mesh to fully leverage it.
Cyber Threat to Availability
As you may be picking up by now, the peer-to-peer mesh concept introduces a lot of classical computer network problems to space operations. An attack on the availability of space-to-space communications that could take advantage of an age-old computer network attack would be to introduce routing loops into peer-to-peer mesh communications. In a true peer-to-peer mesh, each device or in this case SV must act as a router of traffic, passing along and processing data when necessary. An attacker with access to a SV could gain an understanding of the way data is transmitted and traffic routed across a mesh of SVs and start introducing traffic that will solicit other SVs to continuously pass information along in loops until it dies or is discarded due to time to live exceptions.
In this way traffic could be altered to flow around the mesh until it was discarded and never transmitted down to ground stations as needed. This would make the mesh unavailable for reliable communications. As SV meshes become larger and more complex in their operation, standards for how traffic is routed and passed across those meshes need to work off lessons learned from early networks and prevent this sort of attack and others from preying on such peer-to-peer networks. To this end, extremely large and complex meshes may benefit from having a small number of SVs within the mesh whose sole purpose is health and security operations for the mesh. This would allow for routing rules and other security applications to be wrapped around mesh communications and improve reliability and security of those communications.
Between Bus and Payload
The last communication vector we will highlight is one that I feel is less understood, less protected, and a potential Achilles heel for certain space systems via their SV configuration and design. In many satellites, there is a different party that flies and operates the flight components or bus of the SV that operates the payload. This means that one organization’s ground station might track the SV and make sure it avoids other space objects and stays in orbit, and another organization’s ground station may interact with the payload.
The consideration here is that a compromise of one or the other may eventually mean that a cyber attack executed on board the SV bus or flight systems could allow that attacker to pivot from one to the other and eventually back to the ground station and networks of an entirely different organization. Where such an example represents a need to at least logically separate the bus and payload, there are also instances where a payload may collect and offload extremely sensitive or classified information and yet the bus and flight computers are operated at an unclassified level.
Encryption could be used on board the payload to offload this data via unclassified means or project the payload from an attack on the bus, but I do not feel this issue is adequately addressed by security professionals or the space industry and could lead to the compromise of sensitive payloads via less protected flight bus systems and ground station organizations. There is also the little known or understood concept we just covered where compromise of one organization ground–based networks could actually use payload to bus links to pivot to and compromise a completely unconnected and geographically diverse ground network via the SV.
Confidentiality
In this sense confidentiality refers to the ability, when necessary, to prevent an adversary or operator of the payload or the bus from being able to read unauthorized data from the other. In some cases this is important to national security to protect the confidentiality of classified or sensitive payload data from less cleared operators of the flight bus, and in some instances it may not be worth the cost benefit if both organizations, though different, may have the same security posture.
Non-cyber Threat to Confidentiality
One of the payload types mentioned in other chapters was the communication payload where the satellite is there to provide communication pipes to different locations on the ground. An insider threat could alter the onboard configurations of such a payload to duplicate the communications going across a requested pipe and send them off to a third ground station unbeknownst to the communicants. In this example, the parties using the payload as a communication pipe between each other have no idea that the confidentiality of the communication pipe is being violated as their communications are also being sent off to a third party. This situation is similar to an attacker or admin mirroring a communications port on a switch or router to send a copy of all communications across it to a separate location. This has purpose for both security professionals and attackers.
Cyber Threat to Confidentiality
Continuing with communication payload examples, a broadcast communication payload like the ones that provide satellite radio to various customer areas around the world could be attacked via the cyber domain and altered to remove expected confidentiality as well. An attacker with access to the ground station and/or satellite providing space-based radio signals could start broadcasting to all radio receivers that they were actually subscribed, regardless if they were or not, and thus allow anyone with a satellite radio receiver to listen to the stations without a subscription. In this instance confidentiality is not so much a privacy concern but a business one where the satellite radio provider wants to keep the satellite radio services confidential only to paying customers, and an attacker could enable anyone with a receiver to listen to their services.
Integrity
Integrity across the bus and payload communication relationship refers to the ability of the payload to rely on the bus for accurate information and pass back to the ground unaltered payload data in configurations where the payload collects data and encrypts it before sending it to the bus to offload to a ground station instead of having a payload-specific communications capability with the ground.
Non-cyber Threat to Integrity
A good non-cyber example for integrity and/or reliability issues between the bus and the payload would be something that should be tested and evaluated for, but which does not always get caught. Emanations from a bus might impede a payload’s ability to separately communicate with the other ground stations it talks to and vice versa. Where operators flying the SV and operators tasking the bus have separate onboard communications capabilities and ground stations, a failure to deconflict communications efforts as well as protect emanations from each other’s operations impacting the other is necessary.
Cyber Threat to Integrity
Though a bus and payload may be logically and operationally separate in a digital sense, if they leverage some of the same onboard resources, there is opportunity for an attacker to go after that shared resource and impact the bus from the payload and vice versa. A payload may leverage an onboard GPS chip for triggering collection events related to its mission, and if that GPS chip is a resource shared with the flight computer and systems on board, a cyber attacker with interactive access to a bus and flight computer may be able to exploit the GPS chip in such a way that it starts reporting incorrect data which would ultimately affect the integrity of mission data produced by the payload as it was being triggered to conduct its mission over the wrong locations. This could mean taking pictures of incorrect locations or emitting jamming signals into empty space or at other unintended SVs.
Availability
Availability of bus and payload communications is important to the operation of any SVs. Security implementations that are aimed at preventing attacks from traversing this communications path must take into account potentially failing open in an effort to not provide another point of failure and risk to the space system. Further, many SVs rely on bus-to-payload communications because though they may be operated by different organizations, the payload may utilize the same antennas and SDR to communicate with the ground as the bus. Anything that denied this availability could end the space mission by preventing the payload from communicating its tasked actions and resulting data to the ground-based operators and consumers.
Non-cyber Threat to Availability
Non-cyber threats to this bus and payload communications link are essentially any issue that might occur to a shared resource. Where such an issue may not ultimately cause the SV to die on orbit, it might cause the communications between bus and payload to no longer be operational. Also any failure that forces a SV into a power conservation mode could shut down the payload operations all together to preserve power budget and turn off a payload entirely or at least prevent its data from being offloaded, not because of damage to the communication line but from forced stoppage of data offload and payload communications in an effort to preserve the SV.
Cyber Threat to Availability
Even in situations where the communications link between the bus and payload is not eliminated and compromise is not possible by a hacker from the bus to the payload systems, encrypted payload data can still be at availability risk. In configurations where a payload is passing encrypted sensitive data off to the bus for the bus to then transmit to the ground, a compromised flight computer or data handler on board the SV could be leveraged to alter the payload files in some way so that when they are received on the ground station, they are unusable. Though not outright preventing communications between the payload and the bus, this would make the communications altogether useless. Even something as simple as executing compression on the encrypted files with password protection and a password not known to the operators of the space system could make payload data sent to the ground unusable and unrecoverable.
Conclusion
The communication vector is itself a complex mechanism with various problem sets that affect space systems. Some are classic encryption and communication challenges that the space industry and security industry both historically understand. Others are emerging threats to space system communications that are well understood in the computer and network security industry but new to space. Ensuring the space industry takes lessons learned from terrestrial-based peer-to-peer networks and routing problems and implements modern security solutions to them in space is integral to protecting such systems. The security industry needs to take known solutions for these types of problems and explore tailoring them around the constraints of space operations to better provide security to space.