Threats are those characteristics, qualities, or attributes of a space system that would allow it to be compromised. In this chapter we will focus on threats to the vehicle itself. We will later discuss threats to the mission. It is fair to say that any threat to the vehicle would certainly pose a threat to the mission being conducted by the SV. While this is true, the ways in which threats to the vehicle or the mission specifically might happen or be leveraged require different vectors and efforts. As such, I will first cover the threats to the SV itself, openly acknowledging that any threat to the vehicle likely impedes the mission as well.
These threats all have the potential to result in a no longer functioning SV. This may be due to the destruction of the SV, depriving it of resources or giving the appearance that it is no longer functioning at all to the consumers and operators on the ground. Though I will go into watchdog scripts later, I also acknowledge that such automated safety protocols and others like them potentially might save the SV from various threats to its existence. This is true in many different ways on many different SVs, but the fact that a watchdog script may save the SV from a threat does not change the fact that such threats are a general way a SV may stop functioning.
Once again, I will focus initially on threats that are applicable to smallsats in LEO. I have the same justification, that they are the more immediately prevalent space system facing cybersecurity issues and needing good solutions. Also, each of these threats easily translates into the more complex types of SVs which we have discussed, and any specific threats to other types of SVs which are not smallsats in LEO will also be discussed in this chapter. Additionally, while I explore threats to the SV as far as how they can be used to damage or disable it, there is a central system which ties many, if not all, of them together. The Command and Data Handling functions (C&DH) relay and direct communications around the SV. Suffice to say any cyber attack that affected C&DH functions would hamper or disable the SV. However, since the C&DH functions and aspects are typical of a computer in general and not specific to space, I will not present examples unique to this part of an SV.
Electrical Power System (EPS)
Power, commonly known as the Electrical Power System (EPS), is the most critical requirement and therefore the biggest threat to successful operation of a SV. Without power the SV can’t fly, communicate, run missions, or correct. Anything that goes wrong on a SV is potentially lethal to it and must be understood and protected against. Whether the power threat is manifested through natural or unforeseen environmental or operational issue or is the result of a malicious cyber attack, it must be mitigated in some way.
Non-cyber Threat to EPS 1
The first non-cyber threat I would like to touch on is an issue with the SV and its ability to generate power. This is typically done via solar panels that either are on various sides of a satellite or fold out from it post deployment. If a physical defect or damage were to impede the satellite from deploying its solar panels or the panels themselves were otherwise damaged, the power budget for normal operations of the SV might become exceptionally inefficient or all together impossible.
SVs in general but smallsats specifically have huge constraints when it comes to the ability to generate power. It would be hard to fold up and fit giant solar panels and have them deploy from a smallsat the size of a bread box. Therefore solar panels are not likely to produce exceptionally higher than necessary power generation, and if one out of two solar panels did not deploy or was damaged, it could mean that the mission window for the system has a lot less operational windows within it since the satellite will have to spend much more time facing the sun and charging than conducting mission actions like snapping photos.
Non-cyber Threat to EPS 2
The second non-cyber threat for power of a SV is the ability to store power once it is generated. SVs, especially smallsats, are not spending the majority of their mission life in view of the sun. This means that power generation, while important, must also be able to be stored for when the sun is not readily available. If a portion of the battery or one of several batteries becomes damaged, it will also limit the amount of operational time that the mission life span has available to it. With less energy stored, the SV cannot conduct too much mission actions when out of view of the sun for risk of draining too much of the stored power.
There is also the potential threat of a battery becoming damaged in a way that it ends up having a destructive effect on other parts of the SV. Imagine perhaps that a battery cracked under the stress from launch and the resulting chemical reactions damaged the SV so bad it never even turned on once it was deployed from the launch vehicle. It is true that some battery designs are more stable and safer than others like, say, lithium batteries. However, no matter how the battery is made, if it becomes cracked or damaged, it will at least limit the amount of energy the SV can store for when it is out of view of the sun. At worst it means that the SV may be destroyed from the inside.
Cyber Threat to EPS 1
Where the non-cyber threats to a SV’s power come in the form of damage or failed operation, the cyber threat to power comes when code is changed on the satellite system that will also cause issues with the SV’s ability to stay on power budget or maintain any balance of power production or storage. In this and all following cyber examples of threats, it is safe to assume that if an attacker has the ability to go after such threats to the SV, they also have the access and permissions to alter the SV’s safeguards against such threats. In this case if code is being deployed to negatively influence the power production utilization and storage on the SV, then such an attacker can disable watchdog scripts and automatic power resets and so on.
The first cyber threat to power is where the payload is told to essentially attempt to communicate constantly, at maximum power until the battery is depleted. With this and any threat to a SV’s power, there is always a chance that the SV eventually drifts through space long enough that its solar panels generate enough power that the SV essentially wakes back up. In this case, if the threat was persisted on the SV, any time it turned back on, it would just continue to broadcast maximum strength nonsensical signal into outer space until the battery and SV was dead again.
Cyber Threat to EPS 2
Another example of leveraging this threat would be if the payload was configured to either constantly sense or emit or run whatever mission it had to the point that it also drained the battery. In this example the SV’s safeguard and safe boot options are also replaced by the attacker so that if the SV ever generates enough power to start back up, it will just keep blowing through its power with payload activity. These two attacks represent how both the bus and the payload can be attacked using code that makes them waste their power at a high rate and prevents safeguards from taking over and preserving the SV.
Communication
Communication threats to the SV may not have the potentially permanent or even destructive results as can be seen in power issues. Even so, a communication threat is essentially just as dangerous. Though the SV itself may survive, and even continue to function as normal, an inability to communicate with ground stations or other devices in a mesh means that to the users on the ground, the SV has ceased to function.
Non-cyber Threat to Communication 1
The first non-cyber communication threat is probably the most typical threat SVs face from known malicious actors in regard to communication. Jamming or electronic warfare is where the receiver is essentially sent overpowered or confusing signals that cause it to lose its ability to communicate effectively with remote devices. Power of signal is often a factor in jamming situations, and in LEO examples especially, the simple fact that resources are very constrained and power sources and storage very small means that effective jamming from the ground or other SVs is a real potential threat.
There are certainly ways around jamming threats. Jamming typically requires either a knowledge of the frequency that the signal communicates across or an ability to jam large swaths of frequencies. Therefore, any SV or communication device that can move around frequency ranges or has an ability to overpower the jamming signal can likely survive it. These solutions are not foolproof, but there are resiliency and mitigating methods to communicating in a jammed environment. This non-cyber threat to communication is nearly as old as over-air radio communication itself, and the arms race between jamming and anti-jamming technology is very mature.
Non-cyber Threat to Communication 2
The second non-cyber threat to communication that I will bring up is encryption. Though a necessary component of secure communications, the issue with encryption is that once implemented users of the encrypted communications link, in our case a SV and another SV or ground station, assume all further communications are safe. Just as in the jamming scenario, there is a constant arms race between encryption implementations and those trying to break encryption standards. What is important for all users of encryption but especially space systems to understand is that encryption must be viewed as only a speed bump to attack or compromise and not a safeguard.
As computing power increases exponentially, year-to-year encryption standards continue to fall to high-powered cryptanalysis. The added danger here to space systems is that if an encryption standard used between a SV and a ground station were to be compromised, the communications between the two are in the open air, open to anyone with a mind to get close enough to also view the now essentially clear text communications. Something else to keep in mind is that even with uncracked encryption, communications can still be subject to jamming. Though this non-cyber communication threat is not as complete a threat as the jamming threat, loss of secure communications may render a space system mission pointless or even dangerous and essentially kill the remaining mission window.
Cyber Threat to Communication 1
Staying with the encryption example, there are certainly cyber-enabled ways to pose a threat to communications with cyber. Instead of waiting for supercomputers to crack encryption standards, if a SV was compromised via a ground station terminal, an attacker would be utilizing the correct keys from the ground station and have no issue communicating with the satellite. Once the SV itself is compromised, the attacker could even delete or replace the encryption keys on the SV. Doing so would mean that the SV could no longer communicate with others in a mesh or the ground station since it would never make a successful communication handshake to establish encrypted communications. Worse if the attacker persisted access to the ground station and kept the new key from the SV, the attacker would in fact be the only one able to communicate with the SV for as long as it went unnoticed on the ground.
Impairing a SV’s ability to perform encrypted communications kills the mission window in the same manner that the encryption being broken would. Even if the attacker did not alter fail-safes such as a fallback to unencrypted communications, the SV may be too sensitive to talk to over unencrypted signals. An attacker could always remove or damage fail-safe scripts and components with privileged access to the SV. Even if they did not, simply continuously altering encryption keys on the SV from the ground station even with unencrypted fallbacks means the mission window would be severely hampered or altogether impaired by communication issues. Such communication issues could also cause the SV to not receive important instruction from the ground on altering course to avoid collision or de-orbit as well.
Cyber Threat to Communication 2
The second cyber communication threat I will posit is more complicated but no less detrimental to the SV. The computerization of SVs in general and especially small satellites has meant that hardware modulators and demodulators and other antenna equipment have been replaced by software defined radios (SDRs) . These software defined radios are essentially computers capable of shifting communications frequencies and communications attributes to match different incoming and outgoing communications requirements.
The downside for the SV regarding cyber attacks is that this SDR is also another computer, networked to other parts of the SV that could be pivoted to by an attacker and infected with malicious code. Once access to an SDR is gained, the attacker could actually alter what the SDR thinks is correct frequencies and settings to communicate with the ground. Performing this attack and disabling safeguards that might reset the SV computers after so many days with failed communications would mean that to those on the ground, the SV would seemingly be unable to communicate or even be functioning.
Guidance, Navigation, and Control (GN&C)
GN&C ensures that the SV will not collide with other space objects, fall into the Earth’s atmosphere, and burn up in de-orbit as well as maintain adequate position when necessary to communicate with the ground. Loss of navigation is detrimental or lethal to a SV, and threats to navigation must be seriously considered and mitigated when possible.
Non-cyber Threat to GN&C 1
When a small satellite or even larger satellites and other SVs are deployed from their launch vehicle, there is always going to be some level of detumbling. This is where the SV adjusts for any unwanted motion and inertia induced by leaving the launch vehicle. This might be minimal and hardly noticeable, or it could be severe and unrecoverable. There are even certain satellites that are designed to accept certain rates of rotation around certain axis and other tumbles so they can afford to expend less or no energy in detumble before performing their mission.
A tumble-related threat to navigation could be that a SV with little to no detumble capability was put into a fast spinning tumble through space when part of it did not separate from the launch vehicle on time. Catching part of the SV on the launch vehicle sent it into a fast spin from which it cannot recover. This could mean that solar panels are unable to deploy or that the SV is only able to communicate with the ground if it is able to do so at all. In this way an inability to detumble would mean that to the ground the SV is unable to function or be communicated with, meaning it can’t be corrected. An uncorrected tumble means the SV can’t guide to correct orbits and may collide or de-orbit. Worse if the tumble is severe enough to prevent solar panel deployment or prevent the SV from facing the sun for enough time, it will die a slow power death as well.
Non-cyber Threat to GN&C 2
A more straightforward non-cyber threat to navigation is simply the damage of the onboard GPS chip by radiation or physical event. Though there are other corrective capabilities some SVs have on board such as sun sensors or star tracker, loss of GPS is usually catastrophic. These other methods are of course less accurate than utilizing GPS triangulation with a chip, and even when on board the SV, such technologies may only be enough to somewhat correct the device and the mission window for the SV can still be significantly degraded.
Cyber Threat to GN&C 1
Cyber attacks which create incorrect navigation data or hamper the ability to navigate allow malicious attackers to impact other aspects of the SV like the payload or to ultimately disable it. In the first example, the satellites’ ability to interpret GPS, star tracker, and sun sensor data can be altered such that it thinks it is facing the sun when it isn’t and vice versa. If this type of attack was successful, the inability to navigate correctly would mean that the SV would be unable to turn its solar panels toward the sun, because it would always be turning them away from it in reality. This means that there is no power production and the SV will stop functioning eventually. Disabling safeguards during the cyber attack, as in the other examples, means that even if enough power is accumulated while the vehicle drifts through space for it to turn back on, when it does it will simply go back into its inaccurate behavior.
Cyber Threat to GN&C 2
Another example of navigation issue posing a cyber threat to a SV is loss of control of GN&C. An attacker could gain access to the SV and, upon doing so, put the SV on a direct collision course with another space object. Doing this and making the SV unable to communicate with ground stations as discussed in the Communication section would mean that the SV would literally be destroyed in a collision with another space object. Performing this type of attack in a constellation or a mesh could pose significant danger to multiple SVs as well.
De-orbit
In LEO SVs particularly, but other types as well, there is a requirement that after so long the SV will de-orbit and burn up in the atmosphere to keep down on the amount of junk floating around in popular orbital areas and planes. To accomplish this feat, SVs are either placed in an orbit that will naturally bring about the de-orbit of the SV or they have onboard propulsion or attitude and position adjustment capabilities that will de-orbit the SV in the appropriate time.
Non-cyber Threat to De-orbit
Subject to the environments of space, there is always a small possibility that something will confuse the SV to the point that it thinks it needs to trigger its de-orbit sequence. In such a scenario, the SV is sent burning up in the Earth’s atmosphere at the incorrect time. There is also the potential that a SV has an issue with its ability to de-orbit. It is nontrivial to build guaranteed de-orbit ability after say a decade in space when the SV itself is expected to only conduct an operation window for several years.
Cyber Threat to De-orbit 1
There are essentially two ways in which the de-orbit threat can be manipulated via cyber attacks. The first is to simply create the same non-cyber situation we just discussed. In this type of attack, the malicious cyber actor alters configuration data on the SV to either make it think the requisite requirements have already been met to demand a de-orbit take place or change the requirements themselves so that the de-orbit triggers early based on a new configuration.
Cyber Threat to De-orbit 2
The second cyber attack involving de-orbit is to burn propulsion or potentially leverage reaction wheels and torque rods to the point that the SV is in an unrecoverable orbit that will cause it to fall into Earth’s atmosphere ahead of schedule. In a SV with onboard propulsion, this can be done by burning through enough of the propulsion resources to get the SV so off course and falling toward the Earth at an inclination and rate which the remaining fuel cannot fix. In a SV where attitude and position adjustment is much slower using fly wheels and torque rods, there would likely also be a need to try and prevent correction from ground stations as this de-orbit attack process would take much longer.
Non-LEO Space Systems
Since the predominance of the examples discussed involve LEO satellites or satellites in general, I did want to cover a cyber and non-cyber example of an attack to SVs in the other types of space systems we have covered so far in this book.
Weapons
Space systems that are weapons incur significant risk to not only the loss of the SV but more importantly loss of human life on a potentially large scale when cyber and non-cyber threats to the system become a reality.
Non-cyber Threat to Weapons
Most examples of a weapon system that is also a space system with a SV in the upper reaches of the Earth’s atmosphere or at higher altitudes are guided systems. Even though this is the case, there is the potential for such systems to drift off course in situations where the flight of the weapon or its accuracy cannot be guaranteed. In an observed and controlled weapon, when this happens, safety personnel are likely to destroy the weapon in flight as to avoid unintended consequences. When that is not possible, there is a chance that in the best-case scenario, the weapon never returns to the Earth to do its damage and is therefore ineffective for the actor that launched it. At worst this means another actor’s space weapon system is not intercepted or the launched weapon impacts on unintended innocents. These examples relate to systems such as intercontinental ballistic missiles, interceptors or even hypersonic weapons.
Cyber Threat to Weapons
The least damaging attack on such weapon systems from the cyber domain would be if the workstations used by the safety personnel were compromised and any weapon system launched into space was told to self-destruct when not appropriate. More nefarious would be an attack that compromised targeting and launch systems for such devices, sending them at potentially innocent or unintended targets at unintended times. Both of these examples though do not involve a compromise on the SV itself and are not necessarily threats specific to the SV. As such weapons become more self-sufficient for targeting logic based on artificial intelligence (AI) algorithms and machine learning, there is a greater possibility that those onboard computing assets are compromised via a cyber attack and that the decisions that AI makes for the weapon once underway conflict with the intent of the individuals who launched it, likely in disastrous fashion.
Crewed
Crewed weapons obviously have humans on board with their livelihoods as a primary goal. That being said there are still threats specifically to the SV itself in these situations as well.
Non-cyber Threat to Crewed
The most realistic situation where a crewed SV is under threat is due to physical damage. This could be in the form of radiation events that fry important electronics that allow the crew to steer and manipulate the SV. It could also be due to actual kinetic damage from something like another space object impacting the SV and damaging thrust or control mechanisms. In these situations, the humans on board are not immediately at risk, but the SV is unable to be controlled or utilized adequately. With crewed SVs there is likely a link back to ground stations for support and potentially for someone on the Earth to fly the SV if necessary. Threats to crewed SVs are those that impede the ability of both those on the ground and those on board to control the SV. Additionally, where the ground station in other space systems has the potential for insider threats to carry out an attack both cyber and non-cyber, the crewed SV has this issue both at ground stations and on board.
Cyber Threat to Crewed
A cyber threat to a crewed SV is one that essentially results in the same impact to the SV that we just discussed from the non-cyber realm. Any malicious cyber attack that can lock both ground station based and onboard crew out of onboard computers or fool them into thinking things are fine when they aren’t has the ability to pose huge threats to the SV itself. As we have seen with other types of SV cyber threats, such attacks can also cause the SV to damage itself in physical and irreparable ways. More on threats to the crew specifically in Chapter 6, “Threats to the Mission.”
Extraterrestrial
Extraterrestrial systems have the added complication of being far from Earth with very long communication delays and rare communications windows. This means that those on the ground controlling such systems are likely not afforded opportunities to try and interfere with cyber and non-cyber threats alike from damaging the SV.
Non-cyber Threat to Extraterrestrial
Examples of threats to extraterrestrial SVs are based on fact and history. For example, a dust storm could cover the solar panels on an extraterrestrial rover such that it is unable to ever recharge its batteries and it dies in place. There is also the potential that an extraterrestrial rover becomes stuck in a crevice or between rocks or in sand. In any of these cases, extraterrestrial environments pose threats innumerable to SVs that end up in them. It is also easy to imagine how all of the already discussed threats to SVs could be easily lethal to a system operating on another planetary body.
Cyber Threat to Extraterrestrial
Because of the difficulty in operating extraterrestrial devices from Earth, the risk if a cyber attacker was able to gain access to an extraterrestrial SV is very high. No complex code solutions or orbital calculations are necessary to damage or kill an extraterrestrial SV. All an attacker would have to do is tell the SV to drive off a cliff or into a cave at the end of a transmission with Earth. By the time those on Earth realize the SV was doing something they hadn’t planned on telling it to do, it is either unable to communicate ever again because it is in a cave out of reach of sunlight and signals or is in a hundred pieces in a ravine.
Deep Space
Similar to extraterrestrial systems, deep space systems have long communication delays and short and potentially rare communications windows. Instead of taking minutes to get communications between, say, Mars and Earth, the delay might now be hours or days. The risk that deep space systems have that extraterrestrial systems do not is a possibility for unknown trajectory or positions. A SV on Mars is going to stay on Mars at least so operators on Earth should know where to point communication antennas to find signals from SVs on that planet. If anything altered the course of a deep SV, this is not necessarily the case.
Non-cyber Threat to Deep Space
Continuing the altered course threat, imagine our deep space probe encountered a rock orbiting a planet or moon far from Earth or even a small interstellar object. If the deep SV was set adrift or off course, it would be a struggle and potential impossibility to find it again from Earth and direct communications at the new location and trajectory of that spacecraft. Obviously omnidirectional antennas on board such a SV would help this scenario, but it is a challenge specific to deep space that position and trajectory can become essentially unknown.
Cyber Threat to Deep Space
In the cyber threat to deep SVs, the SV is sent commands from a malicious attacker to send it in an unintended direction such that it might be lost from its operators on Earth. Moreover, if the attacker was able to execute malicious code on the SV itself, all it would take is a programming of a series of random maneuvers over the course of a few months to keep the deep SV from being found. In this instance even if the ground-based operators found it and attempted to plot its new course, it would be changing at random for a period that would likely cause it to be lost forever. Not to mention any of the already discussed threats, if implemented on a deep SV, would also cause unrecoverable impact to the SV.
Conclusion
We have covered many threats to SVs in this chapter. Many of them stem from the challenges we have discussed earlier in this book coming to fruition against SVs. This can clearly happen naturally or without cyber-enabled effects or be the result of malicious cyber activity on the SV or ground station. The big takeaway is that, for every challenge that has been overcome by the space community which allows space systems to function, cyber brings about a renewed threat that any of them could be reintroduced to the SV by a malicious attacker.