Abstract
In modern times, satellites and space-based systems play a vital role in national critical infrastructure: agricultural industries rely on climate and weather satellites, militaries rely on intelligence satellites, and transportation industries rely on global positioning system (GPS) satellites. These infrastructures are vulnerable to a broad range of security threats.
There is considerable effort to improve the cybersecurity of critical infrastructure, but less focus is given to cybersecurity for space systems. Challenges to securing space systems include technology development, ownership, and management perspectives. This report presents the recent major cybersecurity threats to space systems and the potential motivations of cyber criminals or nation-states that would be interested in compromising them. Finally, possible next steps in advancing cybersecurity for space systems are discussed.
Introduction to the System Under Investigation
Major critical infrastructure depends on satellites and space-based systems. Transportation depends on global positioning system (GPS) satellites. Communications systems depend on telecommunication satellites. The food industry makes use of GPS satellites and of weather and climate satellites. It is hard to find an industry that does not have a critical dependence of some form on space systems.
However, despite efforts to improve the cybersecurity of critical infrastructure, there has been little focus on cybersecurity for space systems. Challenges to securing space systems include technology development, ownership, and management perspective. An initial step in controlling any area of risk is to put in place means for measuring and assessing the risks. This report therefore focuses in particular on encryption of the data communication link between satellites and satellite-based systems.
Assessing the Security Risks of the System under Investigation
A framework for risk assessment for satellites must include considerations for the unique features of space systems. These considerations should include:
- An understanding of the assets, their required security properties, and the severity of the loss of those properties.
- An understanding of the exposure to the threat environment.
- An understanding of the threat environment, attackers and their capabilities, and the likelihood of an attack.
- An understanding of restrictions and requirements regarding candidate security controls.
Availability and accessibility are the major security properties at stake in the satellite cyberthreat.
In 2012 there was a programming challenge, DroneGames, held in San Francisco [2] on interesting applications for a semi-autonomous radio-controlled drone, the Parrot AR drone. Second place was a program to control multiple drones from a single computer. But first place went to a drone that would infect any other drone it encountered, causing them to “run amok” despite the best efforts of the controllers.
Like satellites, the drones had complete dependence on the radio spectrum for both data and control. A cyber-attack that renders the satellite inaccessible by ground control results in the catastrophic loss of the asset, even if it was “only” a Denial-Of-Service attack that in other sectors would be considered only a minor nuisance.
Space systems are continually exposed to attack through their control and data streams. In 2016, there were 1046 active satellites, from 47 nation-states. In the same year, Amdhi [1] cited several alleged cases in which satellite command and control systems were penetrated to the point where the attacker had gained the ability to issue commands to the satellite control systems. Multiple reported instances of hijacked satellite transmissions and security research demonstrations have also shown the ready exposure of satellites to attack.
With the availability of Very Small Aperture Terminal (VSAT) ground systems able to connect directly to satellites, and the flexible capabilities of Software Defined Radio (SDR), radio transmission is no longer the barrier that it once was. But there is no longer even a need to go that far; satellite systems can have live connections through their ground control networks to the internet. An attacker can thus choose among multiple avenues of attack, depending on the connectivity of the satellite and the resources available to the attacker:
- Attacks through ground terminals,
- Attacks through proprietary ground communications networks,
- Attacks through ground control networks,
- Attacks through SDR transceivers,
- Attacks through co-orbital assets and
- Attacks through public networks.
The capabilities of expected attackers are at the nation-state level, so the attack likelihood is very high and no longer helps in discriminating between security practices. It is a common dogma in cybersecurity that the likelihood of attack depends largely on the capability and motivation of the attacker. In the case of satellites, the worst-case motivation and capability are posed by nation-states, and by covert attack threats such as advanced persistent threats (APTs) that have demonstrated significant resources and alignment with national interests. Nation-states have launched orbital assets with explicit anti-satellite capabilities. Anti-satellite actions are part of standard military doctrine among multiple nation-states.
So, the base likelihood of an attack is a certainty – high capability attackers will attack satellites. In addition, satellites have long service lives and routinely function through several cycles of terrestrial technical progress. It is necessary to change the risk assessment focus from what attackers could do given their capabilities, to a worst-case assumption of what an attacker could do given the satellite’s capabilities.
The beginnings of this can be found in the safety analysis process for commercial aircraft, where the goal is to be able to state that any harmful event that could occur will occur unless there is verification and assurance that it won’t occur. More formally, consistent with the commercial aerospace cybersecurity assessment methodologies such as DO-356A [5], a means to mitigate the impact of potential attacks is to reduce the likelihood of a successful attack, which in practice means to increase the coverage by the security controls, and to reduce the likelihood that the security controls fail or are defective.
Controls on the ground control networks are necessary, but not sufficient. Assessment of technical controls needs to include consideration of detection, response, and restoration controls. While ground control networks can be protected through their cybersecurity controls, radios can contact satellites outside the ground control systems.
In the case of attacks outside the ground control networks, the only protection is the set of embedded technical security controls on the satellite. Controls that prevent access by attackers, such as encryption, are important, but with the long service lives of satellites, the encryption algorithms are subject to obsolescence. The ability to monitor and respond to attacks on the satellite therefore becomes an important means of responding to the changing threat environment. An effective monitoring control would be one that can detect the technical precursors to an attack before the attack renders the satellite unresponsive to ground control.
Even more critical is the ability to restore the satellite to a secure and functional state. In financial systems, security controls should be Fail-Secure. In commercial aircraft, security controls may need to be Fail-Open to retain pilot access to critical flight control functions. For satellites, the issue is maintaining the availability of the asset, even if this means a temporary loss of functional availability. For a satellite, security controls need to be Fail-Restorable: if a security control fails, it needs to fail in a manner that will allow accessibility of the satellite to be restored.
In other cyber-physical systems, an important control is “Secure Boot,” the ability to ensure that when a device resets, it will use a trusted core as the initial software basis. In the case of satellites, this functionality can be extended to “Secure Restoration,” the ability to ensure that the Secure Boot includes sufficient functionality to render the satellite accessible to its ground control.
Planning the Security Level
Satellites must use the strongest available cryptography to protect data from undetected changes during transmission or while in storage. Cryptography and fault detection play critical roles in combating these issues by hiding information and transmitting data securely. Various software programs are designed to address these vulnerabilities, each with its own method of distributing the keys that scramble and unscramble data.
Several encryption methods for the satellite data transmission system were considered. Many factors were taken into consideration when choosing among the many cryptographic algorithms available. The three most popular of these are the Advanced Encryption Standard (AES), the Data Encryption Standard (DES), and Rivest, Shamir, Adleman (RSA).
- Advanced Encryption Standard (AES): AES is a symmetric key algorithm. Both the sender and the receiver use a single key for encryption and decryption. It is great for security and speed, with fast hardware and software implementations.
- Data Encryption Standard (DES): DES was mainly adopted by businesses for security products. The algorithm is designed so that encryption and decryption are done with the same key.
- Rivest, Shamir, Adleman (RSA): RSA is an asymmetric (public-key) algorithm. Encryption and decryption use a key pair rather than a single shared key, and its operations are considerably slower than those of the symmetric ciphers [1].
Key length, cipher type, block size, development, cryptanalysis resistance, security and time [1] were compared.
Cipher types
Block ciphers are a central part of shared-key cryptography design. A block cipher takes two inputs, a k-bit string and an n-bit string, and returns an n-bit string. The first input is the key; the second may be called the plaintext, and the output the ciphertext. The key length k and the block length n are parameters of the block cipher [6]. It should be designed so that any attempt to break the system is difficult, and the security it provides depends on both the key length and the block size.
According to the data found in a survey on performance analysis of the three encryption types, DES often has key distribution and key agreement problems but lower power consumption, while RSA consumes a large amount of time to perform encryption and decryption operations [1].
AES Algorithm
The AES algorithm was found to consume the least time for data encryption and decryption, and the least buffer space, compared to the DES and RSA algorithms. AES also offers flexibility during and after implementation, which the other algorithms do not.
Encryption algorithms may be symmetric or asymmetric. AES uses a symmetric key algorithm for cryptography. This means that the same cryptographic key is used for both encryption of plaintext and decryption of ciphertext.
More specifically, AES is a symmetric block cipher used in software and hardware to encrypt sensitive data. Public-key algorithms are used to perform authentication and key exchange, and then AES, the symmetric algorithm, encrypts the data [3]. The key must be shared between the sender and the receiver only over a secure channel [3]. Asymmetric key algorithms, on the other hand, use a key pair.
Many modes can be used to cope with faulty transmission. However, AES has one specific mode well suited to ground stations, the CTR (Counter) mode. CTR is referred to as a stream-cipher mode because it does not require a whole block before encryption, only a partial block. CTR mode is also more suitable for noisy channels because, unlike other modes, bit transmission errors in the cipher data are not expanded in the received plain data. This mode is recommended as the optimum choice for satellite applications [4]. Based on these factors, AES is able to transfer data in the most efficient way [3].
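The two properties claimed for CTR mode above (partial final blocks need no padding, and a channel bit error corrupts only the corresponding plaintext bit) can be checked directly. The following is an added example, not code from the report; it builds a block cipher with the k-bit-key, n-bit-block interface described under Cipher types and wraps it in CTR and CBC modes, then flips one ciphertext bit and counts how many plaintext bits change under each mode. The block cipher is a constructed four-round Feistel network with an HMAC-SHA256 round function standing in for AES (it is only a stand-in for demonstrating the modes, not a cipher to deploy); the key, nonce, IV and telemetry frame are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 16          # n-bit block length, here n = 128 bits (16 bytes)
HALF = BLOCK // 2
ROUNDS = 4


def _round_function(round_key: bytes, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF (HMAC-SHA256) truncated to a half-block."""
    return hmac.new(round_key, half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES: a 4-round Feistel cipher (k-bit key, n-bit block in, n-bit block out)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key + bytes([i]), right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation: the same rounds applied in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key + bytes([i]), left)), left
    return left + right


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: encrypt counter blocks to form a keystream and XOR it onto the data.
    Only the forward direction of the block cipher is used, a partial final block is
    handled by truncating the keystream, and encryption and decryption are the same operation."""
    assert len(nonce) == HALF
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + ctr.to_bytes(HALF, "big"))
        out += _xor(data[start:start + BLOCK], keystream)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode with PKCS#7 padding: each plaintext block is XORed with the previous ciphertext block."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    prev, out = iv, bytearray()
    for start in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[start:start + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC decryption; the padding is left in place so that corruption stays visible."""
    prev, out = iv, bytearray()
    for start in range(0, len(data), BLOCK):
        block = data[start:start + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return bytes(out)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single channel bit error in the received ciphertext."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def bit_diff(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def error_propagation(plaintext: bytes, bit_index: int):
    """Return (CTR: number of differing plaintext bits, CBC: differing bits per plaintext block)
    after one ciphertext bit is flipped in transit."""
    key = b"constructed-demo-key"              # constructed sample key, not a real link key
    nonce, iv = b"\x00" * HALF, b"\x01" * BLOCK  # constructed sample nonce and IV
    ctr_plain = ctr_crypt(key, nonce, flip_bit(ctr_crypt(key, nonce, plaintext), bit_index))
    cbc_plain = cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plaintext), bit_index))
    pad = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([pad]) * pad
    per_block = [bit_diff(padded[s:s + BLOCK], cbc_plain[s:s + BLOCK])
                 for s in range(0, len(padded), BLOCK)]
    return bit_diff(plaintext, ctr_plain), per_block


if __name__ == "__main__":
    # constructed sample telemetry frame: 38 bytes, so CTR ends on a partial block
    frame = b"constructed telemetry frame 0123456789"
    print(error_propagation(frame, 100))  # CTR: 1 bit; CBC: [whole block 0 garbled, 1, 0]
```

Flipping bit 100 (inside ciphertext block 0) leaves CTR with exactly one wrong plaintext bit at the same position, while CBC garbles all of block 0 (the altered block is decrypted through the whole permutation) and then flips one bit of block 1 (which is XORed with the altered block 0). CTR alone gives no integrity: a receiver that needs to detect deliberate modification, rather than survive channel noise, still needs an authentication tag.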
Proposed Solution
A common potential data breach is the man-in-the-middle attack. This happens when an attacker alters the communication between the sender and the receiver, and the receiver believes the data is being transferred over a secure, private connection when in fact the communication is controlled by the attacker. Secure data transmission with the following goals was desired:
- Data being sent is received by the intended user.
- Detect and prevent man-in-the-middle attacks.
A security framework is proposed in which a new security layer encrypts data at the sender side and decrypts it at the receiver side.
In the case of a man-in-the-middle attack, if the data being transmitted is lost and never reaches the receiver, or is not received intact, this is treated as spoofing by an attacker. The next step is to change the authentication and encryption/decryption keys, as well as the sockets used for data transmission. The attacker then cannot spoof any end user, since all network access authorization and authentication processes have changed.
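The detect-and-rekey behaviour described above can be written out as a small protocol between the two endpoints. The following is an added example, not the report's own design: each frame carries an epoch number, a sequence number and an HMAC-SHA256 tag over all of it; the receiver treats a modified, missing or out-of-order frame as spoofing and rolls to the next epoch, which derives a fresh key from a shared root secret, and the sender rolls with it after a negative acknowledgement. The `SecureLink` class, its frame layout, the epoch-based key schedule and the root secret are all constructed assumptions for this illustration; changing the transmission sockets, which the text also calls for, is outside what the example shows.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQ")   # constructed frame header: 32-bit epoch, 64-bit sequence number
TAG_LEN = 32                    # HMAC-SHA256 tag length


class SecureLink:
    """One endpoint of the proposed security layer (constructed illustration)."""

    def __init__(self, root_secret: bytes):
        self.root_secret = root_secret
        self.epoch = 0
        self.send_seq = 0
        self.expect_seq = 0
        self.alerts = []            # (epoch, reason) for every rekey event

    def _key(self) -> bytes:
        # constructed key schedule: every epoch gets an independent MAC key
        return hmac.new(self.root_secret, b"epoch" + struct.pack(">I", self.epoch),
                        hashlib.sha256).digest()

    def build_frame(self, payload: bytes) -> bytes:
        header = HEADER.pack(self.epoch, self.send_seq)
        tag = hmac.new(self._key(), header + payload, hashlib.sha256).digest()
        self.send_seq += 1
        return header + payload + tag

    def rekey(self, reason: str) -> None:
        """Roll to the next epoch: new key, sequence counters restarted."""
        self.alerts.append((self.epoch, reason))
        self.epoch += 1
        self.send_seq = 0
        self.expect_seq = 0

    def receive_frame(self, frame: bytes):
        """Return the payload if the frame is authentic and in sequence; otherwise
        treat it as spoofing, rekey, and return None."""
        if len(frame) < HEADER.size + TAG_LEN:
            self.rekey("truncated frame")
            return None
        header, payload, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        epoch, seq = HEADER.unpack(header)
        expected = hmac.new(self._key(), header + payload, hashlib.sha256).digest()
        if epoch != self.epoch or not hmac.compare_digest(tag, expected):
            self.rekey("authentication failure")   # modified, forged or stale-epoch frame
            return None
        if seq != self.expect_seq:
            self.rekey("sequence gap")              # lost, reordered or replayed frame
            return None
        self.expect_seq += 1
        return payload


def run_exchange():
    """Ground station and satellite share a constructed root secret; an attacker edits
    one frame in transit and later replays it. Returns (received payloads, satellite epoch, alerts)."""
    ground, sat = SecureLink(b"constructed-root-secret"), SecureLink(b"constructed-root-secret")
    received = []
    received.append(sat.receive_frame(ground.build_frame(b"CMD:STATUS")))   # accepted
    f1 = ground.build_frame(b"CMD:ADJUST 1")
    tampered = f1[:HEADER.size] + b"CMD:ADJUST 9" + f1[-TAG_LEN:]            # payload edited in transit
    received.append(sat.receive_frame(tampered))                             # rejected, sat -> epoch 1
    ground.rekey("peer reported spoofing")                                   # negative ack: ground rolls too
    received.append(sat.receive_frame(ground.build_frame(b"CMD:ADJUST 1")))  # accepted under the new key
    received.append(sat.receive_frame(f1))                                   # stale-epoch replay rejected
    return received, sat.epoch, sat.alerts


if __name__ == "__main__":
    print(run_exchange())
```

The tag binds the epoch and sequence number to the payload, so an edited payload, a frame from an old epoch and a replayed frame all fail the same check, and a lost frame shows up as a sequence gap. After each rejection the receiver's key has already changed, so the frames the attacker observed are useless against the next epoch; in a real deployment the rekey would be coordinated over an authenticated control message rather than the direct `ground.rekey` call used here.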
Conclusion
Cybersecurity for space systems is still in its infancy. Quantum leaps in technology and standards are expected as more investment is made in commercial space, autonomous vehicles, the industrial internet of things, and argumentation. Using a suitable encryption technique, communication between satellites and satellite-based systems can be secured.
As a future step, since satellite communications are data intensive, various compression methods can be introduced before encryption. This can significantly improve the amount of data transferred per second and allow the flow of data to be monitored, which can help detect precursors of cyber-attacks more quickly.
References
- Alberts et al., “Operationally Critical Threat and Vulnerability Evaluation (OCTAVE) Framework,” Technical Report, CMU/SEI-99-TR-017, June 1999.
- “AR Drone That Infects Other Drones With Virus Wins DroneGames,” IEEE Spectrum, Dec 2012.
- DO-356A, “Airworthiness Security Methods and Considerations,” RTCA, June 2018.
- “Cybersecurity Risk Assessment for Space Systems,” IEEE Space Computing Conference (SCC), 2019.