by Dr Mathieu Bailly
In the race to launch smallsats into low earth orbit quickly and cost-effectively, operators and manufacturers have compromised on security and left themselves vulnerable to cyber attacks. Let’s not make Newspace a paradise for hackers.
Smallsat operators and manufacturers need to consider why their smallsats are so vulnerable to cyber attacks, the harm attacks can cause, cyber security weaknesses, why basic encryption is not enough and what can be done about it now. These are the issues that this article addresses.
Newspace: the new frontier for cyber threats
Historically, space engineers have designed satellites to make them as durable and as reliable as possible, maximizing the available volume and mass for the payload at the expense of security features.
Today, the growing amount of valuable data created in space or transiting via space is making space assets an attractive target for hackers. The popularity gained by smaller and cheaper platforms, the “Newspace”, connecting additional billions of people and objects and observing Earth in near real-time and high definition makes the situation even more alarming.
Smaller satellites, bigger risks
Small satellites offer an attractive combination of a short time-to-market and powerful capabilities, making them a popular choice with around 1,000 new small satellites to be launched per year in the next decade.
Smallsats carry the spirit of the pioneers who built the first cubesats in their university labs to show students that research could be done from space with a limited budget and a lot of creativity.
Somehow this heritage of academic and amateur backgrounds still sticks today. Smallsats are still perceived as “inoffensive” despite the avalanche of new applications they can now address. Besides the academic projects, many smallsat missions collect sensitive data for commercial customers in industrial sectors such as oil & gas, and even national agencies are launching their own smallsat constellations.
Despite their commercial success, nobody seems to care about the cyber risks related to launching smallsats into low earth orbit. Why is that?
Many smallsat operators surf the newspace wave, disrupting the market for the older generation of large satellites. They are often startups led by ambitious entrepreneurs and backed by VC funds for whom being first to market makes a significant difference in terms of customer acquisition and growth potential.
Smallsat operators are therefore under tremendous pressure to develop platforms in a hurry. In this rush, security is often the first casualty.
They may ignore security aspects for two good reasons. First, smallsat companies typically do not have cybersecurity embedded in their cultural DNA, since most of their engineers are space engineers for whom cyber security is not necessarily part of their training and expertise. Second, there are few off-the-shelf solutions available to secure smallsat communications.
Dramatic consequences of a cyber attack
As Robert Mueller, FBI director, said, “There are only two types of companies, those who have been hacked, and those that will be.” The question therefore is when the first commercial smallsat cyber attack will occur and what the consequences will be.
Hackers have many ways of exploiting the vulnerabilities of satellite systems. Cyber attacks can cause various levels of disturbance. They include a short service interruption and undetected eavesdropping on, or tampering with, information. Cyber attacks can also lead to the partial or complete loss of ground terminals, and the partial or full loss of control of the satellite itself. Most of these actions are compatible with ransom demands.
The day a significant cyberattack occurs on a satellite will be the equivalent of 9/11 for the industry. That particular operator or ground segment provider will not only suffer legal, financial and social consequences, but will also have its reputation soiled, eventually making customers and investors lose trust in the company and leave, similar to the situation when a plane crashes and the airline goes bankrupt. A major cyber attack on one smallsat operator is also likely to cause collateral damage to the entire space industry, leading to less deployment and investment in space services.
Any ground or space infrastructure represents a potential entry point for hackers who always exploit the weakest link in the chain. Let’s review.
First the ground infrastructure: the most critical part of it is the Mission Control Software (MCS) which sends and receives all telemetry and telecommands to and from the satellite.
Typical implementation models to run the MCS of a smallsat include offline servers on premises, online servers on premises (or even a basic laptop), and public cloud hosting. All three models have their own weaknesses, which often come down to the credentials used to secure access to the software and the secret codes used to secure the link with the satellite.
Using regular servers offline seems to be a good idea to stay away from remote threats resulting from an internet connection. However, it raises a range of additional concerns related to physical access to the server. Through poor identity and access management (IAM), or employee management, a malicious insider could gain entry to the server and, for example, embed a trojan to access the data and the satellite, or simply shut the server down with a physical attack.
Online servers benefit from all resources available on the internet but open up opportunities for a hacker to make his way to the server and eventually to the MCS. Properly securing an online server on premises takes a fully skilled IT team.
Finally, cloud hosting has become popular recently due to the easy setup of scalable, efficient services at a cost-competitive price and the removal of all the IT hardware maintenance costs and concerns. However, all these advantages of cloud hosting come at the expense of security, as large breaches have recently shown. These were mostly due to the challenges of properly configuring the cloud services as well as keeping the administrator credentials safe. There are also issues with data retention laws: using US-based providers that fall under the Cloud Act may be problematic for a satellite operator with an international client portfolio.
Still on the ground, the development of the satellite until it is launched and commissioned is also full of opportunities for a hacker. For instance, the cryptographic secrets that will encrypt the downlink on board the satellite during the mission are vulnerable. They may have been poorly generated or handled on the ground, or an insecure technique may have been used to inject the keys onto the satellite. All these uncertainties lead to a decreased level of trust in the secrets on board the satellite, making the mission and the data potentially less valuable.
Last but not least, once the satellite is in orbit and in service, it is possible to impersonate either the ground station or the satellite itself to send malicious commands or information if no authentication mechanisms are being used.
Current trends in Newspace are facilitating the jobs of hackers
First, smallsats often operate as part of a larger constellation, so that any cyberattack on one satellite can potentially lead to the contamination of the entire fleet.
Second, many customers want flexible payloads and platforms in order to serve multiple customers from different businesses and geographies who share payloads that are reconfigurable in-orbit. New services create additional opportunities and vulnerabilities for operators.
For example, in-orbit reconfiguration is a fantastic opportunity for a hacker to install rogue firmware on the On Board Computer (OBC). Also, having multiple payloads and customers involved in the mission raises the issue of isolation between the different streams of data as well as between the applications running on board, which could be compromised by rogue or hacked software.
In short, the more connected and flexible the satellites are, the more secure they need to be.
Fighting the illusion that basic encryption is enough
Some small satellites have zero protection and communicate in the clear with their ground stations, using publicly available amateur frequency bands. Anyone with a technical background can easily intercept and play with the signal. Fortunately, these tend to be exceptions related to academic projects. Most commercial missions now use, at minimum, AES encryption, typically with a 128-bit key size, for the downlink and uplink.
Encrypting the link can only prevent an attacker from reading the signal, provided the secrets are not compromised. However, this does not prevent an attacker from impersonating a spacecraft or a ground station.
As a major principle of cybersecurity, the encryption algorithm and key size, although important parameters, are not the sole drivers of the level of protection. The level of protection is driven by the level of trust that the operator has in the secrets, typically keys, used to perform the cryptographic operations, as well as its ability to manage these secrets during the lifecycle of the satellite (update, revoke, etc.).
Even the most robust algorithm in the world becomes worthless if you cannot trust the secrets used by the mathematical functions. It would be a bit like leaving the keys in the door of your house equipped with the latest generation of video cameras.
This is why having a “root of trust”, i.e. a secured environment where cryptographic secrets have been generated and stored on the ground and on board the satellite, is critical to the secure operation of a satellite.
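As an added illustration (not code from the article or from any satellite vendor), the Python example below shows the receiver-side checks that encryption alone does not provide: a per-frame authentication tag, a replay counter, and a key identifier so that a key can be revoked during the mission. The frame layout, key values and command string are constructed for this example; HMAC-SHA256 is one possible choice of authentication mechanism, and the payload is treated as opaque bytes that may already be encrypted.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # HMAC-SHA256 output size
HEADER = struct.Struct(">BI")     # assumed layout: key_id (1 byte), counter (4 bytes)

def build_telecommand(keys, key_id, seq, payload):
    """Ground side: header || payload || HMAC(key, header || payload)."""
    body = HEADER.pack(key_id, seq) + payload
    return body + hmac.new(keys[key_id], body, hashlib.sha256).digest()

class Receiver:
    """Satellite side: a frame is accepted only if key, tag and counter all check out."""
    def __init__(self, keys, revoked=()):
        self.keys = dict(keys)
        self.revoked = set(revoked)   # key ids withdrawn during the mission
        self.last_seq = {}            # highest accepted counter per key id

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return None, "too short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key_id, seq = HEADER.unpack_from(body)
        key = self.keys.get(key_id)
        if key is None or key_id in self.revoked:
            return None, "unknown or revoked key"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad tag"
        if seq <= self.last_seq.get(key_id, -1):     # same frame sent twice
            return None, "replayed counter"
        self.last_seq[key_id] = seq
        return body[HEADER.size:], "ok"

def demo():
    # Constructed sample keys; real keys would come from the root of trust.
    keys = {1: b"\x11" * 32, 2: b"\x22" * 32}
    sat = Receiver(keys, revoked={1})
    good = build_telecommand(keys, 2, 7, b"SET_MODE SAFE")
    altered = good[:5] + b"X" + good[6:]             # one payload byte changed
    wrong_key = build_telecommand({2: b"\x00" * 32}, 2, 8, b"SET_MODE SAFE")
    old_key = build_telecommand(keys, 1, 9, b"SET_MODE SAFE")
    return [sat.accept(f)[1] for f in (good, good, altered, wrong_key, old_key)]

if __name__ == "__main__":
    print(demo())
```

Only the first frame is accepted; the repeated frame, the altered frame, the frame signed with a key the satellite does not hold, and the frame signed with a revoked key are all rejected.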
What do we do now?
Eventually cybersecurity standards with enforcement policies will be inevitable, even for smallsats. But it will take years, if not decades, to implement them.
To get a sense of how the smallsat market can overcome its cyber security issues, one can look at terrestrial markets which have faced similar challenges. For example, on the ground, the Internet of Things (IoT) also started with zero security. IoT is slightly ahead of the Newspace market in terms of security awareness. Embedded security solutions are now available off-the-shelf, and certification schemes have been drafted and are starting to be enforced. From a technical perspective, many components and security architectures used in IoT could inspire smallsat operators. Security components in IoT include Secure Elements: tamper-resistant hardware platforms, taking the form of a chip, capable of securely hosting applications and storing confidential and cryptographic data, for which the market is booming. This proves that small chips combined with secure practices on the ground and security certification schemes can be a winning combination to make smallsat security operations sustainable while having a minimum impact on the satellite design, operations and performance.
Preventing space from becoming a paradise for hackers
Smallsat operators and manufacturers need to realise that their satellites are vulnerable to cyberattacks. However, adoption by smallsats of security tools and certification schemes that already exist in other technology domains such as IoT can prevent Newspace from becoming a paradise for hackers.
Dr Mathieu Bailly is VP Space & IoT at CYSEC SA, a Swiss cybersecurity company. He oversees product development and activities related to the fast-growing markets of the Internet of Things, Space and Maritime, where cybersecurity is not yet regulated and has become a major concern. Mathieu holds an MSc in Materials Science from the Grenoble Institute of Technology in France and a PhD in Chemical Engineering from Queen’s University, Canada.