Holding the High Ground: Defending Satellites From Cyber Attack - AFCEA

2023-04-02 08:44 (EST) - Richard W. Skowyra

The Cyber Edge Writing Contest 1st-Place Winner, 2023

MIT Lincoln Laboratory and the Space Cyber-Resiliency group at Air Force Research Laboratory-Space Vehicles Directorate have prototyped a practical, operationally capable and secure-by-design spaceflight software platform called Cyber-Hardened Satellite Software (CHSS) for building space mission applications with security, recoverability and performance as first-class system design priorities. Following a successful evaluation of CHSS against an existing U.S. Space Force (USSF) mission, the CHSS platform is currently being extended to support hybrid space vehicle architectures that incorporate both CHSS-aware and legacy subsystems. CHSS has the potential to revolutionize the cyber-resiliency of space systems and substantially ease the burden of defensive cyber operations (DCO).

DCO on space systems has historically ranged from intractable to impossible due to the inherent constraints of the domain. Not only are satellites physically inaccessible, with bandwidth-constrained and intermittent communication links, but cyber-physical safety constraints impose strict timing and predictability requirements that few existing DCO tools could meet. Moreover, the importance of space heritage results in mission-critical code with strong resistance to modernization. A satellite is an integrated system of opaque software and hardware components with complex and diverse provenance. Without the ability to inspect or command these components, DCO tools are often relegated to best-effort monitoring of the communications bus. The combined challenge is akin to defenders being asked to defend a tank that lacks armor and whose crew is actively opposed to the idea. The attacker has every advantage.

One might incorrectly believe that satellite software is a difficult cyber target. Unfortunately, that’s not the case. MIT Lincoln Laboratory researchers analyzed common spaceflight software inventories and identified major concerns with widely deployed operating systems, third-party software dependencies and firmware that allow adversaries to implant automated malware via software supply chain attacks during satellite development or integration. Furthermore, software supply chain attacks are just one of many possible cyber threat vectors. For example, the increasingly networked world of cross-linked constellations offers another avenue for attackers to leverage one compromised satellite to attack others.

This hostile environment requires a revolutionary approach to defensive cyber operations to regain the advantage and deny attackers access to critical space systems.

Revolutionizing DCO

To tackle this problem, MIT Lincoln Laboratory researchers distilled the challenges outlined above into four adversarial conditions that spaceflight software must tolerate during operation. That is, the only way for spaceflight software to be resilient to cyber attack by nation-state actors is to function despite these conditions:

A cyber attack has already succeeded. One or more flight software components are compromised. DCO personnel do not know which one in advance or the end goal of the malware. This is consistent with software supply chain attacks that go undetected until malware activation.

Humans are unavailable at the necessary timescales. Malware operates at the speed of computation. A human operator cannot respond in real time, especially given that ground segment links are often intermittent and bandwidth-limited.

Safety violations are worse than security violations. Violation of cyber-physical requirements can damage or destroy the satellite. If DCO software causes safety violations, it imposes an unacceptable risk to the mission system.

Uncooperative software will always be present. Proprietary software, unmodifiable space heritage software, software built for specific operating systems, binary-only software or software from stakeholders that do not value cyber-resiliency is unavoidable. There are too many subsystems and different units of integration to avoid opaque components that must be trusted but cannot be proven as trustworthy.

These conditions effectively act as security design requirements for spaceflight software that, when satisfied, result in a revolutionary DCO capability to return the advantage to the defender. Such spaceflight software could operate through cyber attacks that have already established a foothold, mitigate the attack at least semiautonomously, meet cyber-physical timing requirements, integrate with existing spaceflight software and avoid removing existing flight heritage or imposing unrealistic requirements on stakeholders.

CHSS is a promising starting point for realizing this ambitious vision. CHSS is a mission-agnostic spaceflight software platform whose functionality was inspired by NASA’s core Flight System but with an emphasis on cyber-resiliency. Most notably, CHSS offers security without sacrificing performance.
