Schrodinger in Space: Opposing Cybersecurity Truths to Better Protect Space Systems
By Tomas Pena
May 3, 2022
Space is often considered the 4th Domain of War, behind Land, Sea, and Air. It makes sense, then, that principles and truths seen in other domains would apply to space as well. Schrodinger’s Cat, a thought exercise developed by Dr. Erwin Schrödinger in 1935, proposed that an object (cat) could be said to exist in two states simultaneously (dead and alive), so long as it remained unobserved. In effect, he hypothesized that two opposing truths could exist at the same.
The cat is dead…
AND: The cat is alive.
Similar thought exercises can be applied to the space domain within the field of cybersecurity. Authors have written volumes on cyberspace and its earthly cyber threats. This article proposes sets of opposing truths to spotlight facts that should be considered when securing space systems.
1. Everything in space is in constant motion…
Although one wouldn’t know it from sci-fi movies and television, there are numerous forces acting against objects in space at all times, including powerful gravitational forces from planets, moons, and stars. Satellites launched into Earth’s orbit must accelerate sufficiently to remain in orbit or risk falling back into the atmosphere, as we recently witnessed when 40 Starlink satellites aiming for Low Earth Orbit (LEO) encountered higher-than-expected drag forces due to atmospheric variations which resulted in their complete loss. Operational spacecraft are also in motion. The resource-bare environment of space requires maneuvering solar panels to collect energy for long-term operations and the increasing proliferation of satellites in LEO sometimes require maneuvering to avoid collision with other space objects.
Growing dependency on space systems for location data, telecommunications, and deep space awareness puts space systems at risk regardless of their continuous motion. Malicious Cyber Actors (MCAs) who have previously attempted to gain access to Earth-bound systems have expanded their activities into space technologies. As more space systems incorporate commercial and open-source products into designs, MCAs leverage availability of common tools to advance their goals of collecting information, spying, or holding space systems at risk.
AND: Most things in space stay still.
It doesn’t take an expert to understand that objects in space are difficult to access physically. While scientific advances makes object retrieval in higher orbits possible, many space systems will never be touched by humans after launch. Most space systems must maintain a static and resilient system architecture to maintain high levels of reliability. For this reason, systems must be designed for long-term operations and depend highly upon forecasting operational scenarios, including responding to cyber-attacks. Within the past few years, the introduction of reprogrammable microchips, such as the Field-Programmable Gate Array (FPGA), has made it possible to remotely update hardware configurations using a technique similar to a software update.
MCA tactics, techniques, and procedures (TTP) are most effective against static targets. Early stages of attack include reconnaissance and surveillance. These activities inform follow-on phases in the kill chain and permit long periods of inactivity between time of intrusion and time of effect. Systems which are not able to change operational configurations more easily fall prey to MCAs using traditional methodologies which do not account for such changes.
2. Cyber-attacks are benign… (bear with me)
With many types of cyber-attacks, nothing is seen or heard. No operations are affected and there's little evidence to suggest an adversarial presence. To prevent loss of access after intruding into a target, MCAs establish persistence by quietly putting into place mechanisms to return easily. Furthermore, network noise and occasional system hiccups normally occur within complex systems, creating an environment where it’s easy for an MCA to hide the few traces of actions that could raise suspicion. Space systems further complicate cyber intrusion investigations since visibility into subcomponent behaviors are limited to remote observation. A successful intruder need only filter outgoing information to eliminate attempts to raise alarms.
The infamous Sunburst supply chain intrusions into SolarWinds and Microsoft software updates in 2020 shed light on an otherwise silent MCA campaign. In these attacks, malicious software changes made during the development process of a powerful network management tool went unnoticed for months. They were only discovered during a FireEye investigation into a previous cyber incident. Later Sunburst investigations revealed the specific domains which were targeted and those which successfully established contact with MCA infrastructure. If this information had not been discovered, many more organizations would be expending resources to analyze systems for persistent-presence techniques which could have been left behind. In supply chain attacks, MCAs usually attempt to bypass detection until the time and place of their choosing. The largest amount of time spent by MCAs is going unnoticed.
AND: Cyber-attacks are deadly.
Aside from situations focused on the goal of stealing data, MCAs eventually use, or intend to use, unauthorized system accesses in order to create effects in cyberspace or other domains. Cyber-attacks with a focus on information collection may go unnoticed, but many of them are designed to create noticeable effects. Today we see effects in the form of ransomware, denial of service (which commonly does not require system access), and dangerous modifications to industrial control systems’ processing such as those for water and petroleum. Observations from the Russian invasion of Ukraine have involved everything from viruses that delete data to regional jamming of GPS and Starlink satellites in attempts to disrupt Ukrainian defense operations.
As the use of space systems proliferate into safety-critical systems, the potential for life-threating effects increases. Today’s military operations leverage space-based capabilities for communications, situational awareness, and strategic decision support. Denying these services could result in significantly reduced operational effectiveness and loss of life. Worse yet, subtly tampering with systems services could cause severe accidents or conceal enemy actions. Due to the global nature of space system services, effects brought about through cyber-attacks on space systems extend the potential impact of these effects globally.
3. Secure coding is vital.
MCAs often target software as it interacts with system resources such as memory, storage, and networking. Vulnerabilities appear as the result of unsecure coding practices which don’t adequately manage resources or protect against misuse. Coders must be cautious and use security best practices to avoid pitfalls that result in new exploitation opportunities, especially when code is reused. While vulnerabilities may occur as the result of environmental changes or advances in attack techniques, many of them can be easily avoided during coding. Common best practices for coding are readily available through organizations such as the Open Web Application Security Project (OWASP), and the use of such best practices is often required for high-risk systems.
Space systems have unique coding requirements. Expensive launches and the challenges of making on-orbit software changes contribute to the need to code securely. These considerations are captured in terms of Space, Weight, Power and Cost. These factors influence the overall system architecture—often depending on embedded systems and purpose-built engineering solutions. Using secure coding practices at the lowest level improves software’s resistance to exploitation.
AND: Secure coding is insufficient.
Unfortunately, secure coding by itself is insufficient to secure a system during development. Factors such as the selection of programming language and compilers, code reuse, and third-party product integration must be judiciously applied. The concept of emergence describes a phenomenon in which sufficiently complex systems demonstrate unpredictable behaviors. In large System-of-Systems, the combination of complexity and unpredictability increases the challenge of identifying vulnerabilities before a system enters operation, especially in budget- and time-constrained situations.
More so than other systems, space systems must be engineered in a way that permits thorough system monitoring and behavioral analysis to distinguish non-malicious from malicious activities. Once launched, access to internal subcomponent behaviors is physically constrained and deep software troubleshooting and updates are frequently impossible. To avoid the most easily implemented security mechanisms, MCAs leverage software vulnerabilities in chains, linking several vulnerabilities rated as low risk in order to complete their objectives. A thorough security approach involves a defense-in-depth approach that considers even the smallest abnormality as a potential MCA action. Recently publications of Zero Trust Architecture (ZTA) by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense (DoD) have recognized the importance of the key principles required to sufficiently protect systems. To help protect against MCA, Zero Trust involves the use of principles such as verification and authentication within subsystems beyond those commonly used today.
4. Zero Trust is easy…
The concepts behind Zero Trust are simple to summarize: “Don’t trust anything,” “Assume all devices and infrastructure may be compromised.” Guiding principles must be applied at the lowest levels in the most critical components of a system to protect the system’s mission. Guidelines recognize that achieving mature ZTA will not occur overnight, and principles may be applied incrementally as a system matures. Perhaps initial verification methods rely on cryptographic hashes from a known configuration. Authentication could depend upon a simple code check initially and anomaly detection could be based on simple machine learning behavior models such as k-means clustering algorithms.
Data plays a large role in many space systems. ZTA requires protecting data throughout the system using mechanisms similar to those which have been used in earth-bound systems for decades. Likewise, secure solutions for ground system communications and process execution management are well understood by both engineers and MCAs. Space system engineers must examine these known-secure approaches and apply them to space system designs to achieve cyber resiliency in space.
AND: Zero Trust is hard.
Describing strategies has always been simpler than carrying them out. Another way of interpreting the principles behind ZTA is to identify precisely what will be trusted, and then base system operations at all levels on validation by that trusted source. Since that source would become obvious to an interested MCA, it’s necessary to apply protections at multiple levels, using a combination of embedded and general-purpose processors and virtualization—expected to become more common within space systems due to advances in miniaturization. Experts in cryptography, embedded coding, electrical and mechanical engineering, and space operations must participate in designing space system security. This holistic approach to system security would lead to thorough system monitoring capabilities which can observe, analyze, and intelligently react to perceived system threats.
Standards for implementation of ZTA within space systems which experts in multiple disciplines can leverage are still under development. Furthermore, the market for space systems commercial and open-source subcomponents is limited, which increases engineering costs for all but the most basic requirements (at least for now). That said, efforts by the National Institute of Standards and Technology (NIST) and others are beginning to address these gaps to help develop more secure space systems.
5. Finding the threat is the goal…
Designing and implementing an aggressive system monitoring capability pays off when the system detects and alerts on suspected MCA activity. Alerts with low false-positive rates are required to quickly understand MCA actions and support incident response-response decisions. To achieve maximum cyber resiliency and support system operational availability in space, autonomous actions are required to immediately restrict MCA activity while preserving mission-critical operations. Critical functions within systems vary but should be the areas where the most robust detection and response actions are focused.
Systems which successfully identify and mitigate MCA activity improve system availability and functionality. However, responding to an MCA attack by temporarily restricting communications or partial system reset may not be sufficient to eliminate MCA threats. As discussed above, key objectives for many attacks are to remain undetected and create the ability to reinstate access.
AND: Finding the threat is only the beginning.
Indications of a cyber-attack are not always clearly understood or helpful in eliminating MCA access to systems. This was demonstrated in the previously discussed Sunburst attacks which leveraged unsecured Domain Name System (DNS) infrastructure to contact MCA command and control infrastructure. In the moments after getting target network access, Sunburst MCAs were capable of sending commands for actions such as reconnaissance and establishing persistence. Additional payloads may also have been downloaded to perform any number of actions which could have gone undetected. In short, to fully eliminate potential avenues of persistence, systems must be sanitized to the lowest levels or be replaced.
The physical isolation of space systems provides a unique challenge for digital forensics and incident response. Whereas ground-based systems may be easily analyzed and refreshed before returning to operation, space systems rely completely upon remote analysis and response. Designing systems to be refreshed from a known-secure configuration helps to mitigate this threat but may be insufficient if the initial attack injects dangerous commands. For example, if an MCA successfully commands the space system bus—the component responsible for physical “steering” of the spacecraft—recovery may not be possible when remote communications are broken unless autonomous capabilities to re-establish communication are present. A savvy MCA may reserve obvious effects as a last resort, however, instead choosing to create more subtle effects over an extended period, which may be erroneously attributed to normal system malfunctions if detected at all.
Recognizing and applying the above truths to space systems are critical to protecting space systems being increasingly integrated into everyone’s daily lives. As MCA methodologies mature, the importance of distinguishing root causes of system behavior increases along with the need for remote forensics and autonomous response capabilities. Financial and engineering benefits of incorporating commercial products and engineering best practices must be coupled with maturing Zero Trust implementations to ensure space systems remain available when they’re needed.
About the Author
Dr. Tomas Pena, Lt Col, USAF (Retired), is Editor in Chief of Military Cyber Affairs, the scholarly journal for the MCPA as well as the Chief Technologist of Cyber Operations for the Space and Airborne Systems Segment of L3Harris Technologies and volunteers with the Marine Corps Cyber Auxiliary. Dr. Pena holds a Bachelor of Science degree in Computer Science, a Master of Science degree in Computer Information Systems, and a Doctorate of Science degree in Cybersecurity. He proudly served as a Cyberspace Operations Officer in the U.S. Air Force in multiple combatant commands, domestically and overseas.