A Safer Frontier
Print Issue: September 2014
On October 4, 1957, the Soviet Union successfully launched the first satellite into low-earth orbit, where for 92 days it sent scientists valuable information on the interstellar climate until it burned up when reentering Earth’s atmosphere. Sputnik triggered a race to send satellites—and later, people—into the skies to learn more about the earth and the area surrounding it.
More than 50 years later, at least 50 countries have joined the Space Race and are sending more than just rockets into the atmosphere. Currently, 1,167 operating satellites are orbiting the planet, gathering and sending information to public and private organizations alike.
And recently, public funding of the space industry has bottomed out, allowing private companies to make their way into the industry, transporting goods to astronauts and even making plans to send tourists to space in the near future. But these opportunities have also exposed vulnerabilities. Cybercriminals are now looking to the skies to disrupt military operations and the day-to-day functions of the financial, retail, utilities, and communication sectors.
During a March hearing of the U.S. Senate Armed Services Committee, industry experts and government officials described the ever-growing importance of the space industry and the need for funding to develop space security programs.
“[The space industry] underpins [defense] capabilities worldwide,” said Douglas Loverro, deputy assistant secretary of defense for space policy. “It enables U.S. global operations to be executed with precision on a worldwide basis, with reduced resources, fewer deployed troops, lower casualties, and decreased collateral damage.”
Almost every critical industry relies heavily on satellites for daily operating functions, but recent reports have shown that thousands of satellites are widely vulnerable to an array of cyberattacks. Hackers can intercept proprietary information, block critical communications, and even take over and maneuver susceptible devices. Despite these threats, experts worry that satellite security is a low priority.
Space Exploration Technologies Corporation, more commonly known as SpaceX, is a private space transport service company founded by PayPal entrepreneur Elon Musk in 2002. SpaceX paved the way for the private space industry, launching the first privately funded rocket and breaking into the government-controlled sector via a $1.6 billion contract with NASA to transport cargo—and eventually humans—to the International Space Station. SpaceX is currently developing reusable rockets that will facilitate commercial travel into orbit by 2015.
Although SpaceX is privately funded, it deals with the same threats as government-run space programs. And today, those threats come in the form of cyberattacks, says Branden Spikes, former CIO of SpaceX. Spikes worked at SpaceX for 10 years and says that his biggest challenge was one that many other large corporations face: creating and maintaining a secure network.
Employees would click on malicious links, inadvertently downloading malware and potentially exposing sensitive information on the company network. SpaceX had network security systems that prevented every attack vector successfully, Spikes says, except for the Internet browser, which runs on a public-facing network.
Although SpaceX has never suffered a breach, Spikes says this was the problem he lost sleep over. “It was sort of exacerbated by the need to launch humans into space someday, so that was always in the back of my brain,” Spikes says. “How am I going to succeed at creating a secure environment where human life is at risk?”
The answer was building a solution from the ground up, a departure from the traditional detection-based security technology. The application, now marketed by Spikes as AirGap, isolates malware attacks and protects browsers, no matter what users click on.
Spikes notes that another security challenge faced by SpaceX and the aerospace industry as a whole is creating completely secure, fail-proof system networks. Much of the network technology in the industry is outdated, relying on technology such as fiber optic lines and direct closed-circuit video feeds. Converting the network to something more modern—video over IP (VoIP) and cloud-based services, for example—is risky and at times unrealistic, Spikes says.
The goal is to create a system where one network can go down and not affect critical systems, Spikes explains. SpaceX created a separate network for mission control so if the main network had to be shut down for maintenance, it wouldn’t interrupt a mission.
Although the private aerospace industry is growing at a rapid pace, space flight accounts for a small percentage of the objects in orbit. Satellites are far more prevalent.
As cybercrime rapidly evolves, satellite security design becomes outdated or disappears, explains Kazuto Suzuki, chairman of the Global Agenda Council on Space Security. Because of this, satellites are susceptible to intentional disruptions of communication between the Earth and the satellite, including jamming the signal, feeding the system false data (also called spoofing), or overriding the entire system and changing the position or orbit of the satellite.
It is almost impossible to prevent these attacks on satellites, leading cybergangs and nation states to target them, Suzuki says. For example, Iran has sent a jamming signal to prevent BBC television from being broadcast in the country, and North Korea has jammed GPS signals to make military attacks more difficult to execute.
One of the most common components of satellite systems is the very-small-aperture-terminal (VSAT). There are more than 2.9 million VSATs currently in use, and two-thirds are U.S.-based. VSATs are land-based satellite dishes that are used mainly for communication—journalists, oil riggers, ship captains, and even shops, banks, and utilities rely on the satellites to quickly send information to and from remote locations.
However, at least 10,500 VSATs are vulnerable to hacking, according to a report by cybersecurity firm InterCrawler. The main vulnerability lies in the use of default passwords, or no passwords at all, states the report.
Hackers can easily scan the devices for security gaps and monitor the proprietary data being sent to and from vulnerable VSATs. If attackers are able to access the VSAT network, they could jam or control the satellite’s communication, the report says.
Targeted companies will most likely never find out their digital communication has been breached, says Pierluigi Paganini, CIO of software company Bit4id. And even when these sectors learn of a possible vulnerability, they are often slow to take action, he says. “Unfortunately, the life cycle of satellite systems is very long compared to the evolution of common cyberthreats,” Paganini says. “This means that during the operation of a satellite architecture, we will see a broad range of threats, making it absolutely critical to think of security by design for these complex systems.”
Hackers who access VSAT networks can also learn the precise locations on Earth where the satellite communications are being sent to and from. By using tools such as Google Maps, criminals can home in on critical infrastructure systems and learn their layouts and physical security, the report states.
IOActive, a security consulting group, released a report in April detailing various vulnerabilities in satellite systems designed to keep aircraft, ships, and military personnel safe. The affected Broadband Global Area Network (BGAN) satellite receivers provide Internet and voice connectivity for global military forces.
The vulnerabilities allow hackers to install malware on the BGAN terminals, access the location of the soldiers communicating with the satellite, or even disable the systems, according to the report. Hacked satellites used by ships could tamper with navigation systems to reroute a vessel’s course or disable distress messages, and vital aircraft communication could be intercepted.
The vulnerable satellites aren’t hard to infiltrate—even a text message could block communications, Paganini says. IOActive uncovered a long list of flaws in the BGAN satellite design, from poor firmware design to insecure protocols to weak password reset processes.
Despite the clear threat to military and other critical satellites, the space industry has few tools to handle the physical, digital, and legislative protection of its assets. There are five international treaties that govern space activities and address arms control in space and the prevention of harmful interference with space activities. However, it is the responsibility of each nation to govern—and enforce—its space-related activities.
Current space laws are vague and outdated when it comes to addressing cybercrime against satellites and control systems, so the onus of keeping space technology secure falls on the developers. According to Paganini this is troubling because satellite vendors have been slow to address the reported flaws in their products. Though the technology exists, improving satellite infrastructure is costly and time-consuming.
“The most alarming thing is the slow response of satellite equipment manufacturers,” Paganini says. “Despite the researchers at IOActive reporting the findings to the CERT Coordination Center [an Internet security organization], which promptly issued an alert to the vendors in January, to date the reply is faint. Believe me, bad actors are very efficient and these delays benefit their cyber offensive.”
In a time where public funding for space technology is waning and reliance on private companies like SpaceX for space transportation increases, both lawmakers and industry experts are emphasizing the need for publicly funded space security initiatives. During the recent U.S. Senate Armed Services Committee hearing, for example, Loverro encouraged lawmakers to provide defense funding for space surveillance programs.
“Space is no longer the sole province of world powers. It is a frontier that is now open to all,” For example, Loverro explained at the hearing. “In the last several decades, space has become more competitive, more congested, and more contested. What worries me the most is the contested nature of space, which we now face.”