Cybersecurity Risk Mitigation For Ground Systems
By Rania Toukebri
Nearly all satellite missions – commercial, military or scientific – use Ground Systems to control and manage their operations. Ground Systems operate 24 hours a day, 7 days a week, 365 days a year and can often support multiple spacecraft. These Systems consist primarily of a large antenna that communicates with the orbiting spacecraft via radio waves, called a telecommunications link. Ground Systems are responsible both for transmitting information (such as command and control instructions for orbital corrections) and receiving information (such as telemetry data about where the satellite is located).
However, the issue of cybersecurity for satellite Ground Systems has been largely neglected. To date, very few studies have addressed the different vulnerabilities and challenges of safeguarding our Ground Systems, leaving us incapable of identifying and evaluating the cost of a cybersecurity attack.
With the increasing number of small satellites, and a global network of Ground Stations needed to provide low latency for data getting between low Earth orbit and users, the potential threat and degree of impact for cyberattacks has grown significantly.
We are in a phase in which we need to mitigate the risks by simplifying the necessary controls, using time-based methods for analyzing controls, and instigating proactive cybersecurity mechanisms on new systems in order to provide data assurance.
Ground Systems have been victim to an increasing number and sophistication of attacks in recent years. Attacks took advantage of different vulnerabilities. For instance, in 2008, the Johnson Space Flight Center’s mission control computer network was hacked and forced to upload malicious software onto computers on the International Space Station, disrupting on-board communications. Another potential threat concerns GPS receivers’ software. Hackers have been known to spoof or jam the GPS signal, which can render GPS’s precision timing invalid and preclude proper functioning.
The first step in a good cybersecurity strategy is having a risk management framework to determine what assets are most attractive to hackers and how they should be protected. This means taking into account all the existing assets (physical and virtual) and the cost associated with the access of these assets by the hacker. The Cybersecurity Maturity Model Certification (CMMC) program initiated by the United States Department of Defense (DoD) is a good example of effective cybersecurity action. This program measures the defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity.
The CMMC have different levels of security maturity. Stage 1: Scanning is the first step that a corporation thinking about cybersecurity will undertake, Stage 2: Managed Assessment and Compliance, Stage 3: Formalized Analysis and Prioritization, Stage 4: Attack Focused Management ending with the Stage: Optimization.
While existing frameworks provide current guidance on cybersecurity, it’s important to monitor for any recommended changes on a regular basis.
Many security control models only address the presence of controls first and do not quantify what those controls provide. The assessment of risk in these models remains qualitative and the risk in these models become a subjective measurement.
The Time-Based Security method offers a framework within which users can measure the effectiveness of their security using a simple mathematical formula: Protection Time > Detection Time + Response Time; in other words, Protection Time needs to be greater than the Detection Time plus the Response Time. Protection Time is the time a security measure will provide safety before it becomes compromised or disrupted. Detection Time is the time it takes for the people controlling the system to find out that a compromise occurred. Response Time is the time it takes those people controlling the system to act accordingly. So protection measures from every security process should allocate more protection time than it takes for the system managers to detect and respond to the potential attack.
This model provides a method for evaluating successive multiple controls. A high-level example could test the time it takes attackers to: access to the base network, access to the satellite control network, and finally access to the console. Commanders then can make true risk-based decisions on whether they can afford additional protections. The major issue of a quantitative time-based model becomes the requirement for granular testing of every security control on an existing system.
The time-based method is applied to new systems, but the selection of security controls becomes a difficult process if the system designers do not consider security at the outset of the design. The selection of security controls in the time-based model may overwhelm system designers. Without an idea of what to protect in a new or modernized ground system the quantitative model only provides best guesses. Consequently, the quantitative models work best in existing systems.
Another model for risk-based evaluation of space ground systems uses a preventative mission assurance model based on redefining cyberspace as anything processing a signal and then using the six steps of the data lifecycle: generation, processing, storage, communication, consumption, and destruction in evaluating the risk to the system. Unlike the other models that consider the detection and usually the threat vector, this preventive model focuses specifically on vulnerability. Generally, if we can build a system without vulnerabilities of the operating system, then we can assure security. This preventative model requires the re-engineering of communication channels. It does not provide adaptive methods for dealing with existing cybersecurity channels as those found in existing space systems. In the future, this model will be extremely important for the modernization and re-engineering of the Air Force Satellite Control Network (AFSCN) ground station network architecture coordinating communications to more than 100 satellites via nine ground stations positioned around the globe.
Threat elements release new risks of attacks on a daily basis, so security operations should be adapted in a sustainable way. It is crucial to consider risk models to assess the strength of existing controls against the threats addressing most potential security vulnerabilities. Having an established framework that will react fast and effectively is mandatory at this stage.