View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series.
As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace.
The need to ensure the security and safety of these technologies has never been more pressing.
So, let’s discover a range of measures to secure the space systems.
Security by design
Security by design is an approach to designing systems, products, or applications with security as a primary consideration from the outset, rather than adding it as an afterthought.
Security by design is an important consideration in the New Space industry because New Space companies are often startups or smaller companies that are developing innovative solutions to space-related challenges, and security by design is essential to ensure the safety, reliability and security of these new technologies and satellites.
One of the key components used in the New Space industry is the software defined radio (SDR).
Let’s dive deeper into the application of a security by design approach for an SDR architecture.
Secure SDR architecture
Software defined radio is the new groundbreaking technology leading this new space era.
Thus, securing the SDR architecture is an essential step in preventing cyberattacks.
The European Secure Software Defined Radio (ESSOR) is a project created by nine European countries. It seeks to develop mutual technologies for European military radios and provide a secure communication system.
NASA also developed a Space Telecommunications Radio System (STRS) architecture standard.
The purpose is to develop an SDR architecture security by design.
SDR architecture is composed of a software part and a hardware part. There were many proposals to secure the SDR architecture addressing the software part as well as the hardware part.
On the one hand, a proposed secure SDR architecture focusing on hardware is the new spectrum management architecture. This design is based on an automatic and calibration & certification unit (ACU), a radio security module (RSM) and a built-in GPS receiver.
Proposed SDR hardware architecture
The ACU is a hardware radio frequency (RF) manager. It checks output power spectrum compliance with the local radio regulation parameters. The ACU is integrated between the programmable physical layer and the RF modules.
RSM is the security manager of the hardware; the local radio regulation parameters are securely downloaded to the hardware and stored in the RSM. It manages the software life cycle — downloading, installation, operation and termination.
This architecture relies on a security module, based on software or tamper-proof hardware, to secure the software operations (download and installation) or the radio frequency configuration parameters.
On the other hand, a proposal for securing SDR based on software architecture looks as follows.
There are some software SDR architecture components that need to be secured.
The new proposed architecture is based on two key concepts. The first key is the separation between the application environment and the radio operating environment so that the compromise of one does not affect the other.
The second key is the check against security policies of all the SDR reconfiguration parameters created by the application environment before they result in impact on the radio environment.
Traditional (a) and proposed (b) secure architecture of SDR
The defined SDR secured architecture includes a secure radio middleware (SRM) layer. It contains the components that need to be secured: radio applications (RA) and the radio operation environment (ROE).
RA is a software component in SDR that controls the radio by implementing the air interface and modulation and communication protocols. RA needs to be protected because a hacker can reconfigure it with erroneous parameters (frequency, modulation, etc.).
ROE contains the fundamental core components for the radio platform operation.
The SRM layer is built under the user application environment (UAE) layer (OS); thus, it’s immune to UA and UAE compromises.
This secure layer contains verification mechanisms that ensure the radio reconfigurations compliance with the security policies.
Proactive defense in cybersecurity refers to the measures and strategies designed to prevent a potential cyber threat to assets and systems before they can cause harm.
By taking a proactive approach in space systems, New Space companies can better protect themselves against potential cyberattacks and minimize the impact of any security breaches that do occur.
Proactive defense in space systems may include measures like:
- Risk assessments
- Vulnerability management
- Patch management to apply software patches and updates with the aim to fix flaws and vulnerabilities
- Threat modeling by identifying potential threats and attack vectors
- Attack surface management
- Endpoint protection with behavioral analysis and machine learning capabilities
- Security awareness training for space system operators to educate potential space security risks and best practices
- Offensive security assessments including pentest and red team campaigns to apply an adversarial approach and determine the weaknesses in the space system components.
A proactive approach can help to ensure the safe and effective operation of space-based assets and systems and can also help to maintain the integrity of critical space-based infrastructure.
Reactive defense refers to the approach of responding to cyber threats and attacks after they have already occurred.
The reactive cyber defense measures may include:
- Forensic analysis to determine the root cause of a security incident after it has occurred
- Security Information and Event Management (SIEM) solutions to collect, analyze and respond to security events and alerts from various sources within the space system components
- Incident response with the development of plans and procedures to respond to security incidents, such as a data breach or a cyberattack on a satellite or ground station
- Disaster recovery plan.
A reactive approach is very important to minimize the damage caused by a cyberattack and restore normal operations as quickly as possible.
However, by combining proactive and reactive defense measures, space industry actors can create a comprehensive security strategy that addresses both the prevention and response to cyberattacks.
Identity and access management
Identity and access management (IAM) for space assets is an essential measure to improve security posture and streamline how users and consumers access resources and services.
In the ground segment, command and control centers require IAM controls.
Ground station components like the payload control station, flight control station and SDR need to be secured by strict access control policies.
Regarding space vehicles, access control needs to be implemented for SDR, data handler and flight computer components to authorize only legitimate users to access sensitive data and satellite commands.
Space industry actors need to adopt an identity and access management strategy as a part of building an enduring security program using a zero trust approach so that they can:
- Establish a state of least privilege so no user has any more access than what’s needed
- Verify continuously, as users access data and tools
- Always assume a breach.
Signal authentication is one of the essential mechanisms that can protect satellite communication from attacks like jamming, eavesdropping or spoofing.
Most of the satellites use broadcast flow to send data downlink to the ground station — GNSS data is one such example.
According to research developed by Qascom company, the GNSS Authentication protocols can be categorized into three domains: data level, signal Level, and hybrid level.
Data level authentication
In data level authentication schemes, we talk about cryptography.
To ensure the integrity, authentication and non-repudiation of exchanged data, we need a broadcast data authentication scheme.
The simplest broadcast data authentication schemes are based on message authentication codes (MACs), which provide data integrity and data authentication, and digital signatures (DSs), which address integrity, authentication and non-repudiation.
These schemes include three main families: block hashing, hash chaining and MAC-based source authentication schemes.
Timed Efficient Stream Loss-Tolerant Authentication (TESLA) is an example of an authentication protocol using MAC-based source authentication schemes. TESLA protocol is known for its robustness to Denial-of-Service attacks.
Navigation Message Authentication (NMA) is also a concept of data-level authentication introduced in 2005 to provide authenticity and integrity to the navigation message stream.
Signal level authentication
Signal level schemes refer to the spread of spectrum signal properties. Leveraging these signal level schemes, it’s hard for an attacker to demodulate the signal without knowledge of the secret code.
Spread spectrum security codes (SSSCs) and signal authentication sequences (SAS) are schemes that were proposed as signal level authentication.
Hybrid level authentication
Hybrid authentication is a solution that combined both data and signal level authentication. Hence, the concept of supersonic codes is introduced.
The supersonic codes are block ciphered and in code phase with open codes, and the same code is repeated for a predefined security period. This allows direct authentication without time dependency, as opposed to stream-cipher-based solutions.
The protocol focused to deliver a very fast authentication scheme that does not require time knowledge.
The supersonic authentication scheme is robust against known GNSS attacks such as spoofing and replay.
Quantum key distribution
Quantum Key Distribution (QKD) is an emerging technique that relies on the unique properties of quantum mechanics and provides tamper-evident communication used to deploy new cryptographic keys with unconditional post-quantum security and without direct physical contact.
In 2016, China launched a satellite-based quantum cryptography: Micius Satellite.
The satellite had successfully demonstrated the feasibility of satellite-based quantum cryptography and has been used for communication between a fiber-based QKD backbone and remote areas of China.
Post-Quantum Cryptography (PQC) is an alternative approach to secure communication and data exchange between satellites and ground stations. Unlike QKD, PQC uses cryptography and mathematical calculation to develop secure cryptosystems for both classical and quantum computers.
In July 2022, The US National Institute of Standards and Technology (NIST) announced the first quantum-safe cryptography protocol standards for cybersecurity in the quantum computing era.
In 2016, contenders from all over the world submitted 69 cryptographic schemes for potential standardization. NIST later narrowed down the list of candidates over three stages, eventually shortlisting seven finalists — four for public key encryption and three for digital signatures. At the end of a six-year-long process, three of the four chosen standards were developed by the IBM team, in collaboration with several industries and academic partners. They include the CRYSTALS-Kyber public-key encryption and the CRYSTALS-Dilithium digital signature algorithms, which were chosen as primary standards. The Falcon digital signature algorithm was chosen as a standard to be used in situations where the use of Dilithium would be space prohibitive.
Security protocols and standards
As discussed earlier in this series, satellite communications are very exposed to adversary cyberattacks. Many errors and vulnerabilities exist and have been exploited.
Security against communication attacks has become a major issue. The need for safe and correct communication protocols is necessary.
The Consultative Committee for Space Data Systems (CCSDS) has developed a recommendation standard for the Space Data Link Security Protocol (SDLS).
The CCSDS protocols were developed specifically for space use tackling the use of packet telemetry.
The SDLS Protocol is a data processing method for space missions that need to apply authentication and/or confidentiality to the contents of transfer frames used by Space Data Link Protocols over a space link. The Security Protocol is provided only at the data link layer (Layer 2) of the OSI Basic Reference Model.
The purpose of the Security Protocol is to provide a secure standard method, with associated data structures, for performing security functions on octet-aligned user data within Space Data Link Protocol transfer frames over a space link.
Regarding CubeSats, a communication implementation in open source is preferable. CubeSat Space Protocol (CSP) is a lightweight, small network-layer delivery protocol designed for CubeSats communications. CSP ensures encryption and integrity.
The National Institute of Standards and Technology published in December 2022 an interagency report (NIST IR 8401): a cybersecurity framework for the satellite ground segment of space operations.
The purpose of this framework is to assist the operators of the commercial ground segment in providing cybersecurity for their systems, managing cyber risks, and addressing the Space Policy Directive 5 (SPD-5) goals for space cybersecurity. SPD-5 is the nation’s first comprehensive cybersecurity policy for space systems.
The development and deployment of space technology in the New Space age bring with it a new set of cybersecurity challenges. With the increasing number of satellites and spacecraft being launched, it is essential that we ensure their secure design, operation and communication to prevent cyberattacks that could compromise sensitive data or disrupt satellite services.
Looking forward, the future development of New Space technology holds great promise, with the potential for even more significant discoveries and advancements in various areas. So, what are the future development areas and challenges for the New Space industry? The next article in this series will bring the answer to that question.