Satellite Cybersecurity Operations and Defense
Introduction
The cybersecurity threat to satellites will continue to increase as state-sponsored hackers, criminal organizations, terrorists, and individual hackers and hacking groups seek to disrupt satellite networks for espionage, financial gain, or political objectives, to create disorder, or to acquire fame among other hackers. Establishing a strong defense against these threats requires a holistic approach that addresses the different aspects of cybersecurity throughout the satellite control system, including computer network security, physical security, personnel security, and satellite production supply chain security. All of these system components create an opportunity for hackers to attack a satellite network. This report will examine how hackers have attacked satellite control networks and discuss priorities and recommendations for defending against this threat.
Current Threats
Hacking components of satellite networks has been an ongoing threat for many years. There have been several documented cases of cyberattacks targeting satellite control networks, personnel, technology, and infrastructure.[i], [ii], [iii], [iv], [v], [vi], [vii], [viii], [ix]
- 2003 – 2006: Cyber espionage believed to be originating from Chinese People’s Liberation Army networks targeted NASA and other government and industry networks to gain access to data on US space systems.
- 2006: In congressional testimony, Lieutenant General Robert Kehler stated military communications over commercial SATCOM were interfered with 50 times during a 16-month period, including five attacks by hostile jamming sources targeting the satellite uplink signal in Southwest Asia using a continuous wave carrier signal.
- 2007: The Tamil Tigers in Sri Lanka broadcast propaganda on Intelsat satellites.
- 2007: Hackers gained control of the NASA Terra EOS AM-1 satellite for two minutes on June 20th.
- 2007: Hackers gained access to the Landsat-7 satellite in October of 2007.
- 2008: Hackers gained access to the Landsat-7 satellite in July of 2008.
- 2008: Hackers again gained control of the NASA Terra EOS AM-1 satellite, this time for nine minutes.
- 2008: Hackers were able to upload a Trojan horse access program onto the International Space Station through infected Johnson Space Center mission control computers.
- 2009: 39 professors, electricians, truckers, and farmers were arrested in Brazil after using amateur equipment to hijack US Navy UHF satellite frequencies.
- 2012: North Korea jammed GPS signals affecting over 300 commercial aviation flights.
- 2013: Hackers took over Montana and Michigan TV station emergency alert systems and broadcast false zombie invasion alerts by gaining access to satellite and/or internet communications.
- 2013: Iraqi military forces used at least six GPS jamming devices to disrupt coalition satellite navigation and targeting systems.
- 2014: Chinese hackers gained access to the National Oceanic and Atmospheric Administration, disrupting dissemination of National Weather Service satellite data for two days while network administrators secured the network against further intrusions.
- 2014: Cybersecurity expert Ruben Santamarta demonstrated critical cybersecurity vulnerabilities in ten types of military and industry SATCOM terminals at the DEFCON hacker convention.
- 2016: NASA documented 1,484 “cyber incidents” targeting the agency through attacks based from websites as well as stolen or lost NASA computer devices.
- 2016: North Korea again jammed GPS signals near South Korea, disrupting navigation systems in 58 planes and 52 ships using equipment reportedly acquired from Russia.
- 2017: Chinese security researchers from the National University of Defense Technology in Changsha, China developed an inversion attack technique to decrypt GMR-2 encrypted satellite phone communications by recovering the 64-bit encryption key from the 3.3GHz satellite stream.
- 2018: A cyber espionage operation by Chinese hackers was discovered to be targeting US and Southeast Asia satellite, telecom, and defense organizations.[x]
These attacks are probably not the only intrusions to have occurred. Skilled hackers have likely gained additional unauthorized access to satellite control systems without being detected. Accordingly, it’s essential to understand the particular vulnerabilities in satellite control networks.
Satellites and their control networks are vulnerable to a variety of cyberattacks and intrusions. Mr. Martin Rutishauser, an authority on penetration testing and satellite cybersecurity, detailed ten categories of satellite vulnerabilities at the Hashdays Security and Risk Conference 2012 in Lucerne, Switzerland. These vulnerabilities range from innocuous tracking and monitoring of satellite orbits through actual physical destruction of a satellite:[xi]
- Tracking: Orbital monitoring over web data and software
- Listening: Unauthorized intercept of transmission using equipment, frequencies, and locations
- Interacting: Communicating with a satellite using protocols and authentication
- Using: Taking control of a satellite or a telemetry, tracking, and command network to control satellite functions, take orbital pictures, or transmit video or audio
- Scanning/attacking: An anonymous proof of concept explained by Leonardo Nve Egea showing the possibility of scanning, denial-of-service, and spoofing
- Breaking: Exploiting weaknesses in old technologies, i.e. X.25 and GRE
- Jamming: Jamming satellite frequencies
- Mispositioning/Control: Transponder spoofing, direct commanding, command replay, or insertion after confirmation but prior to execution
- Grilling: Activating all solar panels when exposed to sun to overcharge the energy system
- Collisioning: Changing the orbit of a satellite to collide with another object or deorbit the satellite
These vulnerabilities can be exploited by hackers if satellite control networks are not properly secured against cyberattacks. Although comprehensive cybersecurity is essential to protect satellite control networks, a prioritized approach should be implemented to defend against the most pressing and likely threats in conjunction with creating a comprehensive cybersecurity plan to defend against all threats.
Satellite Cybersecurity Priorities
Among the many threats targeting satellites and their control networks, non-kinetic cyberattacks including jamming communications and hacking into satellite control networks are the most significant and prolific threats.[xii] Defending against these primary threats should be the first priority in developing and implementing cyber defense strategies by using anti-jamming, encryption, and network security tools, technology, and techniques to counter these threats while working with external organizations to collectively pool knowledge and resources regarding the dynamic threat.
Anti-Jamming: US Army Major General Peter Gallagher, Director of Architecture, Operations, Networks, and Space for the Army Chief Information Officer emphasized the importance of protecting satellite communications against jamming during discussions at the MilSatcom USA Conference on June 29th, 2017. “The biggest thing that we need is protected satcom, anti-jam capability, in the future. Anticipating future threats and making sure we address them, I think that’s the most critical thing.” [xiii] Accordingly, current space systems need to be evaluated for suitability for upgrading anti-jamming capabilities and future systems must have anti-jamming capabilities included as part of their design.
Encryption: The Chatham House satellite cybersecurity report, “Space, the Final Frontier for Cybersecurity” notes the primary need for encryption in space systems. The report asserts that although it is not a comprehensive solution to counter every potential threat, the use of secure encryption is considered to be the best defense for space systems.[xiv] The challenge, though, is how to get cybersecurity added to control systems that are already in place on the ground and into satellites in orbit. Patricia Lewis, a research director at Chatham House explained “A large part of the critical infrastructure is sitting up there and not a lot can be done about it – it’s very old technology and it has never had any cyber protection built in. So the big question there is how much can they be retrofitted and what happens going forward.”[xv]
Cybersecurity companies are solving this problem by developing software and hardware solutions that can be retrofitted into existing networks and be a core component in the design of new networks. The cybersecurity company Fornetix has invented an encryption key management system called Key Orchestration that can dynamically distribute encryption keys throughout existing networks. This dynamic encryption capability provides an exceptionally strong layer of cyber defense that can be rapidly changed to protect networks against repeated cyberattacks.
Network Security: State-supported, criminal, and non-state hackers are adept at penetrating networks and infecting systems with viruses and ransomware. Brian Teeple, the Deputy Chief Information Officer for Command, Control, Communications, and Computers (C4) and Information Infrastructure Capabilities at the Department of Defense stated “The need for [network cybersecurity] protection is important because adversaries can attack any point in a system. It comes down to ‘what is the weakest link? What are they going to go after?’ You have to start looking at terminals and user equipment like they’re computers. There are cyber vulnerabilities and we’ve got to get cyber protections in place.”[xvi] This weakest link was echoed by Lisa Forte, founder of Red Goat Cybersecurity, when she highlighted the vulnerability of equipment in satellite ground stations, supply chains, and staff that will be actively targeted by hackers employing increasingly sophisticated cyberattacks, social engineering, and new artificial intelligence (AI) hacking tools on a massive scale.[xvii]
It is vital for network managers to anticipate both deliberate cybersecurity attacks as well as unintentional infections from authorized users unwittingly exposing networks to viruses via infected e-mail attachments, malicious websites, and improperly sanitized removable media from office and home computers. The STUXNET virus in Iran and the agent.btz virus on US CENTCOM military computers spread through systems lacking adequate and current security.[xviii] Satellite control networks need to be isolated from connections to external networks and require layered defenses that presume cyberattacks and unintentional exposure to viruses by authorized users will occur. Moreover, steps need to be taken to ensure network system suppliers are not providing components that have cyber vulnerabilities or surreptitiously pre-installed malicious software. Hughes Network Systems, for example, is a satellite production company that vets suppliers that use components from sources that have been identified as potential threats by the US government.[xix] Intelsat also works with independent cybersecurity companies to analyze hardware and software sold by suppliers in order to ensure no cyber vulnerabilities exist in the components being sold.[xx]
Cooperative Agile Cyber Defense: No single organization can find, fix, and fight all cybersecurity threats. The threat changes too quickly and different threats appear at different locations. Accordingly, organizations need to work with cybersecurity teams outside their own organizations and exchange threat information among these external organizations. Enlisting certified cybersecurity penetration teams from outside an organization who know about satellite control systems and can conduct independent security risk assessments is an essential and continuous requirement to ensure networks maintain strong security.[xxi] In addition, Inmarsat shares cybersecurity threat information with a variety of organizations including not only business partners, government agencies, and suppliers but also industry competitors.[xxii] Similarly, industry can work with government and law enforcement agencies that have resources and information available to assist organizations to stay informed of the latest threats.[xxiii] Working with outside organizations to conduct network security testing and share the latest threat information leverages larger sources of current cybersecurity knowledge to better protect an organization’s network.
Recommendations
Based on the current space cybersecurity threat as identified by experts from industry, military, and government, Intelliwings recommends considering the following actions:
Implement an immediate security review:
- Ensure no direct connection between satellite control network systems and the Internet. The satellite control systems should exist on a closed network isolated from the Internet.
- Disable USB ports and removable media drives – including but not limited to DVD, CD, portable hard drives, SDHC ports, etc. – on satellite control systems with the exception of a select number of computers under strict and logged control of trained network security officers authorized to conduct air gap transfer of mission-essential virus-scanned files from external networks to satellite control systems.
- Permanently disable wireless connectivity such as Wi-Fi, Bluetooth, and cellular data communications for all system devices on the satellite control network.
- Use the most current operating systems commercially available; do not use legacy operating systems such as Windows XP with outdated security vulnerabilities.
- Ensure all security firewall, antivirus, software, and operating system updates are installed.
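One way to run the five review items above against a host inventory, as an added example that is not part of the original report. The JSON schema, host names, finding codes, and the transfer-station limit are assumptions made for illustration.

```python
import json

# Constructed inventory export; the schema and host names are hypothetical.
SAMPLE_INVENTORY = """[
 {"host": "ctl-ops-01", "internet_route": false, "removable_media_enabled": false,
  "transfer_station": false, "media_transfer_logged": false,
  "wireless_enabled": [], "os_vendor_supported": true, "pending_updates": 0},
 {"host": "ctl-ops-02", "internet_route": true, "removable_media_enabled": true,
  "transfer_station": false, "media_transfer_logged": false,
  "wireless_enabled": ["wifi", "bluetooth"], "os_vendor_supported": false,
  "pending_updates": 14},
 {"host": "xfer-01", "internet_route": false, "removable_media_enabled": true,
  "transfer_station": true, "media_transfer_logged": true,
  "wireless_enabled": [], "os_vendor_supported": true, "pending_updates": 0},
 {"host": "xfer-02", "internet_route": false, "removable_media_enabled": true,
  "transfer_station": true, "media_transfer_logged": false,
  "wireless_enabled": [], "os_vendor_supported": true, "pending_updates": 0}
]"""

MAX_TRANSFER_STATIONS = 2  # assumed site limit for "a select number of computers"


def audit_host(rec):
    """Return the review items this host fails, as short finding codes."""
    findings = []
    if rec["internet_route"]:
        findings.append("INTERNET_ROUTE")
    if rec["removable_media_enabled"]:
        # Removable media is only acceptable on a designated, logged transfer station.
        if not rec["transfer_station"]:
            findings.append("REMOVABLE_MEDIA_ON_NON_TRANSFER_HOST")
        elif not rec["media_transfer_logged"]:
            findings.append("TRANSFER_STATION_NOT_LOGGED")
    for radio in sorted(rec["wireless_enabled"]):
        findings.append("WIRELESS_ENABLED:" + radio)
    if not rec["os_vendor_supported"]:
        findings.append("UNSUPPORTED_OS")
    if rec["pending_updates"] > 0:
        findings.append("MISSING_UPDATES:%d" % rec["pending_updates"])
    return findings


def audit_inventory(inventory_json):
    """Audit every host; a missing field is reported, never assumed compliant."""
    report = {}
    stations = 0
    for rec in json.loads(inventory_json):
        try:
            report[rec["host"]] = audit_host(rec)
        except KeyError as missing:
            report[rec.get("host", "<unnamed>")] = ["MISSING_FIELD:" + missing.args[0]]
        stations += bool(rec.get("transfer_station"))
    if stations > MAX_TRANSFER_STATIONS:
        report["<site>"] = ["TOO_MANY_TRANSFER_STATIONS:%d" % stations]
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "OK" if not findings else ", ".join(findings))
```
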
Conduct a security policy and operations review:
- Identify organizational requirements for anti-jamming, encryption, network security, and cooperative agile cyber defense
- Meet with encryption key management companies to identify new software solutions that can be implemented on satellite control systems, satellite systems already in orbit, and on hardware systems that can be included in future launch systems. The Key Orchestration cybersecurity technology by Fornetix enables enterprise-wide encryption key management that can be dynamically updated to secure communications among all system devices.[xxiv]
- Implement a system-wide security control regimen such as the CIS Control Protocol developed by The Center for Internet Security.[xxv]
- Establish relationships to exchange cybersecurity information with international cybersecurity groups, governments, and law enforcement agencies to share data on the latest cyber threat organizations, intrusion techniques, and defenses. The US Department of Homeland Security and the International Cyber Security Protection Alliance are two of many organizations that promote sharing cybersecurity information and resources.
- Partner with internationally certified White Hat hackers and penetration testers to continuously probe networks for weaknesses.
Conclusion
Planning for security at the inception of system design is absolutely essential to maximize defenses against the ever-growing cyber threat and it also avoids potentially millions of dollars of added expenses that organizations will incur when adding cybersecurity as an afterthought.[xxvi] Although senior officials responsible for protecting satellite control systems have emphasized the primary importance of anti-jamming, encryption, network security, and cooperative agile defense in satellite systems, it’s necessary to expand from these core components of satellite cybersecurity and ensure a comprehensive and holistic approach is implemented to promote cybersecurity in all aspects of network, physical, personnel, and satellite production supply chain security.
Cybersecurity is a core priority. This mindset needs to be shared by all team members involved in satellite operations, from initial design through end users, to ensure the safety and security of the system. The threat against the system is real, but organizations can successfully defend against this dynamic threat when given the resources and training necessary and in active and continuous cooperation with internal and external network cybersecurity experts and organizations.
The report was prepared by Intelliwings, LLC. For additional information, please contact info@intelliwings.com.
The following sources are recommended for additional research and information:
- Mr. Martin Rutishauser’s satellite cybersecurity presentation, “Satellite Hacking: An Introduction”, Presentation Slides and YouTube Presentation
- US Air Force Major Stephen Bichler’s report, “Mitigating Cyber Security Risks in Satellite Ground Systems”
- The Chatham House report, “Space: The Final Frontier for Cybersecurity?”
Endnotes
[i] Paganini, Pierluigi. “Hacking Satellites … Look Up to the Sky”, Infosec Institute, http://resources.infosecinstitute.com/hacking-satellite-look-up-to-the-sky/, September 13, 2013.
[ii] Bichler, Stephen F. “Mitigating Cyber Security Risks in Satellite Ground Systems”, Air Command and Staff College, Air University, Maxwell Air Force Base, Alabama, www.dtic.mil/dtic/tr/fulltext/u2/1012754.pdf, April 2015.
[iii] Flaherty, Mary Pat; Samenow, Jason; and Rein, Lisa. “Chinese Hack U.S. Weather Systems, Satellite Network”, The Washington Post, https://www.washingtonpost.com/local/chinese-hack-us-weather-systems-satellite-network/2014/11/12/bef1206a-68e9-11e4-b053-65cea7903f2e_story.html, November 12, 2014.
[iv] Newcomb, Alyssa. “Hacked in Space: Are Satellites the Next Cybersecurity Battleground?”, NBC News, http://www.nbcnews.com/storyline/hacking-in-america/hacked-space-are-satellites-next-cybersecurity-battleground-n658231, October 3, 2016.
[v] Syeed, Nafeesa. “Outer-Space Hacking a Top Concern for NASA’s Cybersecurity Chief”, Bloomberg, https://www.bloomberg.com/news/articles/2017-04-12/outer-space-hacking-a-top-concern-for-nasa-s-cybersecurity-chief, April 12, 2017.
[vi] Ibid, Bichler, page 16.
[vii] Rogin, Josh. “The Top 10 Chinese Cyber Attacks (That We Know of)”, Foreign Policy, http://foreignpolicy.com/2010/01/22/the-top-10-chinese-cyber-attacks-that-we-know-of/, January 22, 2010.
[viii] Khandelwal, Swati. “Satellite Phone Encryption Calls Can be Cracked in Fractions of a Second”, The Hacker News, http://thehackernews.com/2017/07/satellite-phone-encryption.html, July 10, 2017.
[ix] Evans, Steven. “North Korea ‘Jamming GPS Signals’ near South Border”, BBC News, http://www.bbc.com/news/world-asia-35940542, April 1, 2016.
[x] “Significant Cyber Incidents”, https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity, 2019.
[xi] Rutishauser, Martin. “Satellite Hacking: An Introduction”, DefCon Switzerland HashDays Security & Risk Conference 2012, Lucerne, Switzerland, https://www.indianz.ch/download/IndianZ_SatelliteHacking.pdf, October 31, 2012 – November 3, 2012. Mr. Rutishauser’s complete satellite cybersecurity presentation is also viewable on YouTube at https://www.youtube.com/watch?v=xIsG8GpB67A.
[xii] Daniels, Jeff. “Space arms race as Russia, China emerge as ‘rapidly growing threats’ to US”, CNBC, http://www.cnbc.com/2017/03/29/space-arms-race-as-russia-china-emerge-as-rapidly-growing-threats-to-us.html, March 29, 2017.
[xiii] Swarts, Philip. “Satcom’s Top Priority Should be Better Protection, Experts Say”, Space News, http://spacenews.com/satcoms-top-priority-should-be-better-protection-experts-say/, July 5, 2017.
[xiv] Livingstone, David and Lewis, Patricia. “Space, the Final Frontier for Cybersecurity?”, page 14, Chatham House, The Royal Institute of International Affairs, International Security Department, https://www.chathamhouse.org/sites/files/chathamhouse/publications/research/2016-09-22-space-final-frontier-cybersecurity-livingstone-lewis.pdf, September 2016.
[xv] Burgess, Matt. “Hackers Targeting Satellites Could Cause ‘Catastrophic’ Damage”, Wired, http://www.wired.co.uk/article/satellites-vulnerable-hacking-chatham-house, September 22, 2016.
[xvi] Ibid, Swarts.
[xvii] Holmes, Mark. “Cyber Expert Lays Out Threat to the Satellite Industry”, Satellite Today, http://interactive.satellitetoday.com/via/june-2018/cyber-expert-lays-out-threat-to-the-satellite-industry/, May 2018.
[xviii] Ibid, Bichler, page 14.
[xix] Werner, Debra. “Who’s Keeping Satellites Safe from Cyberattacks?”, SpaceNews.com, http://spacenews.com/whos-keeping-satellites-safe-from-cyberattacks/, April 19, 2017.
[xx] Ibid, Werner.
[xxi] Ibid, Bichler, page 25.
[xxii] Werner, Debra. “Protecting Satellites from Cyber Attacks Isn’t Getting Any Easier”, SpaceNews.com, http://spacenews.com/protecting-satellites-from-cyber-attacks-isnt-getting-any-easier/, March 9, 2017.
[xxiii] Pomerleau, Mark. “When it Comes to Cybersecurity, the Satellite Industry Stands Out”, C4ISRNET, http://www.c4isrnet.com/special-reports/satcom/2017/03/08/when-it-comes-to-cybersecurity-the-satellite-industry-stands-out/, March 8, 2017.
[xxiv] Fornetix Key Orchestration, https://www.fornetix.com
[xxv] Center for Internet Security, https://www.cisecurity.org
[xxvi] Lockheed Martin was awarded a $15 million contract on 15 March 2017 to improve the cybersecurity of US Air Force Space-Based Infrared System (SBIRS) ground system components. Swarts, Philip. “Lockheed Martin wins $15 million modification for SBIRS contract”, SpaceNews.com, http://spacenews.com/lockheed-martin-wins-15-million-modification-for-sbirs-contract/, March 15, 2017.