With cyberattacks becoming a reality against the space sector's infrastructure in 2022, two groups are aiming to get ahead of future attacks by creating framework initiatives.
The goal of the frameworks is to better understand not only potential threats — in terms of the traditional tactics, techniques, and procedures (TTPs) applied to the space sector — but also to help companies and government agencies create countermeasures against attacks targeting satellites and spacecraft.
On Jan. 3, the US National Institute of Standards and Technology (NIST) and the MITRE Corp., which is also a government contractor, released a version of the NIST Cybersecurity Framework tailored to the ground-based portion of the space sector. The NIST publication complements another effort by nonprofit government contractor The Aerospace Corp., which created in October the Space Attack Research and Tactics Analysis (Sparta) matrix, a version of the MITRE ATT&CK framework applied to threats against space-based infrastructure.
Cyberattacks Are Now Targeting Satellites
Early in 2022, the FBI and CISA warned that attacks against satellite ground-based and space-based infrastructure could become a reality — and it soon did. The year saw nation-state operations targeting Viasat and SpaceX's Starlink satellites, and forcing governments and aerospace companies to create defenses against the attacks.
In the early days of Russia's invasion of Ukraine, for example, Russia-aligned hackers targeted the ground-based segment of Viasat's satellite communications network, taking Internet modems offline throughout Europe. Soon after, Russia also targeted the distributed satellite Internet service Starlink, according to government officials and SpaceX CEO Elon Musk, which has been critical for providing the Ukraine war effort with Internet connectivity.
"Starlink has resisted Russian cyberwar jamming & hacking attempts so far, but [attackers are] ramping up their efforts," Musk stated on Twitter last May.
In November, Starlink was in the crosshairs again, with Russia-linked Killnet APT targeting it with a DDoS campaign that made the service inaccessible for several hours.
As a corollary, satellites have also become proposed targets of non-cyberattacks as well. In the most recent example, Chinese researchers proposed a 10 megaton nuclear blast 50 miles from the Earth's surface as a way to disable Starlink satellites that pass through the radioactive cloud.
Computers, Not Lost in Space
Cyberattackers in this arena are far more likely to be advanced persistent threats (APTs) sponsored by nation-states — often looking to disable satellites and spacecraft. But much of today's ground-based satellite infrastructure uses common computer and communications technologies, which could open the door to other players.
The similarities allow attackers to more easily exploit the systems underpinning satellite systems, while the complex supply chain makes the infrastructure easier to attack, Neil Sherwin-Peddie, head of space security for defense and government contractor BAE Systems Digital Intelligence, stated in a recent column for Dark Reading.
"Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections," he wrote. "These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals."
The attack on Viasat consisted of two components and underscores that known attack methods can be tailored to ground-based and space-based satellite systems.
First, the attackers exploited "a misconfiguration in a VPN appliance to gain remote access" to the ground-based network, according to a Viasat advisory. The attackers then discovered and compromised the management network for the satellite network and issued commands to the ground-based modems.
"Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable," the company stated.
These commands performed functions similar to a wiper attack, overwriting critical data to disrupt operations, a common approach in cyber-physical attacks, according to a subsequent analysis performed by independent cybersecurity researcher Ruben Santamarta.
New attack vectors are looming for the future, as well.
"We will see more automation on the spacecraft, and therefore we will need more on-board autonomous cyber protection," says Brandon Bailey, a senior project leader for the Cyber Assessments and Research Department at The Aerospace Corp. "This means integrating items like segmentation, authentication, encryption, and intrusion detection [and] prevention on-board the spacecraft will be a must in the future."
Frameworks Cover Both Ground & Space
The NIST Cybersecurity Framework for the Satellite Ground Segment (NIST-IR-8401) builds on a common approach to cyber-defense that includes five major functions: the identification of assets and their cyber-risks, the development of technologies and procedures to protect those assets, the capability to detect attacks, the infrastructure needed to respond to any incident, and the ability to recover from attacks.
"The ground segment is becoming more interconnected and cloud-based ground infrastructures, however legacy space operations and the space vehicles themselves use custom software and hardware that was not generally created to be part of a modern highly interconnected cyber-ecosystem," NIST-IR-8401 states. "This can be especially problematic with legacy components that may have been created prior to the development of security best practices or that use obsolete security measures."
The Sparta framework aims to cover cyberattacks on the space-based components, such as satellites, spacecraft and other systems. The framework will grow and change as the field evolves and the TTPs used by attackers change, says Bailey of The Aerospace Corp.
"Cyber on the spacecraft side is relatively new field; therefore, as vulnerabilities — like PCSpoof — are disclosed, we will add TTPs and countermeasures," he says. "We also intend on working with the Space ISAC, and as it matures ... we will incorporate threat information and TTPs that are identified."