Five months after its launch, Space ISAC has convened a panel at the Cyber Symposium to discuss the challenges of bringing cybersecurity to space.
The nation’s only space-dedicated information sharing and analysis center, Space ISAC is based in Colorado Springs at the National Cybersecurity Center.
At the symposium, Space ISAC VP of Operations Erin Miller said the panel would address how the commercial and international space community can “work with the U.S. military to promote security of space-based assets.”
The Space ISAC panel also included Kevin Coggins, vice president of Cyber & Engineering with Booz Allen Hamilton, and Michele Gaudreault, deputy chief scientist with Air Force Space Command at Peterson AFB.
Supply chain risks
Coggins, who leads Booz Allen Hamilton’s positioning, navigation and timing service and previously directed the Assured PNT Cross Functional Team for the Army, explained how supply chain can pose a threat to the space mission.
Getting the best PNT outcomes for the Army requires digging into potential vulnerabilities in the supply chain, he said.
“It could be in ground control, it could be in a component in the space vehicle, it could be in a component in a piece of military hardware or commercial hardware where you’re receiving something from space,” he said. “As you peel that back, you start to ask questions: Where are the components made? Where does the atomic clock come from in some of these satellites? Is it a French atomic clock? Is it a U.S. atomic clock? Is it from some entity that you’re not really watching?”
It turns out that components for military satellites and commercial satellites come from all kinds of suppliers in the defense industrial base, as well as from international suppliers.
What’s more, Coggins said, “we’ve never really traced that through to figure out: How secure are their networks? How secure are their design teams? What kind of security protocols went in to make sure that — if they’re providing something that passes information — it’s secure enough for the system it’s going in?
“Often, you’re talking about the third- and fourth-tier suppliers — so it’s none. And the challenge [the Department of Defense] has is when we put a space asset up, it stays up for a long time. So we may have really good processes we’re putting in place today or next year, but that GPS satellite that has been on orbit for 10 years won’t see them.”
Think of your iPhone, Coggins said. Right there, you’re relying on a Russian GLONASS signal and two global navigation satellite systems — all three using open signals with zero protection.
“So you’ve got 100 percent trust on that signal coming into your device; your device is designed to accept it if it can receive it. When you start with that at the beginning of the equation, you really want to trace back through the supply chain now and understand, ‘What can cause the satellite to emit a signal that is not safe for my device?’” he said.
And if iPhones and Samsung devices seem irrelevant to military security, “how many of you guys think that soldiers, airmen and marines and sailors around the world are not using these commercial phones during a military mission?” Coggins asked. “When I was looking at GPS, I found everybody was using Garmins. Then you dig a little deeper — well, that picture I’ve got of a soldier using the Garmin was taken with an iPhone. And it’s easier for them sometimes to use the map on the iPhone than it is to use the map on the device we gave them, for whatever reason. …
“So you’ve got to understand how you’re really using it, and you start to trace back: The components I have, who checked the firmware on any of these chips, in the satellite, in the ground control, in my device, that’s tied to my ability to launch missiles on a target — or not launch missiles on a target at a critical time? Well, the short answer is for decades, we never looked at any of that.”
The Department of Defense is working hard now to trace supply chain risks in critical components and critical systems, Coggins said, but no one has the resources to go back and fix systems that’ll stay in place for the next 20 years. And as innovation and cost-cutting gather pace in the commercial space, there’ll be scant resources for weeding out future risks there, too.
Cyber risks in commercial systems
Gaudreault discussed the cybersecurity risks that arise when the military needs to tap into commercial satellites, networks, payloads and sensors.
“That is a big concern for us — we are concerned about the cybersecurity of commercial systems,” she said. “Leveraging existing commercial technology can really help decrease our acquisition costs or development costs, but it could increase our cyber vulnerabilities as well.”
Air Force Space Command is working closely with its commercial partners as they develop systems, encouraging them to “bake in that cybersecurity right from the start,” Gaudreault said. “That will help reduce their development costs, which in turn will help us reduce our costs and give us greater security.
“A lot of our unmanned aircraft that we fly, those control links often fly on the commercial Satcom [satellite communications],” she added. “And quite a bit of our routine communications traffic also flies over commercial Satcom, so those are two things that we’re really concerned about.”
To address the risk, military cyber mission teams are working to identify vulnerabilities on commercial Satcom, then sharing the information with the Air Force Space Enterprise Consortium so steps can be taken to mitigate the threat.
“And on the commercial side, you guys stood up the Space ISAC, which will help with the commercial aspect of that [information sharing and threat mitigation] so we’re very, very happy about that, because that will help our systems that go over the commercial side to be more secure,” Gaudreault said. “We’re really excited to see that and help support it in any way we can.”