October is National Cybersecurity Awareness Month, but at Space Systems Command, cybersecurity is top of mind every day, officials said.
That’s because protecting the nation’s space assets — and the capability they bring to bear — is critical.
“Computers are a part of our daily life,,” said Colonel Louis P. Melancon, director of intelligence at SSC. “I can’t think of many people who don’t touch the cyber domain in some form as they go about their day. Every day, we all touch the cyber domain; every day we all touch space. These are two domains that are intertwined and they are absolutely critical to the U.S. way of life.”
Satellites provide everything from GPS to communications to the position, navigation and timing (PNT) used to make financial transactions possible, and the United States’ adversaries are well aware of the financial, defensive and economic advantages unfettered access to space has given the nation.
“Both Russia and the People’s Republic of China pose very real cyber threats to the United States,” Melancon said.
Colonel Jennifer M.
“I think civilians have seen glimpses of cyber- attacks and their consequences — think of ransomware on the oil pipelines, identity theft, internet payment fraud, etc. — but maybe don’t fully appreciate the catastrophic scale and impact in their lives if an attacker were successful in taking down our space and terrestrial systems,” said Col. Jennifer Krolikowski, SSC chief information officer. “What if GPS went down? Sure I’d have to get a physical map to figure out getting from point A to point B again, but it’s also tied to the global banking industry and how that affects access to our money.”
The Colonel added, “What if the power grid was taken down because of exploitations realized in the cyber domain? Sure I’d have to light a candle to see at night, but how would that affect folks in a hospital? I don’t want to give off the impression that it’s all doom and gloom, but this is why we focus on making systems secure, and having that mindset continuously from development, into, and through operations — so we don’t have to experience the results of that catastrophic attack.”
“At SSC, we aren’t developing space capability for the sake of space capability,,,” Melancon said. “We need to deliver something that the Joint Force can use, and because of that, the threat is coming after us. (Our adversaries) see that the U.S. uses the space domain and the capabilities that SSC delivers to execute all of its warfare across the other domains: the U.S. Army, Navy, Marines, Air Force – can’t do everything that they do without what we generate from space.”
Within SSC, the Chief Information Office has a Cyber division with several functions, such as regulatory compliance (ATO/RMF), supply chain management, program protection, and vulnerability assessment including a future cyber-sector operations complex, crypto, intelligence- fusion, and cyber workforce development, Krolikowski said.
“A cardinal principle of cyber is ‘defense-in-depth,,,’” Krolikowski explained. “In that sense, the CIO strives to empower SSC and mission partners to facilitate their cyber missions. For instance, one of our Cybersecurity is a Critical Component of SSC’s Mission Program Executive Offices has a Space Domain Awareness/Combat Power division which focuses on Defensive Cyber for Space. They build agile software capable of logging and monitoring the entire ground- space-user-launch-crosslink ecosystem. Those operators will work beside our Space Operations Command warfighters, enabling cyber protection at the tactical edge.
“All of these efforts come together to try and protect our systems right from the start as part of the design and build instead of trying to bolt on later,” Krolikowski said. “It’s about our being proactive with security instead of reactive. We’re in a prolific era of cyberattacks and people trying to exploit vulnerabilities that we may have,” Krolikowski said. “I can see an increase in those trying to take advantage of the ultimate high ground space offers. As a result, there’s a heightened focus when it comes to our security posturing and how we are working to counter those types of threats.
“Of course, SSC implements military satellite (MILSAT) missions,” Krolikowski noted. “It spreads across positioning, navigation/timing, missile detection, ELINT/SIGINT, reconnaissance/mapping/cartography (land, wavetops, ocean floor), weather, radar/lidar/optical/infrared and other spectra.”
2022 SSC Cyber Expo
The Threat is Real!
Space Systems Command is focused on ensuring cyber and cybersecurity readiness and developing the innovating mindsets required to drive this mission.
Nov, 9-10, 2022 at SSC headquarters at Los Angeles Air Force Base. The event will be held at the Gordon Conference Center and the vendor expo will be in the Schriever courtyard.
This year's theme is The Threat is Real. Subject matter experts from SSC, government, industry partners, academia, and non-profit organizations will share knowledge and awareness to enhance SSC's cyber mission and focus areas.
Select virtual options will be available. However, in-person attendance is encouraged (virtual attendance instructions will be provided on the confirmation email after pre-registering).
She added, “A more recent addition is space surveillance; instead of looking around-and-down, we look around-and-up, including cislunar and beyond,” Krolikowski said. “Each of these has its own classified mission purpose, spectra/frequencies/bands, and warfighter orientation as related to other segments of MILSAT data. In addition, Artificial Intelligence and Machine Learning is engineered into the mix such that in a few years we will have orchestrated not only C2 but C5ISR in ways that frustrate, and demoralize, near-peer adversaries. SSC’s role is to listen to our Fieldcom requirements generation, and help them procure and pay for smart, survivable technology demonstrations, increasingly devised by commercial SATCOM thought leaders and space industrial base writ large.
“Taking all of this into account, we are very interested in exploring the commercial satellite industry,” Krolikowski said. “I believe in ‘buy before build’ for as many cases as we possibly can. If commercial space is readily available, secure enough, and can meet our use cases and outcomes, then it doesn’t make a lot of sense as to why we wouldn’t use these products and technologies.
“Commercial can help us accelerate getting to those outcomes versus our taking years to build the same thing,” Krolikowski said.
“In a lot of cases, commercial already has the capabilities in place, the infrastructure in place, and the maintenance and services there for us to digest and use. I do think there is still a place for government systems, but we can leverage commercial now and learn what to build on the government side to fill any gaps there may be.”
It’s important to think in terms of a spectrum of potential cyber threats, Melancon said. On one hand are the basic measures most people take to practice good cyber hygiene: don’t click suspicious links on emails, avoid going to questionable websites, being aware of and alert to phishing attacks, and be careful about what you post on social media.
There also are reversible and irreversible threats, Krolikowski said. “A threat that is reversible is one where, when realized, can be fixed, hopefully rather easily, and brought back to the originating state. So this could be something like someone denying access to a website because they found a way to exploit admin rights. As soon as that vulnerability is fixed, or patched, they website is made available again.
“A threat that is irreversible usually involves something being affected in a way it can’t get back to its original state,” Krolikowski said. “For example, say there is a system that has to operate at certain temperature. An attacker could infiltrate that system and trick it into thinking it’s cooler than it is. As a result, it doesn’t shut down when it starts to overheat and explodes. That system can’t go back to its original state and has suffered from an irreversible cyber-attack.”
It isn’t just cyberattacks on satellites or the ground systems that control and process the data from space — it also includes things such as the engineers working on new hardware and software prototypes and hardening protections when data moves from a secured U.S. Department of Defense network to one owned by a private industry partner, Melancon said.
“Each time you do that, you’re creating a new attack surface that a threat can go in to attempt to gain access, to gain information about the capabilities being developed or they may be doing it to do something more nefarious, like a denial-of-service attack,” Melancon said. “Broadly, anything with ones and zeros could be an attack surface. The point though, is to make it hard, or undesirable, for a hacker to exploit a vulnerability. This goes back into how you design and build a system in the first place. Are you writing secure code, are you putting controls in place to make accessing a system nearly impossible, are you patching on a continuous basis to plug holes, etc.? This is also why we are working hard at incorporating Zero Trust principles into our architectures - so we can reduce the ability to exploit.”
Recently, Major General Douglas Schiess said that U.S. Space Operations Command is assigning cybersecurity and intelligence specialists to work side-by-side with satellite operators so they’re better prepared to protect U.S. systems from electronic and physical threats.
“You can’t disentangle the two – we must use the cyber domain to communicate with our satellites and to operate those satellites,” Melancon said.
“The cyber domain must rely on the capabilities that space provides in order to exist. If we suddenly lost all the satellites — yes, there are some terrestrial linkages — but the amount of data that flows through would not be what everyone expects.” Intelligence analysts are needed to help interpret the data, Melancon said, quoting Ian Fleming, “Once is happenstance. Twice is coincidence. Three times is enemy action.
“Especially as you’re dealing with things that are highly dispersed – such as a space operator at a ground station, and they’re interacting with something hundreds to thousands of kilometers away, or zeros and ones zipping through the Ethernet – something unusual may happen, and you may attribute that to a flaw in the system or a bug. An intelligence analyst is looking at it through a slightly different lens.”
Captain Elijha J.
Captain Elijha J. Williams is SSC’s program manager for the Space Security Challenge, a portfolio of nontraditional projects that include Bug Bounties, in which testers search for vulnerabilities in software — the Hack- A-Sat challenge and other cyber and space exercises.
Hack-A-Sat is a competition sponsored by SSC and the Air Force Research Laboratory (AFRL), designed to inspire the world’s top cybersecurity talent to develop the skills necessary to help reduce vulnerabilities and build more secure space systems. Participants from more than 75 different countries have participated in the competitions to date, Williams said.
Now in its third year, the event has attracted 2,500 participants on 803 teams from around the world to compete in a series of challenges that will lead up to the final event that will occur from October 22nd. to the 23rd., featuring a digital twin of a satellite, running actual satellite software.
Teams will operate and defend their own space system while attacking opposing teams’ systems. The final event will award $50,000 to the winning team as well as a $30,000 second- place prize and a $20,000 third-place prize.
Space used to be solely the domain of government-funded space programs, and seen as largely secure, Williams noted. However, the commercial sector has become a key player and an important partner and as access to space has become easier and less expensive, cybersecurity is much more critical.
“Space is becoming more democratized and we want to make sure the assets we send up there are secure,” Williams said. “We do need to be careful to design our future systems to be as resilient and as cyber secure as possible. One way to do that is to build that alliance between our industry, academia and public partners and share the challenges we face today and some creative ways to solve those problems.”
The Hack-A-Sat competition generally begins with a qualifying event open to everyone, Williams said. Teams compete through a series of challenges, with the top 8 teams advancing to the final challenge.
At the annual DEFCON hacking conference, Hack-A-Sat has its own booth in the Aerospace Village to further educate the public about the real-world cyber challenges with regard to space.
Williams said the teams have had as few people as 10 on a team and as many as 60, with some competitors as young as 15 years of age. While many people are adept at and interested in the cyber side of the challenges, what makes the competition challenging is that it requires a diverse set of skills — including knowledge of satellite operations, radio frequency communications, astrophysics, reverse engineering, exploit development and vulnerability research, and not everyone has the space operations knowledge.
“You need the cyber SMEs (subject matter experts) who are fond of the binaries, crypto, forensic analysis, TCP IP protocols,,”Williams said, “but part of your team is going to need to be very keen on the space operations side – how to maneuver the satellite, what kinds of commands do you have to send to maybe get your vehicle back into safe mode, the two-body problems and telemetry in general.”
Next year’s competition will take it even further, featuring a capture-the-flag exercise of an actual satellite in space, Williams said. Moonlighter is a small cubesat — about 6 to 8 pounds in weight and about the size of a computer monitor — that will be launched into Low Earth Orbit (LEO) in March of 2023 to serve as a “cyber sandbox in space.”
“Moonlighter is going to be the platform for the final event, allowing the finalist teams to access that on-orbit satellite,” Williams said. “Not a flat satellite, not a digital twin — actually orbiting the Earth.