Bailey DefendingSpacecraft 11052019


BRANDON BAILEY

Brandon Bailey is a cybersecurity senior project leader at The Aerospace Corporation. He has more than 14 years of
experience supporting the intelligence and civil space arena. Bailey’s specialties include vulnerability assessments/
penetration testing for space systems and infusing secure coding principles within the software supply chain. Before
joining Aerospace, Bailey worked for NASA, where he was responsible for building and maintaining a software
testing and research laboratory to include a robust cybersecurity range as well as spearheading innovative
cybersecurity assessments of ground infrastructure that support NASA’s mission operations. While at NASA, Bailey
was honored with several group and individual awards, including NASA’s Exceptional Service Medal for his
landmark cybersecurity work, NASA’s Early Career Achievement Award, and NASA Agency Honor Awards for
Information Assurance/Cybersecurity. He has also contributed to teams that received honorable mention in
NASA’s 2012 and 2016 Software of the Year competitions. Bailey graduated summa cum laude with a bachelor’s
degree in electrical engineering from West Virginia University and currently holds multiple certifications in the
cybersecurity field.

RYAN J. SPEELMAN
Ryan J. Speelman is the principal director for the Cyber Security Subdivision at The Aerospace Corporation, where
he is focused on the security of space-based systems. The organization he leads is involved in many layers of space
cybersecurity from legacy system protection to requirements and program development to advanced research and
development techniques. Prior to joining the Cyber Security Subdivision, Speelman spent more than a decade in
wireless communications, where he worked on many programs focusing on digital signal processing algorithms and
radio frequency–based electronic warfare. He holds both a bachelor’s degree and a master’s degree in electrical
engineering from UCLA.

PRASHANT A. DOSHI
Prashant A. Doshi is the associate principal director of the Cybersecurity Subdivision at The Aerospace Corporation.
Doshi has 15 years of experience supporting DOD, intelligence community, and civil space programs.
Doshi’s focus areas are the application of novel computing technologies to challenging space enterprise problems.
Doshi holds a bachelor’s degree and a master’s degree in electrical and computer engineering from Georgia Tech.

NICHOLAS C. COHEN
Nicholas C. Cohen is a member of the Cyber Defense Solutions Department at The Aerospace Corporation. He
contributes to national space cybersecurity in a range of areas, including defensive cyber operations, spacecraft
cybersecurity, software assurance, and penetration testing. He currently leads a team developing a toolkit called
Eirene Sceptre, which provides targeted space system cyber defense. Prior to joining Aerospace, Cohen operated
his own Internet service provider and learned how to defend servers against attackers on the Internet. Cohen has a
bachelor’s degree from Carnegie Mellon University, and a master’s degree in electrical and computer engineering
from Georgia Tech.

WAYNE A. WHEELER
Wayne A. Wheeler is a senior project leader in the Cybersecurity Subdivision at The Aerospace Corporation.
Wheeler has extensive experience leading space architectures development, with a focus on networks and cyber.
His recent research focuses on space systems resilience to a broad range of threats and on advanced cyber
protections for spacecraft.

ABOUT THE CENTER FOR SPACE POLICY AND STRATEGY


The Center for Space Policy and Strategy is dedicated to shaping the future by providing nonpartisan research and
strategic analysis to decisionmakers. The center is part of The Aerospace Corporation, a nonprofit organization that
advises the government on complex space enterprise and systems engineering problems.

The views expressed in this publication are solely those of the author(s), and do not necessarily reflect those of The
Aerospace Corporation, its management, or its customers.

Contact us at www.aerospace.org/policy or policy@aero.org


Summary

Space systems comprise many government and commercial components where cybersecurity and space operations are inextricably linked. The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyber threats to critical national infrastructure. Neither space policy nor cybersecurity policy is prepared for the challenges created by the meshing of space and cyberspace, especially for the spacecraft. With the emerging cyber threats to spacecraft from nation-state actors, additional spacecraft defenses must be implemented. Historically, spacecraft have been considered relatively safe from cyber intrusions; however, recent emerging threats have brought spacecraft into play as a direct target of an adversary. While space-centric cybersecurity standards and governance are lacking, utilizing defense-in-depth techniques for spacecraft protection will help ensure the spacecraft is resilient to a cyber intrusion. To meet the space cyber challenges, government, industry, and international action is needed. The way forward and potential solutions will include increased cooperation across all sectors and will require a blend of policy and technical solutions. This paper focuses on principles (e.g., onboard intrusion detection and prevention systems, hardware/software supply chain, and onboard logging) that aim to provide decisionmakers, acquisition professionals, program managers, and system designers alike with considerations while acquiring and designing cyber-resilient spacecraft.

Introduction

From commercial markets to militaries, the western world is dependent on space systems. This dependence has led nation-states to develop offensive capabilities targeting those systems.1 Although many emerging threats to space exist, this paper focuses on cyber for several reasons: the potentially high impact relative to cost, the ability to simultaneously target multiple missions, the difficulty of attribution, and the potential to reduce defensive reaction time. These reasons make a cyberattack on a spacecraft enticing to bad actors. Further complicating the problem is the increasingly intertwined nature of commercial and military assets. Nation-states and non-state actors alike are targeting space systems via cyber. As research and open source intelligence on the vulnerabilities of space systems increase, so do the attacks. In recent years, researchers have published proofs of concept attacking satellite communication and the Iridium satellite network.2,3 Abstaining from action is not an option, and it is necessary for all national critical space systems to be appropriately hardened against cyber threats.

The U.S. federal governance structure for general information technology (IT)-based cybersecurity has made strides in recent years with the maturation of the National Institute of Standards and Technology (NIST) Risk Management Framework and Cybersecurity Framework. However, the same cannot be said for the space domain. NIST cybersecurity maturity standards and guidelines help organizations to improve their cybersecurity measures and best practices, but these are not directly applicable to the space domain. While efforts have been made to mold these frameworks for space systems (e.g., Committee on National Security Systems [CNSS] Instruction [CNSSI] 1253F), uniformity is lacking, and updated standards and guidelines for spacecraft are likely warranted. There are pockets of initiatives across the space community that are addressing cybersecurity for space systems. A space system comprises four segments: space, ground, link, and user (see Figure 1), and cybersecurity protections should be applied to all four; however, most work in this area focuses on the ground segment with little research or guidance on securing the space segment (i.e., spacecraft).

Table 1 outlines some of the known initiatives and standards that have been published relating to cybersecurity within the space domain. Limited published work is available for reference; however, the report Cyber Enhanced Space Operations recommends several strategies for more secure space systems and operations.4 Other nonpublished initiatives are underway within the federal government (e.g., Jet Propulsion Laboratory’s Cybersecurity Improvement Project), but at this point all these initiatives are too early to reference as adopted practices and mostly focus on the ground

Figure 1: Cyber threats identified by the National Air and Space Intelligence Center (NASIC).12

Table 1: Known Cybersecurity Initiatives and Standards

Organization: Committee on National Security Systems (CNSS)
Title of Standard: CNSSI 1200, National Information Assurance Instruction for Space Systems Used to Support National Security Missions
Applicability/Scope: Ground and spacecraft for National Security Systems (NSS) only
Link to Standard: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
Description: This standard elaborates on how to appropriately integrate information assurance (IA) into the planning, development, design, launch, sustained operation, and deactivation of those space systems used to collect, generate, process, store, display, or transmit national security information, as well as any supporting or related national security systems.

Organization: CNSS
Title of Standard: CNSSI 1253F Attachment 2, Space Platform Overlay
Applicability/Scope: Unmanned spacecraft for NSS only
Link to Standard: https://www.cnss.gov/CNSS/issuances/Instructions.cfm
Description: This overlay applies to the space platform portion of all space systems that must comply with CNSS Policy No. 12. The controls specified in this overlay are intended to apply to the space platform after it is launched and undergoing pre-operational testing and during operation. This overlay attempts to mold NIST 800-53 for the space segment.

Organization: Consultative Committee for Space Data Systems (CCSDS)
Title of Standard: 352.0-B, Cryptographic Algorithms
Applicability/Scope: Civilian space communications
Link to Standard: https://public.ccsds.org/Pubs/352x0b2.pdf
Description: This standard provides several alternative authentication/integrity algorithms that may be chosen for use by individual missions depending on their specific mission environments. It does not specify how, when, or where these algorithms should be implemented or used. Those specifics are left to the individual mission planners based on the mission security requirements and the results of the mission risk analysis.

Organization: CCSDS
Title of Standard: 355.0-B, Space Data Link Security (SDLS) Protocol
Applicability/Scope: Civilian space communications
Link to Standard: https://public.ccsds.org/Pubs/355x0b1.pdf
Description: This protocol provides a security header and trailer along with associated procedures that may be used with the CCSDS Telemetry, Telecommand, and Advanced Orbiting Systems Space Data Link Protocols to provide a structured method for applying data authentication and/or data confidentiality at the data link layer.

Organization: CCSDS
Title of Standard: 356.0-B, Network Layer Security
Applicability/Scope: Civilian space communications
Link to Standard: https://public.ccsds.org/Pubs/356xb1.pdf
Description: This standard provides the basis for network layer security for space missions utilizing the Internet protocol (IP) and complying with IP over CCSDS space links.

Organization: CCSDS
Title of Standard: 357.0-B, Authentication Credentials
Applicability/Scope: Civilian space communications
Link to Standard: https://public.ccsds.org/Pubs/357x0b1.pdf
Description: In the CCSDS space environment, credentials are needed to allow communicating entities to authenticate each other to determine potential authorization and access control actions. CCSDS recommends two types of credentials in this standard: X.509 certificates and protected simple authentication.

Organization: Aerospace Industries Association (AIA)
Title of Standard: NAS9933, Critical Security Controls for Effective Capability in Cyber Defense
Applicability/Scope: Department of Defense (DOD) contractors’ enterprise/ground infrastructure
Link to Standard: http://www.aia-aerospace.org/wp-content/uploads/2018/12/AIA-Aerospace-Cybersecurity-standard-onepager.pdf
Description: The goal of this standard is to align the fragmented and conflicting requirements that the DOD contracting process imposes on industry. Rather than different DOD organizations using different tools to assess a company’s security across different contracts, this standard is designed to apply common and universal elements of cybersecurity across each enterprise.

segment. The published security standards listed in the table range from high-level compliance controls to low-level communication protocol standards and are not overarching engineering principles for a spacecraft, which is the focus of this paper.

Committee on National Security Systems (CNSS) provides a forum for the discussion of policy issues and is responsible for setting national-level cybersecurity policies, directives, instructions, operational procedures, guidance, and advisories for U.S. government departments and agencies for the security of National Security Systems (NSS) through the CNSS Issuance System.

Consultative Committee for Space Data Systems (CCSDS) develops communications and mission operation standards that support inter- and intra-agency operations and cross support. CCSDS standards include elements of flight and ground systems that are developed and operated by different agencies and organizations. The security working group within CCSDS believes the security risks to both spacecraft and ground systems have increased to the point where CCSDS must adopt existing or develop (as necessary) information security standards in order to protect both flight and ground mission-critical resources and protect sensitive mission information.

Aerospace Industries Association (AIA) represents manufacturers and suppliers of civil, military, and business aircraft, helicopters, UAVs, space systems, aircraft engines, missiles, material, and related components, equipment, services, and information technology in the United States. AIA receives its policy guidance from the direct involvement of chief executive officers of companies of all sizes across all levels of the aerospace industry.

In addition to standards, overarching governance and policies lack the necessary integration between cybersecurity and the space domain. As described by the University of Maryland – School of Public Policy, governance efforts in the space and cyber domains are highly siloed, which may limit meaningful progress.5 In their research, only one strategy document, the 2018 National Cyber Strategy, provided any mention of improving cybersecurity in the space domain. Similarly, research from Chatham House describes the deficiencies on a global scale in relation to the North Atlantic Treaty Organization (NATO) and how it needs to establish a NATO Space Policy.6 While these and others have pointed out policy and governance challenges, few publications are solution-oriented with respect to reducing cyber risk to space systems, specifically the spacecraft. In the absence of structured governance and standards, this paper discusses a threat-based approach to managing cyber risk to spacecraft, including examples of how to apply defense-in-depth (DiD) principles to reduce the risk of cyberattack on a spacecraft. These principles should provide decisionmakers, acquisition professionals, program managers, and system designers alike with considerations while acquiring and designing cyber-resilient spacecraft.

Figure 2 shows the continuum of reversible to nonreversible attack types against spacecraft. Cyberattacks on spacecraft could come in many flavors and depend greatly on the adversary’s access and goals. Potential attacks targeting ground stations could result in a breach of the confidentiality or integrity of the downlinked data or potentially the satellite being disabled, destroyed, or deemed unreliable. Attacks against the supply chain could result in a different, more limited set of attacks against the satellites. A range of scenarios exists, and each would have unique impacts on the adversary’s options. Some of these scenarios result in irreversible damage while others result in loss of mission time and/or degraded future operations. The more an adversary can sow doubt in our space systems, the greater the impact on our military/economic systems.

Figure 2: Counterspace continuum showing range of attacks to spacecraft including cyberspace attacks.1

Traditional View and Current Design Practices

Many assume that DOD satellites are generally well protected against cyberattacks (depending on their age, orbit, and access). In the commercial satellite world, this is thought to not be the case, even though increasingly they are being used for military purposes.7 Commercial satellites do not require the same level of governance as satellites in the DOD and civilian sectors, and they do not have standardized security. Traditionally within the DOD, civilian, and commercial space sectors, complacency and misunderstandings about cyber vulnerabilities for spacecraft are widespread. In all three sectors, spacecraft have been built assuming a very limited range of cyber threats. Furthermore, most spacecraft architectures, subsystems, and supply chains were developed before current cyber threats were envisioned. Traditionally, cybersecurity for space systems has concentrated on the ground segment with minimal, if any, cyber protections onboard the spacecraft. There are several reasons why spacecraft themselves have been assumed off limits for cyberattacks:

• Spacecraft architectures are built using unique hardware/software that is not susceptible to common computer malware.

• Spacecraft have communications only with protected ground infrastructure that is “air gapped” from the commercial Internet, so they cannot be cyberattacked by external adversaries.

• Physical access to spacecraft once launched is highly unlikely.

• DOD spacecraft are developed, manufactured, and launched by cleared defense contractors, with closed supply chains presumed to be inaccessible to potential adversaries. Additionally, strong National Security Agency (NSA)-approved encryption on DOD spacecraft uplinks/downlinks means that data cannot be exposed to or manipulated by adversaries.

Due to these factors, cyber concerns have historically focused mostly on electronic warfare threats such as jamming, which is a classic denial of service attack; spoofing, where adversaries attack sensors and/or position receivers; or replay attacks, where a valid command or telemetry sequence is recorded and replayed to cause an effect. Jamming can be partially mitigated by such techniques as hardening the physical layer communication waveform or increasing the link margin. Spoofing and replay attacks, on the other hand, have traditionally been dealt with by utilizing proper authentication.

Better understanding of cyber threats has led to a realization that systems may be vulnerable despite the traditional assumptions. For example, motivated adversaries may develop highly targeted malware, assumptions about isolated networks may be invalid, and adversaries may breach development environments and supply chains.

Similar misconceptions about cyberattacks were made with industrial control systems (ICSs). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, and pneumatic) that act together to achieve an industrial objective (e.g., manufacturing and transportation of matter or energy). ICS environments were thought to be unsusceptible to cyberattacks due to some of the same reasons as spacecraft: closed supply chains, unique embedded hardware/software systems, “air-gapped” networks, and physical protections. These same misconceptions have resulted in vulnerabilities in ICS, which have documented intrusions using similar attack vectors that are mentioned in subsequent sections of this paper. These ICS cyberattacks have not only resulted in millions of dollars in physical damages, they have also resulted in the loss of life. Compromising the hardware and software supply chains, jumping air-gapped networks, and compromising cryptography have been successfully executed in the ICS-embedded world, and space systems could fall victim to similar attacks if proper protections are not taken.8

“There is a clear trend toward lower barriers to access, and widespread vulnerabilities coupled with reliance on relatively unsecured commercial space systems create the potential for non-state actors to carry out some counter-space cyber operations without nation-state assistance. However, while this threat deserves attention and will likely grow in severity over the next decade, there remains a stark difference at present between the cyber attack capabilities of leading nation-states and other actors.”
—Global Counterspace Capabilities: An Open Source Assessment10
environments were thought to be unsusceptible to

The Emerging Threat in Cyberspace

Cyber capabilities of nation-states have increased in recent years.1 Cyber threats pose a significant and complex challenge due to the absence of warning and the speed of an attack by an adversary, the difficulty of attribution, and the complexities associated with carrying out a proportionate response.6 The “2019 Global Threat Report” from CrowdStrike® says, “Nation-state adversaries were continuously active throughout 2018—targeting dissidents, regional adversaries and foreign powers to collect intelligence for decisionmakers.” In terms of sheer speed, Russian hackers are now able to complete a major system breach in less than 19 minutes, 8 times faster than their nearest competitors in North Korea.9 While this data is not space system-specific, it points to increasing speed and capabilities. With the adversaries’ increasing desire and capabilities to disrupt our space systems, combined with our dependence on space for critical capabilities, spacecraft cybersecurity protections should be a high priority. In fact, various open source reports exist suggesting that nation-states and other actors are already attempting cyber intrusions into government spacecraft assets.1,11 Government assets are not alone in being a target; given the reliance of the military on commercial satellites to augment bandwidth, cyberattacks on commercial space systems are also a concern. As stated by Secure World Foundation, “A growing number of non-state actors are actively probing commercial satellite systems and discovering cyber vulnerabilities that are similar in nature to those found in non-space systems. This indicates that manufacturers and developers of space systems may not yet have reached the same level of cyber hardness as other sectors.”10 With the expanding list of threat actors and the increase in awareness of vulnerabilities and adversary capabilities, all sectors of the space domain need to invest in improving the cybersecurity of space systems, especially onboard the spacecraft. Figure 1 (presented earlier) provides an overview of the current cyber threat landscape for space systems. Although this paper focuses on the spacecraft, it is important to understand the broader context and attack vectors.

With the everchanging threat landscape within the space domain, it is important to rethink the assumptions that civilian, commercial, and DOD spacecraft are safe from cyberattacks. Spacecraft being developed today need to be resilient to attacks 10 to 20 years in the future.13

In the supply chain alone, several potential entrance points exist. For example, spacecraft may utilize third-party intellectual property and/or open source software or firmware with unknown vulnerabilities or implants. As spacecraft become more complex and timelines for development shrink, less attention and scrutiny may be applied to the software supply chain. It is true that spacecraft are not flying and will not fly traditional commercial IT components such as servers and Ethernet switches and, therefore, are not susceptible to most forms of malware. However, nation-state actors have the motivation and means to fund development of specially designed malware to target the components that are flown on spacecraft. Nation-state actors have already demonstrated this in the ICS realm with the malicious computer worm called Stuxnet, which targeted Iran’s nuclear program. It was specially crafted malware for a particular embedded logic controller that was connected to uranium centrifuges.

The hardware supply chain is another high-probability entrance point for an adversary. Due to the economy of silicon manufacturing, hardware fabrication has been outsourced overseas with little oversight. Inserting a backdoor into a part or parts is a significant threat to space systems. In the best case, an adversary will only know a part is military grade and may not know exactly what system or subsystem it will end up on. In the worst case, they may have access to a developer’s supply chain and be able to place a part into a critical subsystem,

knowing the interfaces in great detail. Regardless, the hardware supply chain must be protected and “trojan” backdoors must be mitigated. Fortunately, some research and development is already underway to address this problem, as outlined in the ASIC/FPGA Trust Assurance (AFTA) Framework.14

Additionally, insider threat is a significant concern. Several other mechanisms exist that could potentially be utilized to breach a space system, such as a replay attack as discussed in Mitigation of Command-Link Replay Attacks against Satellites.15 In addition to various known entrance points, spacecraft are often operated with lifecycles spanning a decade or two, and it is impossible to predict all offensive cyber techniques many years in the future. Systems must be resilient to threats that have not yet been considered.

As large constellations composed of relatively inexpensive and networked small satellites are considered as an alternative to traditional large exquisite spacecraft, further cyber concerns emerge. To keep manufacturing speeds high and costs low, small satellites will rely on more commercial parts as opposed to military grade. Taking steps to ensure a safe supply chain is advisable, but development schedules may not allow for a perfect supply chain scrub. Because various non-cyber threats (e.g., kinetic and electronic warfare) to space systems are largely mitigated by many small satellite constellations, adversaries may look for offensive cyber as a mechanism to attack a large constellation. A cyber vulnerability could affect all nodes in a constellation if they share the same design, which could render that whole constellation unreliable.

Defense in Depth

The fundamental problem for space systems is that they are designed assuming protection at their boundaries will be enough. Little internal protection exists if the boundary is breached. Similar schools of thought existed in the beginning days of traditional cybersecurity, where border firewalls were providing the only protection from intrusion. This approach proved to be faulty, and well-protected IT systems are now designed with DiD principles. Similarly, current and future space system designs must use these principles to overcome the risk of an adversary breaching the boundary and operating unhindered inside the system. Both large traditional developments and more modern rapidly developed space systems should ensure that they have a cyber-hardened design with DiD throughout.

For a space system, a DiD strategy relies on multiple layers of security to protect mission-critical assets. This approach spans acquisition, secure supply chains, space system hardening and monitoring, secure software development, intrusion detection and prevention, culture, people, etc. to create multiple layers as a security control. Recalling the earlier NASIC graphic in Figure 1 and applying a DiD strategy, security controls would need to be applied at the user segment, ground segment, link segment, and space segment to ensure the space system has a robust security architecture. The next section outlines how to apply DiD on the space segment only. Ground and wireless link architectures are out of scope of this paper, though a secure spacecraft is dependent on secure ground and wireless security.

Principles of a Cyber-Resilient Spacecraft

When designing a cyber-resilient space system, many different security control implementations exist that will improve civilian, commercial, and DOD space systems’ security. However, this paper focuses on the following DiD principles: onboard intrusion detection and prevention systems, hardware/software supply chain, and onboard logging. Additionally, other considerations will be mentioned to complement these main three principles, which will also bolster the spacecraft’s cyber protections. Selection of which DiD

principles to employ should be driven by sound risk management processes. To manage risk, decisionmakers should assess the likelihood and potential impact of a cyberattack against the spacecraft and then determine the best approach to deal with the risks: avoid, transfer, accept, or mitigate. To mitigate risks, decisionmakers must ultimately determine what kinds of DiD principles (i.e., security controls) to apply. Not all risks can be eliminated, and no decisionmaker has unlimited budget or enough personnel to combat all risks.

Intrusion Detection and Prevention Systems

The backbone of a cyber-resilient spacecraft should be a robust intrusion detection system (IDS). The IDS should consist of continuous monitoring of telemetry, command sequences, command receiver status, shared bus traffic, and flight software configuration and operating states. From a telemetry monitoring perspective, several parameters exist that have the highest likelihood of indicating a cyberattack against a spacecraft; these should be actively monitored on the ground today and, looking into the future, onboard the spacecraft with the IDS.16

The IDS should implement both signature- and machine-learning-based anomaly detection techniques, an approach recommended by NIST.17 Signatures should be derived from known threat information and weaknesses in the system that have been identified by analysis. Machine-learning algorithms should be trained on a dataset that includes a variety of typical system operations. Space operations in general lend themselves well to machine-learning approaches for anomaly detection. Space operations tend to be highly structured and predictable: operators rarely deviate from vetted procedures, and scheduling is performed well in advance.

Responses to detected events may vary depending on the nature of the threat. Violating nonsevere rules or crossing a low-scoring threshold will trigger an alert in telemetry to the ground operator with the violation, the raw data that caused it, and a recommended course of action. If a severe rules violation occurs or a higher threshold is crossed, the spacecraft’s intrusion prevention system (IPS) will take automated actions, which may include swapping to a redundant side, quarantining command sequences, reloading flight software, and/or halting suspect units. An example of the first scenario may be a command receiver locking up when the spacecraft is not in view of a valid ground station. If the potential intrusion does not pass the decryption and authentication stage, immediate action is not needed, but the ground should be notified with relevant log data as soon as possible. An example where an immediate and automated response would be required is a known malware behavior being detected in the memory contents of the flight computer.

The IPS should be integrated into the existing onboard spacecraft fault management system (FMS) because the FMS has its own fault detection and response system built in. Typically, the FMS is a relatively simple system looking for specific conditions and taking specific prescribed actions. Some of the rules-based detection techniques of the IPS may be similarly simple. The machine-learning techniques do not necessarily need to be overly complicated; relatively simple techniques can look for command sequences that are far out of line with what has been previously seen in operations. The reason that the IPS and FMS should be integrated is that they are essentially performing the same functions but are looking for different anomaly signatures. In fact, there may be scenarios where each of them detects an anomalous condition and attempts to take an action. Having them integrated ensures they do not take conflicting actions.

The spacecraft IPS and the ground should retain the ability to return critical systems on the spacecraft to a known cyber-safe mode. Cyber-safe mode is an operating mode of a spacecraft during which all

9
nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. The default cyber-safe mode software should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable.

Supply Chain
It is critical that spacecraft developers implement a supply chain risk management program. They must ensure that each of their vendors handles hardware and software appropriately and with an agreed-upon chain of custody. Critical units and subsystems should be identified and handled with different rigor and requirements than noncritical units and subsystems. Parts should be sourced from reputable vendors and checked for signs of counterfeiting. Proper configuration management must be implemented for all software and firmware residing in any system on a spacecraft.

All software on the spacecraft should be thoroughly vetted and properly handled through the configuration management and secure software development processes. Leveraging secure coding standards or principles will aid in the reduction of unintended weaknesses. For example, developers of safety-critical software at the Jet Propulsion Laboratory follow the Power of Ten – Rules for Developing Safety Critical Code.18 Additionally, others follow coding standards from the Software Engineering Institute or adhere to government regulations for avionics (e.g., DO-178C, “Software Considerations in Airborne Systems and Equipment Certification”).19 While standards are important during development, verification and validation are equally important. Both static and dynamic source code analysis tools should be run on flight-critical software.

Static code analysis is a method of debugging by examining source code against a set (or multiple sets) of coding rules. This type of analysis addresses weaknesses or nonconformance to coding standards in source code that might lead to vulnerabilities. This may also be achieved through manual code reviews, but using automated tools is much more effective. Another option is dynamic analysis, which is the testing and evaluation of a program by executing it on data in real time. The objective is to find errors in a program while it is running, rather than by analyzing the source code without executing it. These analysis tools should be part of the development pipeline and should run automatically on a regular basis. Issues are much less costly to fix if they are discovered quickly, and feedback from the tools encourages developers to be security minded.

When performing static analysis, a multitude of static code analysis tools should be used to maximize the ability to detect security defects. Static analysis tools, like many other security tools, have strengths and weaknesses, and by applying multiple tools the likelihood of detecting defects is increased.20 However, not all defects (e.g., buffer overflows, race conditions, and memory leaks) can be discovered statically; some require execution of the software. This is where space-centric cyber testbeds (i.e., cyber ranges) are imperative, as they provide an environment in which to attack components in a controlled setting and discover these undesirable conditions. Technology has improved to where digital twins for spacecraft are achievable, which provides an avenue for cyber testing that was often not performed due to perceived risk to the flight hardware.21

Software often leverages third-party code, which may introduce vulnerabilities into the system. The prime integrator must take responsibility for all security weaknesses introduced via the use of third-party code. At a minimum, that means obtaining the code via trusted means and updating to new versions that fix security weaknesses; ideally it also includes scanning and testing third-party software for security weaknesses.
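The tiered detection and response described in the intrusion detection section above, as an added example that is not part of the original paper: a signature path over flight-computer memory, a rules path for commands never used in vetted procedures, a simple transition-model anomaly score over command sequences, and one decision point that returns no action, a ground alert, or the transition to cyber-safe mode. The command mnemonics, the nominal history and the malware pattern are constructed for this example.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed nominal command history (mnemonics), standing in for the
# training dataset of typical operations the text calls for.
NOMINAL_OPS = [
    "NOOP", "GET_HK", "PTR_SUN", "GET_HK", "TLM_DUMP", "NOOP",
    "GET_HK", "PTR_SUN", "GET_HK", "TLM_DUMP", "NOOP", "GET_HK",
]

# Constructed signature set: digests of flight-computer memory pages whose
# contents match a known malware behaviour (hypothetical pattern).
KNOWN_BAD_MEMORY = {hashlib.sha256(b"constructed-malware-pattern").hexdigest()}

# Response tiers: nonsevere findings only alert the ground with log data;
# a signature hit triggers the automated transition to cyber-safe mode.
NO_ACTION, ALERT, SAFE_MODE = "NONE", "ALERT_GROUND", "ENTER_CYBER_SAFE_MODE"

class SpacecraftIDS:
    def __init__(self, history, threshold=0.05):
        # First-order transition model of nominal command ordering.
        self.known = set(history)
        self.trans = defaultdict(Counter)
        for a, b in zip(history, history[1:]):
            self.trans[a][b] += 1
        self.threshold = threshold

    def sequence_score(self, cmds):
        """Fraction of command transitions never observed in nominal operations."""
        pairs = list(zip(cmds, cmds[1:]))
        if not pairs:
            return 0.0
        unseen = sum(1 for a, b in pairs if self.trans[a][b] == 0)
        return unseen / len(pairs)

    def evaluate(self, cmds, memory_pages):
        """One monitoring interval; returns (action, findings). This is the
        single decision point shared with the FMS, so the IPS and FMS never
        issue conflicting responses."""
        findings = []
        # Signature path: known malware behaviour in flight-computer memory.
        for page in memory_pages:
            if hashlib.sha256(page).hexdigest() in KNOWN_BAD_MEMORY:
                findings.append("known malware signature in memory")
                return SAFE_MODE, findings
        # Rules path: a command mnemonic never used in vetted procedures.
        for c in cmds:
            if c not in self.known:
                findings.append(f"unknown command {c}")
        # Anomaly path: ordering far out of line with previously seen operations.
        score = self.sequence_score(cmds)
        if score > self.threshold:
            findings.append(f"anomalous command ordering (score {score:.2f})")
        return (ALERT, findings) if findings else (NO_ACTION, findings)
```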
Logging
Logging is the process of collecting and storing data over a period of time in order to analyze the events and actions of the system. It enables the tracking of all interactions through which data, files, or software is stored, accessed, or modified. Both the spacecraft and the ground should independently perform command logging and anomaly detection of command sequences for cross validation. Commands received may be stored and sent to the ground through telemetry and automatically checked to verify consistency between commands sent and commands received. Alternatively, command sequence hashes can be used to verify consistency if telemetry link bandwidth is a concern.

Logging of other onboard indications of an intrusion attempt should be performed as well and may be spacecraft design specific. For example, parameters at the input to the command receivers may be of use for anomaly investigations. Legacy spacecraft have not traditionally kept logs of the fidelity needed for forensic analysis. Often, onboard anomalies do not have sufficient logging to make a determination, especially if the anomaly occurs between passes and the data has been lost due to a side-swap. Experimenting with the creation or adoption of a security information and event management tool for space vehicles would be prudent.

Other Standard Cyber Protections
In addition to the three main principles previously mentioned, several other complementary considerations can bolster spacecraft cyber protections.

It is important for the computing module to be able to access a set of functions and commands that it trusts; that is, that it knows to be true. This concept is referred to as root of trust (RoT) and should be included in the spacecraft design. The RoT serves as a separate compute engine controlling the trusted computing platform cryptographic processor. The RoT computing module should be implemented on radiation-tolerant burn-in (nonprogrammable) equipment. With RoT, a device can always be trusted to operate as expected. RoT functions, such as verifying the device’s own code and configuration, must be implemented in secure hardware (e.g., field programmable gate arrays). By checking the security of each stage of power-up, RoT devices form the first link in a chain of trust that protects the spacecraft.

Wherever possible, lightweight cyber protection functions should be implemented and best practices applied in subsystems and firmware throughout the spacecraft. Software and firmware updates should be verified with cryptographic signatures. Cryptographic signatures provide the means to protect the privacy of the content and to verify its integrity and authenticity.

Communication buses that bridge critical and noncritical spacecraft systems should either be separated or explicitly protected. Within government spacecraft, the commonly used military standard 1553 (MIL-STD-1553) was designed before the term cybersecurity was invented, and the concern is that this bus, which was designed with no infiltration protection, could be easily corrupted or manipulated if any unintended data made it onto the data bus. Therefore, if the MIL-STD-1553 bus is used to communicate between the flight computer, attitude control system, thrusters, and various payloads, the payload communication should be separated, or encryption, authentication, and anti-babble protection should be applied in front of each unit.

Small Satellite Considerations
Due to the increased usage and capabilities of smaller satellites, both the complexity and availability of satellite technology are growing, making the space infrastructure even more vulnerable.7 The future of the space enterprise is moving toward large constellations of small satellites in low Earth orbit. As designs are being developed, several considerations should be made. Many of the aforementioned DiD principles apply to small satellites, but with these new technologies come new security considerations.

These smaller vehicles impose additional weight and size constraints as compared to traditional space vehicles. NSA hardware-based cryptography has been a cornerstone for protecting the command link on DOD missions; however, utilizing software cryptography should be considered an acceptable solution moving forward for all spacecraft. This paradigm shift will require proper approvals for DOD missions, as NSA hardware type-1 encryption has been a long-standing requirement.

As previously described, onboard intrusion detection and prevention should be deployed on traditional spacecraft; for smallsats, cyber monitoring functions, such as flight software memory monitoring, may be co-resident with the flight processor. As depicted in Figure 3, architectures leveraging systems on a chip are particularly well suited for this application because they contain both core processors and programmable logic. Note that these platforms typically are not radiation hardened but may be seen in small and low-cost spacecraft designs of the future.

As the smallsat marketplace matures alongside the embedded security community, commercial and open source solutions will be developed that can bolster the security implementations of smallsat constellations for commercial and government use. As capabilities mature, the space community will need to be agile in its verification, validation, and acceptance to reap the benefits. Hardening smallsats, using a variety of methods and technologies, will be possible as long as the space community is willing to be agile and shift its mindset from the traditional ways of thinking.

Figure 3: Example architecture. [Figure: a system-on-a-chip design with hardware-enforced separation between the Processing System and the Programmable Logic. Labelled elements: Core 1, Core 2, flight software, DDR RAM, flash storage, serial and Ethernet interfaces, a MicroBlaze security monitor with block RAM, a SpaceWire interface, and a mailbox interface.]
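An added example (not from the paper) of the command-log cross validation described in the Logging section above: ground and spacecraft log commands in the same canonical encoding, the ground compares the two logs by sequence count, and a chained hash gives the low-bandwidth alternative the text mentions for when telemetry link bandwidth is a concern. The command frames and opcodes are constructed for this example.

```python
import hashlib
import struct

# Constructed command frames as (sequence count, opcode, payload); the
# opcodes are hypothetical and carry no meaning beyond this example.
GROUND_SENT = [(1, 0x10, b""), (2, 0x22, b"\x01\x02"), (3, 0x10, b"")]

def frame_bytes(seq, opcode, payload):
    """Canonical encoding used identically by ground and spacecraft when logging."""
    return struct.pack(">HB", seq, opcode) + payload

def sequence_hash(frames):
    """Chained SHA-256 over a command sequence: one 32-byte telemetry value
    that stands in for the full command log when downlink bandwidth is scarce."""
    digest = b"\x00" * 32
    for frame in frames:
        digest = hashlib.sha256(digest + frame_bytes(*frame)).digest()
    return digest.hex()

def cross_validate_logs(ground_sent, onboard_received):
    """Ground-side comparison of the two independently kept command logs.
    Returns a list of discrepancies; an empty list means the logs agree."""
    sent = {f[0]: frame_bytes(*f) for f in ground_sent}
    recv = {f[0]: frame_bytes(*f) for f in onboard_received}
    issues = []
    for seq in sorted(set(sent) | set(recv)):
        if seq not in sent:
            issues.append(f"seq {seq}: accepted onboard but never sent by ground")
        elif seq not in recv:
            issues.append(f"seq {seq}: sent by ground but not logged onboard")
        elif sent[seq] != recv[seq]:
            issues.append(f"seq {seq}: command content differs between the logs")
    return issues

def cross_validate_hash(ground_sent, onboard_hash_hex):
    """Low-bandwidth variant: the spacecraft downlinks only sequence_hash()."""
    return sequence_hash(ground_sent) == onboard_hash_hex
```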

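The chain of trust at power-up and the signed-update check described in the root of trust paragraphs above, as an added example that is not part of the paper. It assumes a verification key held by the RoT and uses HMAC-SHA256 as a stand-in for the asymmetric signature a flight design would use; the boot-stage images are constructed for this example.

```python
import hashlib
import hmac

# Constructed verification key. Stand-in: a flight design burns a public key
# into the RoT and checks asymmetric signatures; HMAC-SHA256 is used here only
# because the Python standard library has no asymmetric signing.
ROT_KEY = b"constructed-rot-verification-key"

# Constructed boot-stage images; the cyber-safe image lives in non-modifiable memory.
BOOTLOADER = b"stage1: bootloader build 2"
FLIGHT_SW = b"stage2: flight software build 7"
CYBER_SAFE_IMAGE = b"cyber-safe mode image, immutable"

def sign_image(image):
    """Done on the ground by the release authority (stand-in for a real signature)."""
    return hmac.new(ROT_KEY, image, hashlib.sha256).digest()

def verify_image(image, signature):
    """Signature check every stage performs on the next stage, and on any update."""
    return hmac.compare_digest(sign_image(image), signature)

def extend(measurement, image):
    """Fold an image digest into the running boot measurement."""
    return hashlib.sha256(measurement + hashlib.sha256(image).digest()).digest()

def measured_boot(stages):
    """Walk the chain of trust: the RoT verifies stage 1, stage 1 verifies stage 2, ...

    `stages` is a list of (image, signature) in power-up order. On the first failed
    verification the remaining stages are skipped and the immutable cyber-safe image
    is loaded instead. Returns (images_loaded, measurement_hex, booted_nominally);
    the measurement lets the ground confirm later exactly what ran."""
    loaded, measurement = [], b"\x00" * 32
    for image, signature in stages:
        if not verify_image(image, signature):
            loaded.append(CYBER_SAFE_IMAGE)
            return loaded, extend(measurement, CYBER_SAFE_IMAGE).hex(), False
        loaded.append(image)
        measurement = extend(measurement, image)
    return loaded, measurement.hex(), True

def accept_update(new_image, signature):
    """Update acceptance: an unsigned or mis-signed image is never written to flash."""
    return verify_image(new_image, signature)
```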
Conclusions
The vulnerability of satellites and other space assets to cyberattack is often overlooked in wider discussions of cyber threats to critical national infrastructure. Neither space policy nor cybersecurity policy is prepared for the challenges created by the meshing of space and cyberspace, especially for spacecraft. In the absence of formal policy and regulations, industry and government alike can begin to apply defenses at all segments within the space system to build a more robust security posture. To mitigate risks, decisionmakers must ultimately determine what kinds of DiD principles to apply. Not all risks can be eliminated, and no decisionmaker has unlimited budget or enough personnel to combat all risks. However, decisionmakers, acquisition professionals, program managers, and system designers can consider the following key principles when acquiring or designing a cyber-resilient spacecraft:

• Intrusion detection and prevention leveraging signatures and machine learning to detect and block cyber intrusions onboard spacecraft
• A supply chain risk management program to protect against malware inserted in parts and modules
• Software assurance methods within the software supply chain to reduce the likelihood of cyber weaknesses in flight software and firmware
• Logging onboard the spacecraft to verify legitimate operations and aid in forensic investigations after anomalies
• RoT to protect software and firmware integrity
• A tamper-proof means to restore the spacecraft to a known good cyber-safe mode
• Lightweight cryptographic solutions for use in smallsats
References
1. Defense Intelligence Agency; Challenges to Security in Space, February 11, 2019, pages 9, 20, 29, and 36, https://www.dia.mil/Portals/27/Documents/News/Military%20Power%20Publications/Space_Threat_V14_020119_sm.pdf.
2. Porup, J; “It's Surprisingly Simple to Hack a Satellite”, August 21, 2015, https://www.vice.com/en_us/article/bmjq5a/its-surprisingly-simple-to-hack-a-satellite.
3. Eddy, M; “Satellite Communications Hacks Are Real, and They're Terrifying”, August 9, 2018, https://www.pcmag.com/news/363004/satellite-communications-hacks-are-real-and-theyre-terrify.
4. Ewart, R; Wheler, W; Betser, J; Cohen, N; Knobbe, R; Horejsi, J; Gonce, J; Cyber Enhanced Space Operations from Frameworks to Enterprise Evolution, September 2016, https://arc.aiaa.org/doi/pdf/10.2514/6.2016-5474.
5. Symonds, E; Comparing and Contrasting Space and Cyber Governance in Multilateral Forums and U.S. Policy Initiative, May 2019, page 2, https://swfound.org/media/206442/symonds_space_cyber_governance_may2019.pdf.
6. Unal, B; Cybersecurity of NATO’s Space-based Strategic Assets, July 2019, pages 4 and 20, https://www.chathamhouse.org/sites/default/files/2019-06-27-Space-Cybersecurity-2.pdf.
7. Livingston, D; Lewis, P; Space, the Final Frontier for Cybersecurity?, September 2016, page 21, https://www.chathamhouse.org/sites/default/files/publications/research/2016-09-22-space-final-frontier-cybersecurity-livingstone-lewis.pdf.
8. Ginter, A; “The Top 20 Cyberattacks on Industrial Control Systems,” January 25, 2018, https://waterfall-security.com/blog/top-20-cyberattacks-ics.
9. Crowdstrike; 2019 Global Threat Report, March 2019, pages 2 and 15, https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/.
10. Weeden, B; Samson, V; Global Counterspace Capabilities: An Open Source Assessment, April 2018, page 7-1, https://swfound.org/media/206118/swf_global_counterspace_april2018.pdf.
11. London Cyber Security LTD; Space Cybersecurity’s Final Frontier, June 2015, pages 18–23, https://static1.squarespace.com/static/56d0212027d4bded627db544/t/56deb84c3c44d8eb68c68083/1457436755011/LCS+June+Report-web.pdf.
12. National Air and Space Intelligence Center; Competing in Space, December 2018, page 18, https://media.defense.gov/2019/Jan/16/2002080386/-1/-1/1/190115-F-NV711-0002.PDF.
13. Harrison, T; Johnson, K; Roberts, T; Bergethon, M; Coultrup, A; Space Threat Assessment 2019, April 2019, page 5, https://aerospace.csis.org/wp-content/uploads/2019/04/SpaceThreatAssessment2019-compressed.pdf.
14. Rao, V; ASIC/FPGA Trust Assurance (AFTA) Framework, The Aerospace Corporation, El Segundo, California, August 20, 2019. Restricted Distribution.
15. Martin, J; Mitigation of Command-Link Replay Attacks against Satellites, The Aerospace Corporation, El Segundo, California, August 2019. Restricted Distribution.
16. Martin, J; Satellite Telemetry Indicators for Identifying Potential Cyber Attacks, Aerospace TOR-2019-02178, The Aerospace Corporation, El Segundo, California, August 16, 2019. Approved for Public Release; Distribution Unlimited.
17. Scarfone, K; Mell, P; Guide to Intrusion Detection and Prevention Systems, February 2007, page 2-4, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf.
18. Holzmann, G; The Power of Ten – Rules for Developing Safety Critical Code, June 2006, http://spinroot.com/gerard/pdf/P10.pdf.
19. Software Engineering Institute; “SEI CERT Coding Standards,” last modified February 5, 2019, https://wiki.sei.cmu.edu/confluence/display/seccode.
20. Center for Assured Software, National Security Agency; CAS Static Analysis Tool Study – Methodology, December 2011, page 24, https://samate.nist.gov/docs/CAS_2011_SA_Tool_Method.pdf.
21. Glaessgen, E; Stargel, D; The Digital Twin Paradigm for Future NASA and U.S. Air Force Vehicles, April 2012, page 1-2, https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20120008178.pdf.
