Insight by Raytheon

Space is not the final frontier for cybersecurity

Interconnectivity and Security

One recent command and control system we fielded for the Air Force’s global positioning system, the navigation and timing that is use for positioning. It’s ubiquitous. We worked with the U.S. Air Force to harden that system, to help make it more cyber resilient. In fact, we fielded a system that adheres to 100% of DoD’s information assurance standards.

Addressing the Supply Chain

Much like what we do with the code that is developed internally on our team, we put [open source software and commercial products] through a pretty rigorous vulnerability assessment. It’s not to say they are any more or less vulnerable than the code we build, but we are taking the same level of scrutiny across the entire system.

You can’t talk about technology in any regard without cybersecurity coming up as a main discussion point.

Whether it’s your smartphone or laptop or car or toaster oven, concerns about hacking or turning your device into a bot is real and at the top of mind of most federal executives.

The one area that hasn’t received as much focus and attention are those systems in space because just like planes, phones and computers, space systems – both on the ground and in orbit — are now potential targets for hackers.

These systems are complex so vulnerabilities can be introduced at almost any point of the supply chain, and even while spacecraft are in orbit.

A recent paper from the Royal Institute of International Affairs at the non-profit think-tank Chatham House said the reliance of space-based systems and satellites could face greater risks of attack, especially during rising tensions that don’t reach the level of real conflict.

The Chatham paper found both China and Russia are using cyber attacks as part of their military and strategic doctrine, and they have increased their presence in space.

NATO has had to deal with everything from GPS jamming to cyber attacks against satellite systems during military exercises, the report states.

And this problem isn’t new. A 2011 report from the U.S.-China Economic and Security Review Commission highlighted two U.S. government satellites that have experienced interference, which experts say is a similar result that would come from a cyber attack on their control systems.

Now the difference is, of course, if your phone is hacked and your map takes you in the wrong direction, that’s a little annoying. But if satellite is hacked and is feeding bad data to a plane, that’s a real problem.

Agencies need to understand that these space systems face the same risks and they can apply the same mitigations to those risks, but also face way bigger implications if we get it wrong.

Todd Probert, the vice president for command, control, space and intelligence with Raytheon’s Intelligence Information and Services organization, said as the world is becoming more interconnected and space is becoming more democratized across the globe, the threats are increasing.

But it’s satellites that are the biggest concern. It’s the ground systems that run the satellites and other systems that are in space.

“When a satellite is actually flying, there are very few touch points in terms of how you can get into it. It’s that ground point that is of the most concern,” Probert said on the Every Side of Cyber: Protecting Space from Hackers program. “Once upon a time the ground system was simply an antenna and a command and control node that talked to a single satellite. But as these satellites and moreover these constellation of satellites become more complex, it’s all these mission planning activities that go into it, it’s all the data exploitation activities and across the board. Just like anything else, there are a number of touch points you have to worry about.”

This means the Defense Department, the intelligence community and so many other agencies have to worry about supply chain risks because of how many pieces and parts make up the new command and control systems.

Additionally, the more software code that runs these systems means the more room for error.

Probert said this is why Raytheon has taken extra steps to address supply chain risks, and to add much more rigor to the software code it develops and the code it borrows from open source providers.

He said a good example of this is the work Raytheon did with the Air Force to harden the service’s global positioning system (GPS).

“It’s an important system. We worked with the U.S. Air Force to harden that system, to help make it more cyber resilient. In fact, we fielded a system that adheres to 100% of DoD’s information assurance standards,” Probert said. “If you unpack that, it’s significant. It’s the software itself that builds that system. It’s all the component parts. To do that, we had to basically reinvent how we did software development. We worked with a number of companies to do that, to build into our processes new standards, new practices to allow for cyber resiliency.”

He said protecting GPS systems is an onion-like defense where the layers upon layers that are always changing to address new and evolving threats.

“This was a first of its time software endeavor so there was a lot of learning that went into it on both the Air Force’s side and Raytheon’s side,” Probert said. “We are at a point now where we can say, ‘we’ve done this. We’ve fielded this and it’s proven.’ It’s gone through a number of vulnerability assessment in Raytheon and more importantly across DoD.”

In the future, Probert said this type of cyber assurance and resilience will the standard by which all space systems and command and control systems will be defined going forward.

He added other agencies, including Homeland Security Department and the National Weather Service, could take advantage of this approach.

This methodology for software development also addresses many supply chain risks because all code, whether open source or commercially developed, will go through this assessment.

“Much like what we do with the code that is developed internally on our team, we put [open source software and commercial products] through a pretty rigorous vulnerability assessment,” Probert said. It’s not to say they are any more or less vulnerable than the code we build, but we are taking the same level of scrutiny across the entire system.”

 

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.