
4. Technical Aspects of Cyberthreats to Satellites
Jamming
Jamming is an attempt to degrade and disrupt connectivity by interfering with the signals that are the means for communication. It is normally associated with intentional interference in signal transmission and reception, and has been used for many decades by harnessing the deliberate use of radio noise and electromagnetic signals in an attempt to disrupt communications. A jamming device normally transmits electromagnetic energy in the same radio frequency bands as the desired transmitted signal, disrupting the ability of a receiver to accurately recover the transmitted signal. Simple jammers transmit ‘noise’ that takes no account of the signal or receiver characteristics and may be indiscriminate in action, while more sophisticated devices deploy techniques designed to take advantage of the properties of either the signal or the receiver, and can block specific types of networks on one or more frequencies simultaneously.
All wireless communication systems are susceptible to electromagnetic interference or jamming; the only consideration with regard to vulnerability is the degree of protection designed into the communication system to deal with particular interference or jamming scenarios. In the specific case of satellite services, signals can be jammed on the ‘downlink’ between satellites and receivers (termed ‘terrestrial’ jamming in this paper), or on the ‘uplink’ between transmitting ground stations and satellites (termed ‘orbital’ jamming here).
Terrestrial jamming affects the operating ability of receivers located in specific geographic regions, and is a well-known technique that has been used over many years by, for example, authoritarian governments attempting to prevent people from accessing unauthorized radio or television broadcasts. During periods of unrest and political control, radio and television reception has been blocked in several countries through electromagnetic terrestrial jamming for long periods of time, so that the governments maintained significant domestic controls over available information and mass communication. Terrestrial jamming of signals has also been used in more recent times to block access to mobile phone networks and the internet. This is sometimes called a wireless ‘denial-of-service’ attack and can take many forms.
Jammers may be inexpensive (some GNSS jammers can be bought on the internet for less than $50) and are simple to use; they are also becoming smaller and easier to hide. The range of a jammer depends on its power, the atmospheric conditions, topography (for instance the level of reflective surfaces in the area), and the performance of receivers. In general, the jamming signal needs to exceed the wanted signal at the input to the receiver by more than the receiver can tolerate (its jamming-to-signal margin) in order to deny service or significantly degrade communications system performance. As an example, cases of mobile phone jammers have been documented with handheld units being able to block calls within a range of approximately 3 to 5 kilometres in urban areas. Higher-powered jammers, such as those used by military formations, can shut down service within a range of tens of kilometres. This is especially the case in rural areas, where terrestrial base stations are widely separated and where jamming power can be focused on very specific frequencies in order to avoid impact on ‘friendly’ frequencies while also achieving an advantage in terms of range.
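The relationship between jammer power, distance and the wanted signal can be made concrete with a free-space link budget. The following is an added illustration, not material from the report or from any vendor: it computes the jammer power arriving at a receiver input, the resulting jamming-to-signal (J/S) ratio, and the largest distance at which a jammer still exceeds the receiver's tolerable J/S. The signal level (-130 dBm), the jammer (1 W, 0 dBi), the tolerable J/S (40 dB) and the 20 dB urban clutter loss are all assumed illustrative figures.

```python
"""Free-space link budget for a terrestrial jammer (added example, not from
the report). All numbers below are assumed illustrative values, not
measurements of any real device or receiver."""
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss (Friis), in dB, for a line-of-sight path."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_power_dbm(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_hz: float, excess_loss_db: float = 0.0) -> float:
    """Power at the receiver input; excess_loss_db models clutter/foliage beyond free space."""
    return tx_power_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz) - excess_loss_db


def jam_to_signal_db(jammer_rx_dbm: float, signal_rx_dbm: float) -> float:
    """J/S ratio at the receiver input; denial occurs once this exceeds the receiver's tolerance."""
    return jammer_rx_dbm - signal_rx_dbm


def jammer_reach_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float, freq_hz: float,
                   signal_rx_dbm: float, js_tolerance_db: float, excess_loss_db: float = 0.0) -> float:
    """Largest distance at which J/S still reaches js_tolerance_db (inverts fspl_db)."""
    max_path_loss_db = (tx_power_dbm + tx_gain_dbi + rx_gain_dbi - excess_loss_db
                        - (signal_rx_dbm + js_tolerance_db))
    return 10 ** (max_path_loss_db / 20) * C / (4 * math.pi * freq_hz)


# Assumed scenario: 1 W (30 dBm) jammer with a 0 dBi whip on the GPS L1 frequency;
# the wanted GNSS signal arrives at roughly -130 dBm (assumed nominal level);
# a simple receiver is assumed to lose lock once J/S exceeds about 40 dB.
GPS_L1_HZ = 1575.42e6
SIGNAL_DBM = -130.0
JAMMER_DBM = 30.0
JS_TOLERANCE_DB = 40.0

if __name__ == "__main__":
    for d in (100, 1_000, 10_000, 30_000):
        j = received_power_dbm(JAMMER_DBM, 0, 0, d, GPS_L1_HZ)
        print(f"{d:>6} m: jammer {j:7.1f} dBm, J/S {jam_to_signal_db(j, SIGNAL_DBM):5.1f} dB")
    free = jammer_reach_m(JAMMER_DBM, 0, 0, GPS_L1_HZ, SIGNAL_DBM, JS_TOLERANCE_DB)
    urban = jammer_reach_m(JAMMER_DBM, 0, 0, GPS_L1_HZ, SIGNAL_DBM, JS_TOLERANCE_DB, excess_loss_db=20)
    print(f"reach: free space {free/1000:.1f} km, with 20 dB clutter loss {urban/1000:.1f} km")
```

Under these assumptions a 1 W jammer reaches about 15 km in free space and about 1.5 km once 20 dB of urban clutter loss is included, which is the order of magnitude the documented handheld cases show; every 6 dB of extra jammer power or antenna gain doubles the reach, and every 20 dB of path loss the terrain adds divides it by ten.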
Jammers of various types are readily obtainable through commercial sources. Sometimes they are used to block GSM connectivity in public spaces and thereby eliminate irritating mobile phone calls, but they can also be used for more malicious intent, denying access to communications to avoid alerting emergency services while another crime is being committed, for example. Other documented uses of jammers include the blocking of GNSS signals – thereby rendering ineffective surveillance techniques that are dependent upon reporting the position of a sensor. Terrestrial GNSS jammers have been known to interfere with emergency service response units’ position reporting systems.
Orbital jamming interferes with the signal that is transmitted by a ground station towards a satellite. The jammer does not necessarily need to be in the vicinity of the transmitter, but could be located anywhere within the receiving beam of the satellite. (For certain types of satellite, this could be anywhere within the area on the Earth that the satellite covers – its ‘footprint’.) The jamming signal degrades the quality of the wanted signal received at the satellite. For ‘bent pipe’29 satellites this results in the jamming signal being transmitted together with the wanted signal to overwhelm the terrestrial receivers, while for regenerative30 satellites the jamming signal could result in failure of the satellite receiver to function correctly. The geographic extent of orbital jamming activity is not restricted to the physical location of the jammer, but instead affects the entire geographical region in which the satellite is intended to offer service.
In addition, depending on the nature of the jamming signal, there could be unintended collateral consequences if other signals being transmitted by the same satellite are also affected. For example, if a broadcaster for an Asian television channel is subject to an orbital jamming attack, then would-be viewers in North America are also unable to receive the broadcast signals. In addition, channels that are close in frequency may be affected if the bandwidth of the jammer is broader than absolutely necessary. For example, for several years, Iranian business entities, thought to be acting on behalf of the government, aimed signals of specific frequencies at the Telstar 12 satellite which was broadcasting Persian-language television from California. The jamming signals came initially from Cuba, and later (in 2005–06) from Bulgaria and Libya.31
Beyond physical cyberattacks
In recent years, it has become apparent that a new range of sophisticated methods is being developed, deploying cyber techniques to attack vulnerabilities in communications and navigation systems. Such vulnerabilities are particularly concerning, as they may not only be hard to detect and counter, but also have very significant consequences, ranging from wide-area denial of service (equivalent to orbital jamming), to specifically targeted integrity failures (equivalent to spoofing), causing unsafe behaviour in satellite-based applications.
A significant fraction of all infrastructure requiring precise positioning, navigation and timing (PNT) information to function effectively is becoming increasingly reliant on GNSS. In particular, the GNSS satellites contain very precise clocks and broadcast timing information to allow receivers to determine their location, and this timing signal is also used by a host of applications that are vital to day-to-day functions, such as the synchronization of terrestrial wireless and fixed communications networks. The signals from GNSS satellites operate over a narrow range of frequencies and are very weak at the input to a GNSS receiver, making them vulnerable to jamming attacks. Jamming attacks on the GNSS signals can degrade or (over time) deny mobile phone network service in a given geographical area.32 Over the past few years North Korea has conducted a series of coordinated jamming attacks that have affected GNSS signals in the Seoul area for up to a week at a time, leading to degradation of infrastructure, including mobile phone networks.33
Public-service and military-grade GNSS receivers are less vulnerable to jamming as they use a range of techniques including:
- Receiving signals on multiple frequencies – for instance, military/civil global positioning system (GPS) and Galileo waveforms;
- Receiving signals from multiple GNSS systems – GPS/GLONASS/Galileo/BeiDou;
- Employing higher-specification receivers with more complex architecture;
- Deploying physical structures that mask signals received from terrestrial directions;
- Exploiting multiple receiving antennae and interference cancellation techniques.
Such techniques certainly improve the resilience of the GNSS receivers, but mission-critical systems must (and do) combine GNSS with other technologies such as inertial systems for positioning and local atomic clocks for timing, to mitigate the effects of any intermittent terrestrial jamming attacks.
Spoofing
Spoofing manipulates the information being exchanged in communications and hence reduces its integrity. Spoofing goes beyond jamming to distort or replace the wanted signal with a false signal. For spoofing to work, the receiver must continue to function correctly, and for a successful attack against a sophisticated receiver, the spoofing signals must both jam the wanted signal and be indistinguishable from it, containing false but apparently true information. A successful spoofing attack could potentially be used to target and directly damage critical infrastructure such as a national power grid by introducing erroneous timing signals, or cause indirect economic damage by, for instance, targeting high-frequency trading systems in the financial services sector.
One possible sophisticated attack scenario on a power grid might involve an attacker taking control of a wireless communications system and masquerading as a genuine controller, before creating a dangerous or destructive power surge by targeting distributed automatic power control systems devices that are used to accurately synchronize interconnected electrical grids. Potentially, this type of manipulation could trigger catastrophic overload currents, leading to cascading equipment failures. Such events could trigger power grid blackouts over a sizeable geographic area, causing significant economic damage.
As with jamming, spoofing can be applied at both the receiver and the transmitter (satellite) end. In a dramatic demonstration in 2013, Dr Todd Humphreys, heading a team of scientists from the University of Texas, Austin,34 used a lab-built device to broadcast counterfeit GPS signals that were slightly stronger than the real ones. Under controlled conditions, he took control of a luxury yacht’s navigation system, resetting the vessel’s satellite navigation in a way that was not visible to the captain. The yacht’s navigation system locked on to the fake signal, and the team then induced it to report that the vessel was off course, although it was actually on the right track. The captain, not realizing that the GPS signal was incorrect, adjusted course so that the true track of the vessel was out by a few degrees. The implications of this form of attack, perhaps on a laden, very large crude carrier manoeuvring in confined waters, are only too clear.
Alternative attack scenarios might occur on banks and stock exchanges, with a conventional man-in-the-middle attack being employed to intercept and manipulate content to extract financial gain. A further sophisticated attack would not require the transmitted content to be manipulated, but would instead target GNSS timing functions in order to exploit the automated insertion of time-stamps on transactions for fraudulent purposes.
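The mitigation noted above for timing (a local atomic or oven-controlled clock alongside GNSS) also serves as a detector for the timing-spoofing and time-stamp attacks described here, because a free-running oscillator cannot be pulled by a radio signal. The following is an added example, not code from the report or from any receiver manufacturer: it checks each GNSS time fix against a local oscillator and flags any offset the oscillator's own drift could not physically explain, distinguishing an abrupt step (such as the 13-microsecond GPS upset discussed later) from a slow pull-off, which is the tactic a spoofer uses to walk a receiver's time away without a visible jump. The oscillator stability (10 ppb), the GNSS jitter floor (200 ns), the step threshold and the sample data are all assumed or constructed values.

```python
"""GNSS timing-integrity monitor (added example, not from the report).
A free-running local oscillator ('holdover') is the reference against which
GNSS-derived time is judged: GNSS time may wander within the envelope the
oscillator's own drift allows, but a step or a faster pull-off is flagged.
Drift, jitter and thresholds are assumed illustrative figures."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TimingMonitor:
    max_drift_ppb: float = 10.0   # assumed holdover oscillator stability (parts per billion)
    jitter_s: float = 200e-9      # assumed GNSS timing noise floor (seconds)
    step_s: float = 600e-9        # assumed sample-to-sample jump that counts as a step
    t0: Optional[float] = None
    offset0: Optional[float] = None
    prev_offset: Optional[float] = None

    def check(self, local_s: float, gnss_s: float) -> str:
        """Return 'CALIBRATING', 'OK', 'STEP' or 'DRIFT' for one (local, GNSS) time pair."""
        offset = gnss_s - local_s
        if self.t0 is None:                      # first sample establishes the reference
            self.t0, self.offset0, self.prev_offset = local_s, offset, offset
            return "CALIBRATING"
        elapsed = local_s - self.t0
        # Envelope the oscillator could legitimately have drifted through since calibration
        allowed = self.jitter_s + self.max_drift_ppb * 1e-9 * elapsed
        jump = abs(offset - self.prev_offset)
        self.prev_offset = offset
        if abs(offset - self.offset0) <= allowed:
            return "OK"
        return "STEP" if jump > self.step_s else "DRIFT"


def first_alarm(samples):
    """Run the monitor over (local_s, gnss_s) pairs; return (local_s, status) of the first alarm."""
    mon = TimingMonitor()
    for local_s, gnss_s in samples:
        status = mon.check(local_s, gnss_s)
        if status in ("STEP", "DRIFT"):
            return local_s, status
    return None


def make_samples(kind: str, seconds: int = 120):
    """Constructed 1 Hz test data: +/-50 ns alternating jitter plus one fault type."""
    out = []
    for t in range(seconds):
        offset = 50e-9 if t % 2 else -50e-9
        if kind == "step" and t >= 60:          # 13 us jump, the size of the 2016 GPS upset
            offset += 13e-6
        elif kind == "pulloff" and t > 30:      # slow pull at 100 ns/s (100 ppb), well below a step
            offset += (t - 30) * 100e-9
        out.append((float(t), float(t) + offset))
    return out


if __name__ == "__main__":
    for kind in ("clean", "step", "pulloff"):
        print(f"{kind:8s}: {first_alarm(make_samples(kind))}")
```

The clean series never alarms; the step series alarms on the very sample containing the jump; the 100 ns/s pull-off, too gentle to register as a step, is still caught a few seconds after it begins because its accumulated offset outruns what a 10 ppb oscillator could produce. A system that responds to an alarm by staying on the local clock (holdover) rather than following GNSS is the reversionary mode the later discussion of the 2016 incident finds to be lacking in much infrastructure.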
International incidents and awareness of vulnerabilities
In 1997 the prescient 20-person US President’s Commission on Critical Infrastructure Protection stated that ‘the most significant projected vulnerabilities are those associated with the modernization of the National Airspace System (NAS) and the plan to adopt the Global Positioning System (GPS) as the sole basis for radio-navigation in the US by 2010’, and that ‘exclusive reliance on GPS and its augmentations, combined with other complex interdependencies, raises the potential for “single point failure” and “cascading effects”’.35 This analysis led to a thorough investigation of the threats and vulnerabilities associated with GPS deployment, and to Presidential Decision Directive (PDD) 63, Critical Infrastructure Protection,36 which set out the roles, responsibilities and objectives associated with protecting US utility, transportation, financial and other critical infrastructure. PDD 63 focused on cooperation and intelligence-sharing within government agencies and with the private sector, and protecting individual sectors such as energy, banking and transport.
The GNSS networks currently available are the US GPS, Russia’s Global Navigation Satellite System (GLONASS) and Europe’s satellite-based augmentation system (SBAS), EGNOS, together with the new Galileo GNSS. China has developed a regional satellite navigation system, the BeiDou Navigation Satellite System (BDS), and is now developing a GNSS (BeiDou-2) with the aim of global operation by 2020. The seventh satellite in India’s regional system NAVIC (Navigation Indian Constellation, formerly called IRNSS), IRNSS-1G, was launched in April 2016, and the system is set to become fully operational in the latter half of 2016. Japan is also developing a regional system, the Quasi-Zenith Satellite System (QZSS).
One example of inadvertent disruption originating within a GNSS system itself occurred in early 2016 when 15 GPS satellites broadcast signals that were inaccurate by 13 microseconds, and telecom companies that are clients of the provider Chronos logged thousands of system errors over a 12-hour period. The GPS errors were also blamed for disturbances in BBC radio broadcasts.37 The US Air Force, which manages the GPS satellite network, had earlier encountered problems in the GPS ground system software when decommissioning a satellite (SVN 23). This led to errors being transmitted to the GPS satellites, which negatively affected one signal from the satellite constellation, but the GPS core navigation messages and clock were not affected. The incident demonstrates several issues: that the software – as with all software – is vulnerable to error (or to a hack); that a 13-microsecond misstep had significant impact for several hours; that there is resilience in the GPS system, although infrastructure operators apparently have little knowledge of what to do in the event of a system degradation; and, more importantly, that reversionary modes for infrastructure systems that rely on GNSS capability appear to be lacking.
Not all countries or government agencies have had the foresight or the resources to emulate the US in analysis of critical infrastructure vulnerabilities, and until recently much of the international system was highly dependent on the US GPS alone. The advent of other GNSS satellite constellations helps to mitigate some of the risks, and is starting to raise awareness of the vulnerabilities beyond jamming and spoofing.
In these types of conventional electromagnetic attack, whether on communications systems or positioning systems, the jamming or spoofing device generally needs to be in the vicinity of the receiver, or in a position to intercept and manipulate communications between the transmitter and the receiver. The exception is orbital jammers, which, as noted above, need to be located within a satellite footprint but typically create disruption to communications services over a wide area. Organizations such as the Satellite Interference Reduction Group (IRG) coordinate the industry response to identifying, locating and responding to such attacks.
Military vulnerabilities
If left unattended, cyber vulnerabilities in the national and international critical infrastructure could be a conduit for attacks with highly dangerous consequences. Military technologies that provide situational awareness, observation and connectivity are increasingly dependent on cyber technologies. In the event of an escalation of an international crisis, cyber vulnerabilities could be exploited as part of diplomatic or military campaigns. Such attacks would increase the uncertainties in intelligence gathering and analysis and introduce uncertainties and delays in attributing actions and attacks to potential perpetrators, increase the risks of misperception, and thus further complicate decision-making at times of crisis.
Military strategic and tactical missile systems rely on satellites and the space infrastructure for navigation and targeting, command and control, operational monitoring and other functions. However, insufficient attention has been paid to the increasing vulnerability of space-based assets, ground stations, and associated command and control systems. Cyberattacks on satellites would undermine the integrity of strategic weapons systems, destabilize the deterrence relationships and obfuscate the originator of the attack without creating the debris problem that a physical attack would cause. Because cyber technologies are within the grasp of most states (no matter how small or impoverished) and non-state actors, they level the strategic field and create hitherto unparalleled opportunities for small belligerent governments or terrorist groups to instigate high-impact attacks. As stated in the 2011 US International Strategy for Cyberspace, international approaches and cooperation are needed in order to address and mitigate the full range of cyberthreats to military systems.38
Vulnerabilities in commercial satellite systems
In October 2014 a cyberattack on the US weather satellite system demonstrated the cyber vulnerabilities of strategic space-based assets.39 While military satellites are generally well protected against such attacks (depending on their age, orbit and access), this is often not the case for commercial platforms, even though increasingly they are being used for military purposes. Both the complexity and availability of satellite technology are also growing through the development of small satellites in constellations – a trend that makes the space infrastructure even more vulnerable.
In general, complacency and misunderstandings about these vulnerabilities are widespread. A recent report by the US NOAA identified ‘significant security deficiencies’ in its own information systems, and a technical white paper from IOActive Labs provided what it asserted should serve as a ‘wake-up call for SATCOM security’.40
There is a much higher potential for disruption than may be apparent from the direct mapping of cyber vulnerabilities to jamming (denial of service) and spoofing (malicious misdirection) scenarios. While electromagnetic attacks exploit physical vulnerabilities and may be characterized as ‘external’ to the systems under attack, cyberattacks that exploit non-physical vulnerabilities should be more closely characterized as ‘internal’ to such systems. Cyberattacks may have a deliberately delayed effect: latent threat vectors remain dormant within a system until activated at a critical juncture, when the level of damage they cause will be higher.
For a successful cyberattack to occur, the threat vector needs to be inserted within the system. This could take place during the manufacture, distribution or operation of the products and services that characterize the system. During the manufacturing and distribution phases, conventional physical security controls need to be applied to minimize the risk of cyberattacks. However, during operation, the conjunction of electromagnetic and cyber vulnerabilities becomes critical. As telecommunication systems integrate complex technology to improve performance, flexibility and efficiency, they are increasingly dependent on software that can be modified during operation rather than hardware or firmware that remains relatively unchanged once it has been designed and deployed. One example is the C-RAN (Cloud-Radio-Access-Network) concept being developed as part of the evolution of terrestrial mobile networks, and this type of software will be integrated into future satellite systems. Commercial tools such as SIM-toolkits are increasingly used to perform over-the-air provisioning and denial of service. Over-the-air software (both operating system and application) upgrades will be familiar to everyone using smart devices.
The ability to emulate a network, and to access, configure and control communications devices via wireless interfaces during normal operations also offers opportunities to an attacker to launch a large-scale cyberattack that remains latent within a system indefinitely, until activated at a time of the adversary’s choosing.
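The obvious control on software that can be modified in operation is a gate in front of every over-the-air load: the device applies nothing that is not authentic, intended for it, newer than what it already runs, and still current. The following is an added example, not code from the report or from any satellite or network vendor, showing that gate. For an offline, dependency-free demonstration it uses an HMAC under a device-side key in place of the asymmetric signature (Ed25519 or ECDSA over the manifest) a real fleet would use, so that the device need hold only a public key; the structural checks are identical. The key, device class, version numbers and firmware bytes are all constructed.

```python
"""Over-the-air update gate (added example, not from the report or any vendor).
Before software loaded in operation is applied, the device checks that the
package is authentic, intended for it, newer than what is installed and not
stale. For an offline, dependency-free demo an HMAC with a device-side key
stands in for the asymmetric signature a real fleet would use; the structural
checks are the same. All keys, identifiers and versions are constructed."""
import hashlib
import hmac
import json

# Constructed demo key; in production the device holds only a public verification key.
VERIFY_KEY = b"demo-manifest-key-not-for-real-use"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VERIFY_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(payload: bytes, target: str, version: int, expires: int) -> tuple[dict, str]:
    """Producer side: manifest binds payload hash, target device class, version and expiry."""
    manifest = {"target": target, "version": version, "expires": expires,
                "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest)


def verify_update(manifest: dict, tag: str, payload: bytes, *, device_class: str,
                  installed_version: int, now: int, key: bytes = VERIFY_KEY) -> tuple[bool, str]:
    """Consumer side. Order matters: authenticate the manifest before trusting any field in it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if manifest.get("target") != device_class:
        return False, "manifest not intended for this device class"
    if manifest.get("expires", 0) < now:
        return False, "manifest expired (possible replay of an old package)"
    if manifest.get("version", 0) <= installed_version:          # anti-rollback
        return False, "version is not newer than installed (rollback blocked)"
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        return False, "payload hash mismatch (payload altered after signing)"
    return True, "ok"


# Constructed sample package: a few bytes standing in for a firmware image
PAYLOAD = b"\x7fELF...demo firmware image bytes..."
MANIFEST, TAG = build_update(PAYLOAD, target="modem-gw", version=42, expires=1_800_000_000)

if __name__ == "__main__":
    print(verify_update(MANIFEST, TAG, PAYLOAD, device_class="modem-gw",
                        installed_version=41, now=1_700_000_000))
    print(verify_update(MANIFEST, TAG, PAYLOAD + b"x", device_class="modem-gw",
                        installed_version=41, now=1_700_000_000))
```

Two of the checks address the latent-threat concern directly: the expiry bounds how long a captured legitimate package can be replayed, and the anti-rollback rule stops an attacker from reinstating an older build whose defects are known. Because the version and expiry live inside the authenticated manifest, altering them invalidates the tag; only the holder of the signing key can change what a device will accept.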
There exists, therefore, a need to create infrastructure and procedures that allow full system vulnerability assessment to be undertaken and mitigation strategies to be developed, taking into account both electromagnetic and cyber techniques. Such facilities need to be available during the design, development and operational phases. As the internet has become near-ubiquitous, as devices become ever more interconnected and as critical infrastructure becomes more complex, vulnerability to cyberattacks is increasingly becoming the focus of network security, risk management, mitigation and resilience techniques. A multidisciplinary approach to vulnerability assessments and the design and implementation of mitigation strategies is required, while cybersecurity and wireless professionals alike require both greater awareness and sophisticated tools. Assuring the space-based capability must be the principal driver of the agenda. The industry needs to take stock of the GNSS vulnerabilities and develop pragmatic approaches to countering them,41 exploring and adapting new technologies, and building in redundancies.42 This will include ascertaining the prevalence of unintentional jamming and interference, and how jamming and spoofing play out in the realm of offensive state-initiated cyberattacks or may be used by terrorist groups.
Hijacking satellites to destroy or deactivate them
The technical challenges associated with cyberattacks that aim to take physical control of satellites, though great, are not insurmountable, and such a route may prove very attractive to attackers, who would most likely target industrial control systems (ICS), and specifically their vulnerable supervisory control and data acquisition (SCADA) systems. There are three components of SCADA systems: computers that control and monitor plant operations, and send signals that physically control the system; field devices such as programmable logic controllers, which control the sensors, motors and other physical components; and human–machine interface (HMI) computers, which display data on operations.43 SCADA systems rarely have inbuilt cyber protection, and are vulnerable to a wide range of cyberthreats. Reports on the vulnerabilities of SCADA systems are well documented,44 and states are actively developing the capabilities to be able to take unauthorized remote control of satellites or other space-based assets with the purpose of destroying or deactivating them.
For example, it was reported in 2014 that Russian security researchers had found over 60,000 internet-connected exposed control systems with exploitable vulnerabilities that could allow malevolent actors to take ‘full control of systems running energy, chemical and transportation systems’.45
The vulnerabilities of satellites to cyberattack include attacks that are aimed at ground stations. Most satellites launched in recent years rely on computers installed on board the satellite itself that require regular upgrades through remote access. In addition, the technology is often off-the-shelf and, just as with all electronic devices, a ‘back door’ could be present in one of the many thousands of components in a single satellite, allowing cyberattackers hidden access. An attack could arrive via a ground station with the intent of causing a satellite to manoeuvre, ‘decaying’ or lowering its orbit so that it re-enters the Earth’s atmosphere and burns up. Even if there is no ‘back door’, the encryption protecting command links is not always strong enough to resist determined, sophisticated attacks.
It is possible that a sophisticated attack could manoeuvre a satellite so that it collides with another satellite or space object. Alternatively, an attacker could activate all of the satellite’s solar panels, deliberately over-exposing them to highly energetic ionizing solar radiation causing irreparable damage.
States are actively developing these capabilities. As previously noted, two US government Earth observation satellites were hacked in 2007 and 2008.46 The attackers gained entry into the system but stopped short of issuing commands. However, they are believed to have acquired ‘all steps necessary’ to do so. In March 2014 Russia accused Ukraine of attempting to decay the orbit of a Russian television satellite.47 In the event of conflict, one country’s ability to disable or destroy one or more of another country’s satellites would give it a significant tactical advantage.
The dangers of cyberattacks that aim to take physical control of satellites have received far too little attention, even though such attacks would be of great global strategic importance. The main focus of concern has been the networks rather than the satellites. Consequently, experts and policymakers have not understood the full implications and the range of potential consequences of a satellite takeover.
Any satellite that can change orbit can be considered a space weapon. If the orbit changes so as to enter the pathway of another satellite then a collision will ensue, destroying one or both of the satellites and creating space debris that will continue to pose severe risks for other satellites far into the future. In addition, the more satellites there are, the greater the possibility of collision with debris, leading to a cascade effect known as the Kessler Effect, mentioned above, as the spatial density of debris increases.48
For military satellites, the security of ground stations and their operations has been and continues to be addressed. The communications links are well secured, and physical infrastructure is well protected. Although commercial satellite operators are becoming more sensitive to the potential physical vulnerabilities of ground stations, in reality few people are required to actually manage these systems on a day-to-day basis. Ground stations – or satellite control centres – are highly automated systems, with very few operatives physically present at a control centre. However, the ability of commercial satellite operators to secure their datalink communications through automation is limited. Because of the way satellites orbit, a global network of ground stations is needed for fleets of satellites, and both uplinks and downlinks can be sent from a multiplicity of stations in many countries. This creates major confidentiality issues and difficulties in sharing system information with local partners. Nevertheless, despite these risks, the need to know and the need to share are fundamental to effective space security operations.