Defending space data against the dark side

From the signals needed for global satellite navigation to the data satellites collect about the Earth, other planets, and the distant Universe – as well as communication with our astronauts – everything must be transferred and stored with great care. In some cases, such care involves putting in place protective measures against uncontrolled access to information or malicious manipulation of data. ESA also needs to ensure that assets such as satellites themselves, ground systems, data centres and networks that support the real-time operation of space missions and services are kept secure, as these become increasingly critical for the daily lives of European citizens.

Not only do we rely on space data for Earth-based services but cyberattacks on space systems also have the potential to be incredibly dangerous. For example, in a very unlikely worst-case and extreme scenario, under very specific conditions, a hijacker could send a satellite on a collision course with another spacecraft. But attacks can also take many more subtle forms, including any attempt to expose, alter, disable or destroy a satellite or ground system.

To protect ESA's missions from such attacks, security measures are already in place. But whilst we can protect against known threats, knowledge is becoming more accessible, computers more powerful, and people more imaginative. More affordable small satellites mean a growing number of spacecraft in orbit that could be the subject of attack. Furthermore, current measures mostly focus on simple data communication between a single spacecraft and a ground station, but we are now entering the realm of multiple-satellite missions leading to the extreme case of mega-constellations. With satellites increasingly communicating between each other and multiple ground stations, we need a cleverer and more automated approach to protect them.

To anticipate how security threats and mission security needs will change in the future, ESA Discovery & Preparation recently supported a study that evaluated how known and emerging dangers are likely to evolve, and assessed the suitability and maturity of potential candidates for future security technology. The study was carried out by three ESA security experts in collaboration with Thales Alenia Space. 

Authenticating and encrypting information

Currently, the control of spacecraft can be protected through authentication, which involves verifying the identity of the sender of control messages. Some missions also make use of encryption, where a cryptographic key is used to transform data sent between ground mission control systems and satellites into apparent nonsense so that a would-be interceptor cannot understand it. At the other end, the authorised recipient can use either the same key, or a specified partner key, to unscramble the information.

"Because computer power is increasing, and networks are enabling the power of individual computers to be combined, attackers are improving their ability to brute force, or guess, encryption keys. So we have to update cryptographic systems to stay ahead in the 'race' against attackers," explains Ignacio Aguilar Sánchez, a Communication Systems Engineer at ESA who was one of the experts involved in the study. "But now we are seeing quantum computers that will substantially improve the efficiency of attacks against cryptography, rendering our current security protocols less secure in a quantum world."

One option could be to increase the length of keys – which take the form of binary strings – to make it more difficult to decode them. But quantum technology could also be used to improve data security thanks to quantum cryptography; for the first time ever, two parties sharing secret information would know immediately if an attacker gains access to it. Quantum cryptography can already be used to securely distribute cryptographic keys between parties using classical cryptography.

An 'unhackable' alternative

Quantum cryptography can be seen as a type of physical layer security – a collection of techniques that attempts to exploit the fact that the physical characteristics of a radio communication system between two specific parties are unique. The unique characteristics leave a 'radio fingerprint' on the modulated data – for example, the transmitter hardware produces slight distortions that could be detectable in the received signal. In theory, it would be possible to use this to identify the origin of the signal to prevent an attacker from controlling a satellite. Unfortunately, it is very difficult to do so considering the amount of signal-degradation that takes place between a satellite and a ground station, and the limited processing capability of the spacecraft receiver.

"Whilst we are sceptical about whether physical layer security would be a viable option for data security, we believe that it is worth analysing because of the significant benefits it could bring," adds Ignacio.

The software era

In the past, hardware has played the predominant role in the functioning of a satellite, and a lot of care is always taken to ensure this works properly. But with more computing power comes more powerful software, as well as more software-driven hardware. This increases options for a system to be attacked, as software can be maliciously modified during development or flight maintenance if no precautions are taken. This highlights the need for stronger defences.

One type of software-heavy technology that could change the space mission scene is artificial intelligence.

"We saw that on one hand, artificial intelligence could help us develop better solutions and stronger defences against attacks, but artificial intelligence has a dark side," explains Ignacio. "It is still a novel concept for space systems, so we are not always certain how it will react in certain situations, and it could be maliciously trained to perform wrongly."

For these reasons, mission developers are currently cautious about putting artificial intelligence into critical functions, and this study suggests that more research would be required to determine how best it could fit in to space systems.

Keeping missions secure in the long term

"One critical issue is that some missions take twenty years or more from their inception to the end of their operations, but security threats will evolve substantially in that time, potentially making longstanding missions susceptible to attack," continues Ignacio. "We are now looking into whether we could re-programme cryptography in flight so that it could be evolved to stand up against future threats."

The team found that it is indeed possible to fit spacecraft with a kind of long-term root cryptography that can be embedded into the system. Lasting 40–50 years, this would enable the lighter cryptography to be replaced, if necessary. This Discovery study confirmed ESA's view that this technology should be explored further by the Agency in 2020.

Coming next…

Based on expected developments in cyberattacks and mission needs, the team behind the study came up with a list of ten recommendations for areas that ESA should investigate further.

These include moving from conventional cryptography to post-quantum cryptography, being able to upgrade satellite cryptography systems in flight, using conventional cryptography more securely, exploring physical layer security – including onboard artificial intelligence – and setting up an independent 'know-how centre' that shares information about attacks and security developments for space missions.

"In other disciplines, it's possible to plan carefully for the long-term future, but data security is extremely unpredictable – who knows, there may be a huge breakthrough tomorrow, for the good or the bad. This means that we need to constantly be on the lookout for new evolutions, threats and attacks," concludes Ignacio.

To find out more about protecting future missions from attack, read the executive summary of this study.