Hacker News Network


Security Analysis of Satellite Command and Control Uplinks

By Brian Oblivion, L0pht Heavy Industries

With every passing day we are becoming aware of the fragile link between technology and modern society. Many critical information paths flow over satellites orbiting our earth. A box floating in space seems to be a likely target for hacker groups or renegade nation-states. As sensational as such a satellite takeover would be, it is highly unlikely. These satellites cost millions of dollars, and an adequate sum of money is devoted to making sure they remain under the control of the intended parties.

This document attempts to perform an analysis of security methods used by Government/Military Ground Stations. This information is a summation and review of open-source non-classified information taken from the Internet and other printed sources. Most information is from NASA operations procedures; however, references from those procedures influence, and are influenced by, military SATCOM standard operating procedures.

There are two methods of compromising a satellite by an external threat vector.* One is an attack directly on the Satellite by a rogue Ground Station. The second is an attack on the Master Ground Station (MGS), which houses the command and control (C&C) Uplink and various access control equipment. An outside attacker may not have all the resources necessary to attack the C&C uplink, such as the equipment that encodes the commands and the transmission to the spacecraft. This driving factor makes the assault on the MGS all the more appealing.

A great deal of work has been put into securing the C&C Uplink. The spacecraft command processor authenticates every command sent to it. The C&C data is often encrypted and decrypted in the spacecraft. The downlink is often unencrypted; in the military arena, however, it is often encrypted as well. Various transmission modes can be used, but in the military/government arena spread spectrum (SS) or frequency hopping (FH) is generally employed using secure spreading or hopping sequences. SS and FH are used due to their anti-jamming and low probability of intercept characteristics.

In the unlikely event a rogue Ground Station actually acquired the sequence to get a command burst to the satellite, the MGS would begin to receive telemetry indicating that a command channel is being accessed. Responses from the satellite to the rogue Ground Station would be received at both locations. The MGS would see a response to a request it did not send and a flag would be raised, at which point contingency plans would be set in motion. It would also be very difficult for a rogue Ground Station to supply the proper command sequence field, unless the MGS is being monitored. This is highly unlikely in the case of the armchair hacker, pointing and clicking his way to telecommunications Godhood.

By far the path of least resistance is obtaining control through compromising the security of the MGS. While long term control may not be achievable, there is the possibility of spoofing a command message to the uplink operators and having them pass that information to the satellite. Scientific Exploration and commercial satellites usually conform to the CCSDS telecommand frames and the military/government uses something similar. Information on these command frames and command syntax is available through the Internet.

A set of checks and balances exists within the MGS. If a command request exceeds pre-defined parameters, the command is flagged and escalated to an authority to determine the nature of the exception. Interception, modification, and re-submission of a command message is of the greatest risk. However, the attacker would require an in-depth knowledge of the target system and have knowledge of the normal operational parameters so exceptions would not be flagged, revealing his presence. Once a command is determined valid by the spacecraft command processor, the command is sent back to verify the proper command was indeed received and awaits acknowledgement. Further analysis of the command processor and actual checks performed on the sequence and syntax of commands received are beyond the scope of this document.
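The two ground-side checks described above (the "response to a request it did not send" flag and the pre-defined parameter limits with command echo verification) can be sketched as follows. This is an added example, not code from the original article or from any real ground system; the record layout, opcodes, limits and sample data are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:            # hypothetical record, not a CCSDS frame layout
    seq: int              # command sequence field
    opcode: str
    value: float = 0.0    # single numeric parameter, for illustration

# Constructed operating limits per opcode; anything unlisted is escalated.
LIMITS = {"SET_MODE": (0, 3), "ADJ_ATTITUDE": (-2.0, 2.0), "DUMP_TLM": (0, 0)}

def precheck(cmd):
    """Ground-side gate: release in-limit commands, escalate the rest."""
    if cmd.opcode not in LIMITS:
        return "escalate"
    lo, hi = LIMITS[cmd.opcode]
    return "release" if lo <= cmd.value <= hi else "escalate"

def correlate(sent, echoes):
    """Compare commands this station sent with echoes seen in telemetry."""
    pending = {c.seq: c for c in sent}
    seen, alerts = set(), []
    for e in echoes:
        if e.seq in seen:
            alerts.append(("duplicate", e.seq))
        elif e.seq not in pending:
            # A response to a request this station did not send.
            alerts.append(("unsolicited", e.seq))
        elif (pending[e.seq].opcode, pending[e.seq].value) != (e.opcode, e.value):
            alerts.append(("echo-mismatch", e.seq))
        seen.add(e.seq)
        pending.pop(e.seq, None)
    return alerts, sorted(pending)   # second item: sent but never echoed

# Constructed sample data.
SENT = [Command(101, "SET_MODE", 1), Command(102, "ADJ_ATTITUDE", 0.5),
        Command(103, "DUMP_TLM")]
ECHOES = [Command(101, "SET_MODE", 1), Command(102, "ADJ_ATTITUDE", 1.5),
          Command(104, "ADJ_ATTITUDE", 0.1), Command(101, "SET_MODE", 1)]

if __name__ == "__main__":
    print(precheck(Command(105, "ADJ_ATTITUDE", 9.0)))
    print(correlate(SENT, ECHOES))
```

Any alert, or any command left in the unechoed list, is the kind of exception the article says would be flagged and escalated.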

Due to these checks, one command sending the satellite spiraling out of orbit is just not possible without the addition of catastrophic equipment failure. Remember that satellite position is also tracked by third parties. In the event that a satellite makes a change in course, the MGS of that satellite would be immediately notified. There are other checks in place that monitor the heartbeat of a satellite. Should that satellite move, its associated beam spot would become disturbed, resulting in loss or degradation of communications.

There are overrides to the normal safeguards for emergency spacecraft commanding. As long as an override provision exists, there is the possibility of the exploitation of that provision. However, the override can only be engaged by onsite MGS personnel. Manual overrides are a requirement for every MGS. In the event that the computerized frontend is compromised in some fashion, be it of malicious intent or equipment failure, commands can be relayed to the spacecraft directly from manual command consoles.

The nature of Satellite communications often dictates that Ground Stations are not necessarily located in the most convenient locations. Quite often they are located in remote regions and/or at sea. This requires a distributed networking architecture as well as interoperability definitions. NASA in particular has been moving from its highly proprietary legacy systems to more commercial off-the-shelf (COTS) hardware. One must realize this obscurity once provided additional security to the network. The current trend in commercial security offerings is a reactionary role to security management. Holes remain unidentified until the units are shipped to the end user and are often not found until the device is in operation.

Some MGSs are known to be connected to live internetworked nets. These nets are often treated as sensitive, yet unclassified, to support interoperability. Security policy governing the nature of the systems which are hosted by the satellites defines the security of the MGS network. Where interoperability is not an issue, without physical access to the MGS, your chances of compromising the system are remote.

Institutional security policy sets directives in employing firewalls and restrictive routers. Intrusion detection systems may also be employed between closed networks. SecurID, Kerberos, and biometric access controls are found throughout the commercial/government/military access controls. Access is usually restricted by IP address. Firewalls and routers have been known to be accidentally misconfigured, and often remain that way for lengthy periods of time due to inadequate penetration testing and security fault analysis. An offline proof-of-concept security prototyping lab is a requirement for integrating a new access control system into the operational environment. A good institutional security policy will require such facilities.

Many safeguards have been built into the existing C&C uplinks. Key management systems are classified, as is information on implementation of cryptographic systems used. There may be holes in the implementation, but with the other safeguards, the chances of successfully undermining the security mechanisms are slim. One can never underestimate the human factor in these systems. To poke holes in security policy is human.

Hopefully this article has shed light onto the criteria which may lead to MGS compromise and direct satellite C&C uplink attack. The chances of something along these lines actually happening without new techniques or heretofore unknown methods being employed are remote, but not impossible.

----------------------------------------------------

* A third attack vector could be an attack from within. Poisoning the flight software on the satellite, or the software used to interact with the satellite, bypassing required security provisions.

Code review could diminish this threat.

These pages are Copyright © 2000 Hacker News Network All Rights Reserved.