Satellite-based networks: At risk from hackers

by Staff Reporter | May 8th, 2012

Stuart Daughtridge, Vice President of Advanced Technology, Kratos Integral Systems International

To offer an accurate risk assessment for satellite-based networks would be difficult. Halvar Flake, a Germany-based computer security researcher and mainstay of the BlackHat security conferences, said: “Predictions are hard – especially if they concern the future”.


But going by history, Felix ‘FX’ Lindner, Head of Berlin-based Recurity Labs, believes that satellites are targets, albeit collateral ones. As technical and research lead of Recurity Labs, which consults on security issues, he believes satellites are targets because “high-end attackers focus on high profile targets. High profile targets make ever increasing use of satellite communications. Everything in the satellite infrastructure is a perfect vantage point for the attackers. Ultimately, satellites will be attacked to hit their customers.”

Concurring with this, Stuart Daughtridge, Vice President of Advanced Technology, Kratos Integral Systems International, a US-based security solutions provider, says, “There have been several highly visible incidents of cyber security [infiltration] affecting satellite and space resources, including: additional background information released about disruptions of the Landsat 7 and Terra imaging satellites; news reports about breaches in several countries of the government agencies including those involved in space, defence and communications operations; and disruption of BBC satellite signals reported just recently.”

Heavy reliance on IP-based devices
Daughtridge observes: “Use of Internet Protocol (IP) based devices has been increasing throughout commercial and government satellite ground networks for a variety of reasons including cost savings, performance advantages and better interoperability. The migration of satellite ground networks to IP-based technologies is delivering tremendous benefits in cost, performance, and interoperability, but also introduces increased cyber security risks ranging from sophisticated reverse engineering, tampering, and cyber attacks, including zero day exploits, execution of unauthorised code, and high-risk insider threats.”

While IP has played a role for some time, and is commonplace especially in commercial networks, its presence is increasing as many operators look toward end-to-end IP in the ground segment.

“The benefits of IP are real and valuable, but they come with additional risk that terrestrial networks have had to counter for years. Satellite ground networks have typically relied upon specialised equipment, thus enabling satellite network operators to rely on ‘security through obscurity’.


“However, today there is a much heavier reliance on IP-based servers, workstations, modems, recorders and other equipment that creates an additional “attack surface” for cyber threats. Additionally, some satcom systems have connectivity to commercial IT infrastructure and even connect to the internet for ‘‘data access and file transfers’’, as NASA has reported. Threat surface also increases as some satellite operators move from dedicated lines to leasing commercial telecommunication lines.

Felix ‘FX’ Lindner, Head of Berlin-based Recurity Labs

“As a result, satcom professionals are not always current on the latest issues in IP or cyber security technologies because they have historically worked mostly within isolated satcom-based networks. Now these satcom networks are becoming integrated parts of the larger overall communications infrastructure, integrating IP-based systems with satcom.”


Hacking risks for satellites
Commenting on the history of hacker interest, Felix Lindner, Head of Recurity Labs, states: “Generally, hackers are interested in everything that is technologically challenging. I was introduced to hacking by people who broke into Russian military/spy satellites for imagery. The Astra signals were decoded by hackers using Commodore C64 home computers. In those days, satellite Pay-TV used to be the driver of interest.”

“Most satellite hackers come from the DVB background,” observes Lindner. He adds, “Accordingly, they keep the hardware as it is and explore the networks. An incredible 32% of all easily observable satellite traffic is now some corporation’s network traffic (TCP/IP). The satellite downlinks provide the most convenient attack path into corporate networks. The ability to see one part of all the communication enables many attacks that are otherwise a lot harder.”

Simple case of reverse engineering
Underscoring the vulnerability of satellite-based networks, Lindner gives an instance of the breaking of a satellite phone encryption.

“Secret encryption algorithms were developed by European Telecommunications Standards Institute (ETSI). Researchers from Ruhr University Bochum (Germany) simply obtained the respective phones and reverse engineered them.

“GMR-1 turned out to be similar to GSM A5/2. The ciphertext was only vulnerable to an attack due to a design flaw. The design weaknesses allow for known plaintext attacks. It requires a mere 30 minutes on a standard PC.”

According to Lindner, GMR-2 is only slightly better.

The Telemetry Tracking and Control (TT&C) system is vulnerable
Going by past trends, Lindner analyses possible future targets. Every satellite must have a way of storing and analysing the data it collects and a way of controlling its various systems. The subsystem responsible for this, the Telemetry, Tracking and Control (TT&C) system, is the one Lindner believes is vulnerable.


TT&C is the brain of the satellite and its operating system, states Lindner.

“Telemetry, Tracking and Command (TT&C) intrusions are probably undertaken in order to obtain control when it is needed. However, with increased IP routing in satellite payloads, the chances of successful direct attacks rise, removing the need to attack the TT&C.”

An extreme example, not entirely improbable, considering the increasing hostility between nations, is when individual countries could consider attacks on launch control systems in order to prevent new military satellites from reaching orbit, says Lindner.

Daughtridge believes that “all systems are vulnerable. Although military systems may be targeted more by certain types of threats, many countries including the U.S. have designated satellites as “critical infrastructure,” making the networks subject to additional cyber security and information assurance regulations. As military and government missions increasingly rely upon commercial service providers, those vendors will be subject to compliance regulations as well.


“In the U.S., for example, the Future Comsatcom Services Acquisition (FCSA) contract vehicle requires service providers to comply with Information Assurance 800-53 of the United States National Institute of Standards and Technology (NIST) and the DOD Instruction 8500.2 controls. Solutions that support an organisation’s ability to comply with these regulations provide both significant cost and security advantages.”

Myths around security compound apathy
Lindner believes that not learning from past attacks on networks could result in more devastating attacks against satellite systems. Compounding the general state of apathy are myths.

“One of the commonly held myths is that the domain specific knowledge required to attack our stuff is not readily available. This has been disproved countless times in all domains. We are no longer talking about bored teenagers.

“Another assumption is that the attacker needs specifications of your system in order to attack it. This is wrong. Reverse engineering is what drives many people. You are providing an incentive, not a deterrent!”


And while the most bandied word in any satellite conference especially for the military and government sector is encryption, Lindner believes it gives the creators a false sense of security. He says, “Secret encryption is the worst form of the secrecy myth.”

Common Weakness Enumeration (CWE-656): Reliance on security through obscurity
Daughtridge reiterates, “Satellite ground networks have typically relied upon specialised equipment, thus enabling satellite network operators to rely on ‘security through obscurity’.”

Security through obscurity refers to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security. The technique reportedly stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

Security through obscurity has reportedly never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of “keeping it simple”. The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity. “System security should not depend on the secrecy of the implementation or its components.”

In cryptography proper, the argument against security by obscurity dates back to at least Kerckhoffs’ principle, put forth in 1883 by Auguste Kerckhoffs. The principle holds that design of a cryptographic system should not require secrecy and should not cause “inconvenience” if it falls into the hands of the enemy.

Lack of threat modelling
Lindner cautions against what he calls a false focus.

“People tend to look at potential security threats to their system by how they would attack it. In addition, lack of formal threat modelling uses up all the time and budget in the wrong place such as firewalls, anti-virus, intrusion prevention and the like. Astoundingly, even most penetration tests are done wrong. Unfortunately, the hidden agenda is often to limit the scope of a penetration test to the maximum level of ineffectiveness, in order to look good to higher management and customers.”


Lindner defines the concept of threat modelling as “a well established process to holistically determine possible attacks, mitigations and defences of a complex system. It involves identifying processes, external actors, data stores and data flows. Threat modelling necessitates systematically working through all threats automatically determined from the data flow diagram (DFD) models. The process will ensure efficient investment of the scarce defence resources.”
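As an added illustration of the DFD-driven process Lindner describes (example code written for this edit, not Recurity Labs' tooling), the script below enumerates candidate threats for each element of a small, constructed ground-segment DFD and pulls out the flows that cross a trust boundary, such as the leased lines and corporate links the article mentions. The per-element category mapping is assumed from the STRIDE-per-element practice, which the article itself does not name.

```python
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}
# Assumed mapping of STRIDE categories to DFD element types (STRIDE-per-element practice).
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}

@dataclass
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element sits in

@dataclass
class Flow:
    name: str
    src: str
    dst: str

def enumerate_threats(elements, flows):
    """Return (element or flow name, threat category, crosses_trust_boundary) for every applicable category."""
    zone = {e.name: e.zone for e in elements}
    threats = []
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append((e.name, STRIDE[code], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]  # a flow between zones crosses a trust boundary
        for code in APPLICABLE["flow"]:
            threats.append((f.name, STRIDE[code], crosses))
    return threats

def boundary_crossing_threats(elements, flows):
    """Threats on flows that cross a trust boundary: the first place to spend scarce defence budget."""
    return [t for t in enumerate_threats(elements, flows) if t[2]]

# Constructed DFD (hypothetical names): a TT&C server reached by a remote operator over a
# leased line, with a telemetry archive that is also reachable from the corporate IT network.
GROUND_SEGMENT = [
    Element("remote operator", "external", "untrusted"),
    Element("corporate IT", "external", "corporate"),
    Element("TT&C server", "process", "ops"),
    Element("satcom modem", "process", "ops"),
    Element("telemetry archive", "store", "ops"),
]
GROUND_FLOWS = [
    Flow("commands over leased line", "remote operator", "TT&C server"),
    Flow("telemetry to archive", "TT&C server", "telemetry archive"),
    Flow("file transfer to corporate", "telemetry archive", "corporate IT"),
    Flow("modem control", "TT&C server", "satcom modem"),
]
```

Each enumerated tuple is a prompt for a mitigation decision, not a finding; the point of the exercise is that the list is derived from the model rather than from how one individual imagines attacking the system.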

Insider threats, as potent as external ones
Daughtridge says, “It is important also to take insider threats into account as well as external ones. A survey by Cybersecurity Watch found that 21% of security breaches were caused by insiders and that 33% of CSOs viewed the insider attacks as more costly. Many, possibly most, insider threats are actually accidental rather than intentional, such as clicking on a malware-infected link, but damaging. Use of recorders to monitor user actions at a workstation and the provision of a video record is a strong counter to the insider risk.


‘Hardening’ of the network devices to protect against malware and other problems can help prevent both external and insider threats.

Distinguishing between threats
Kratos Defense & Security Solutions, Inc. announced recently that its RT Logic subsidiary has released CyberC4, a family of cyber security products designed specifically for the satellite industry.

The new products reportedly address the increased vulnerabilities as satellite networks continue to become more netcentric, filling the major cyber security gaps that can disrupt missions.

The product suite includes: CyberC4: Armor for hardening Satcom equipment against exploits; CyberC4: Capture for protecting against insider threats; CyberC4: Alert for network-wide, real-time cyber security situational awareness; and CyberC4: Guard for communications across black and red domains within secure networks. Each, according to Daughtridge, is available for standalone use, or integrated together as a unified, layered “defence in-depth” solution for information and mission assurance.

Commenting on the sensor that acts as the eye of the network, Daughtridge explains: “CyberC4: Alert sensors are strategically deployed on the network to gather log data, net flows and observe network traffic. Sensors are capable of both passive monitoring and active scanning.

Malicious events are detected through signature, protocol and anomaly-based inspection and correlation of data collected from sensors. Once deployed, Alert establishes a baseline of system and network usage patterns, which are used to trigger anomaly alarms. Some examples of anomaly alarms include unusual bandwidth usage, the introduction of a new host on the network, a network outage, or the absence of a critical host or service.

Daughtridge underlines the fact that the CyberC4 system is a Security Event Information Manager (SIEM) that is tailored specifically for satellite ground networks.

“It accommodates many of the devices that are unique to satellite ground networks, such as satcom modems and TT&C servers, and supports important compliance requirements.”
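An added example, written for this edit and not CyberC4 or any Kratos product logic: a minimal baseline-then-alarm monitor over constructed per-interval flow records, raising the four anomaly alarm types Daughtridge lists above (unusual bandwidth usage, a new host on the network, a network outage, and the absence of a critical host). Host names, byte counts and the 3x bandwidth threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records: (polling interval, host, bytes seen in that interval).
BASELINE_FLOWS = [
    (1, "ttc-server", 1200), (1, "modem-a", 800), (1, "archive", 300),
    (2, "ttc-server", 1100), (2, "modem-a", 900), (2, "archive", 250),
    (3, "ttc-server", 1300), (3, "modem-a", 850), (3, "archive", 350),
]
# Live records: interval 4 has a bandwidth spike and an unknown host, interval 5 lacks
# the TT&C server, interval 6 carries no traffic at all, interval 7 is normal.
LIVE_FLOWS = [
    (4, "ttc-server", 1250), (4, "modem-a", 9000), (4, "laptop-x", 50),
    (5, "modem-a", 870), (5, "archive", 300),
    (7, "ttc-server", 1200), (7, "archive", 300),
]
CRITICAL_HOSTS = {"ttc-server"}  # hosts whose absence is itself an alarm

def build_baseline(flows):
    """Learn per-host mean bytes per interval; the key set doubles as the inventory of known hosts."""
    samples = defaultdict(list)
    for _, host, nbytes in flows:
        samples[host].append(nbytes)
    return {host: sum(v) / len(v) for host, v in samples.items()}

def check_interval(interval, records, baseline, critical, factor=3.0):
    """Compare one interval against the baseline; return (interval, alarm, subject) tuples."""
    if not records:  # nothing observed at all: treat as a network outage
        return [(interval, "network-outage", "*")]
    alarms = []
    for _, host, nbytes in records:
        if host not in baseline:
            alarms.append((interval, "new-host", host))
        elif nbytes > factor * baseline[host]:
            alarms.append((interval, "bandwidth", host))
    seen = {host for _, host, _ in records}
    for host in sorted(critical - seen):
        alarms.append((interval, "missing-critical-host", host))
    return alarms

def run_monitor(baseline_flows, live_flows, critical):
    """Build the baseline, then walk every interval in the live window, empty ones included."""
    baseline = build_baseline(baseline_flows)
    by_interval = defaultdict(list)
    for rec in live_flows:
        by_interval[rec[0]].append(rec)
    first, last = min(by_interval), max(by_interval)
    alarms = []
    for interval in range(first, last + 1):
        alarms.extend(check_interval(interval, by_interval.get(interval, []), baseline, critical))
    return alarms

if __name__ == "__main__":
    for alarm in run_monitor(BASELINE_FLOWS, LIVE_FLOWS, CRITICAL_HOSTS):
        print(alarm)
```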

Testing and auditing systems
On the critical issue of testing and auditing systems, Lindner is of the view that the “only way to really know is to try it. Use people with a track record in such things. They may be harder to get, but they are worth it.” He also advises companies to follow their threat model and not exclude components from third parties. “Once you know what you can rely on and what not, you have won half of the battle.”

With solutions, Lindner says the environment dictates everything.

“There is no “one size fits all”. From areas ranging from automotive, aerospace to medical environments, there are specialised cryptography protocols and multiple secure fallback mechanisms with zero maintenance scenarios.”

Criticality of the issue and effective responses
Commenting on the critical nature of the problem, the industry’s response and the need for compliance standards, Daughtridge says, “A report from the conference on ‘Securing Space Assets for Peace and Future Conflict’ at the National Defense University in November 2011 stated: ‘There was a consensus among participants that an attack on space capabilities will almost certainly be preceded by a Cyber attack.’

The NIST advises all network-centered organisations to develop an overall cyber security risk management framework and has published recommendations for processes and compliance verification.”


Daughtridge adds, “One of the most important parts of an effective response is achieving better situational awareness across the network security infrastructure using a Security Event Information Manager (SIEM) that monitors and consolidates information across devices, including Intrusion Detection Systems (IDS) and firewalls. While used frequently in enterprise networks, they are far rarer in the satellite industry.”

Top five (recent) hacking incidents:
• Stuxnet: Using a highly specialised computer worm to delay the Iranian uranium enrichment programme
• Aurora: Using 0-day attacks on client computers, attacking Google and several other Fortune 100 companies over 1-2 years to extract their intellectual property
• RSA: Breaking the security of the most widely used and trusted one-time password token system in the world to break into US defence contractor networks
• HBGary Federal: Breaking into all relevant email accounts of a defence contracting consultancy and publishing the contents
• LulzSec hacktivism: Spending 50 days to break into Fox News, PBS, Nintendo, pron. com, the NHS, Infraguard, the US Senate, Bethesda, Minecraft, League of Legends, Escapist magazine, EVE online, the CIA, The Times, The Sun

Information courtesy: Recurity Labs GmbH, Berlin

Copyright 2017 SatellitePro Middle East. All rights reserved. Product of CPI Media Group. For more information e-mail us at webmaster@cpimediagroup.com.