Non-cyber Threat to Confidentiality

The traditional specter of theft is a common risk over the confidentiality of any design but especially so in sensitive and competitive space systems. Physically breaking into and stealing design materials such as hard drives, computers, or even papers and presentations is a real threat to the confidentiality of a space system design. We do not often hear of a space company or government organization being physically broken into, unfortunately this type of design theft is typically the result of an insider threat. This might be a disgruntled employee or a foreign national working on a research program, perhaps at a university or research center, who is there with ulterior motives and intent on bringing such designs back to their home country and compromising their confidentiality.

Cyber Threat to Confidentiality

The benefit of stealing something such as a space system or SV design via the cyber domain is that it can simply be copied, there need not be overt evidence of a computer compromise break-in (if one was even necessary) and the original file is left in place. A remote malicious actor gaining interactive access can exfiltrate a copy of important design information via their access to anywhere in the world thanks to the Internet, and on some operating systems, there wouldn’t even be evidence tied to the original file that it had been duplicated. Inside threats can also leverage the cyber domain; instead of having to copy papers or try and walk out of a facility with a hard drive or even thumb drive, they could just plug their phone into a computer and steal data over cell networks.

Non-cyber Threat to Integrity

Accidently or intentionally any alteration to design plans for a SV at this point impacts every sequential operation in the pre-operational vector past it. If the design is altered to result in the ordering of an incorrect part or something is changed that will make the SV fail early or completely, it poses a huge risk to the space system. Given that verifications will be made as the system is created and tested back to such designs, there is a chance that an integrity issue at the design phase will be incorporated and even validated down the line if it is not something that will be detected by test and evaluation procedures.

Cyber Threat to Integrity

The cyber domain is a far more dangerous and effective way of altering design files or documents in a way that will impact the integrity of the design. Where in the non-cyber sense there is plenty of opportunity to notice mistakes or even maliciously intended changes to design documents, cyber has the opportunity to alter the files and documents after they are created and validated. For example, let’s suppose an attacker with access to the computer where 3D print designs were created for a 3D printer off of design specification documents.

The design document that the 3D print file was created off of could be accurate and as intended but once the file is sent to the printer to ingest it may not even be human readable. An attacker could alter or replace it at this stage between creation and ingestion with one that will result in parts being created that are not up to specification in some way and the creator would have no idea what was ingested by the printer was inaccurate. Unless this was identified in testing prior to launch, even a referencing of the design files would show that they were still as intended and yet the integrity of the design has been attacked.

Non-cyber Threat to Availability

Non-cyber impacts to design resource availability are as numerous as an imagination could come up with, but mostly the impact of that availability loss comes down to poor or improper redundancy planning. Things like off-site backups and redundancy resources can mitigate the impact of anything from a natural disaster to an arsonist destroying the facility or a facility where system design is taking place. Planning for physical impacts to facilities and personnel can help avoid loss of availability of design resources and should be in line with acceptable risk of losing such resources and probability of such threats.

The risk also changes as the system life cycle iterates through phases. During the actual design phase and following development, design resources are integral. Losing the design resources at this point means that they need to be completely recreated and once again made available before design or development can continue. Once the system is operational, the impact is lessened. Where such design resources might not be available for troubleshooting or problem solving there may be an impact to the operation of the space system. However, at this phase design resources are no longer inherently preventative to the overall success of the space system.

Cyber Threat to Availability

One thing that is important regarding multiple backups of design resources in multiple locations from a cyber attack perspective is that the more locations a design resource is in, the more potential attack surface exists for an attacker to exploit and go after the confidentiality of such resources. On the other hand, if a design resource is in many locations and as a cyber attacker, I am trying to affect its availability, I now have to impact multiple potentially diverse cyber targets simultaneously to create a non-availability effect. This effect is likely to be the simple deletion of design files and resources stored on computing platforms; as such to completely deny availability, all copies would need to be deleted, easier and less surreptitious for a remote interactive attacker than a non-hacker insider threat who may need to physically travel to each site to delete files.

Non-cyber Threat to Confidentiality

More likely than maliciously intended, loss of confidentiality for a developmental system like this is simply the loss of the people that have the confidential knowledge in their minds from working on a program to develop a space system. Highly skilled and specialized engineering and other professionals involved in space systems are very much sought after and are a much smaller pool than is represented by the industry need. This means that halfway through developing a program, another organization or company can come in and offer more money, a cooler project, or better location to draw talent and institutional knowledge away from one space systems development to another.

When this institutional knowledge leaves, so too does some semblance of confidentiality. There is legal recourse and documentation to prevent such confidentiality loss when someone like an engineer leaves, such as nondisclosure and noncompete agreements. Such preventative measures rely on being legally appropriate and binding and assume the losing organization has the stomach or resources for a legal battle. Loss of knowledge via loss of team members is a probable and realistic non-cyber compromise of development phase confidentiality and requires non-security-related retention and legal efforts to combat.

Cyber Threat to Confidentiality

There is no need in cyber for relying on observations and knowledge gained through them by poaching a team member for employment. A cyber actor could compromise enough systems within an organization to essentially achieve the same level of observational persistence and inherently gain their own hacker-enabled institutional knowledge of a development effort.

Imagine a compromise of key systems used to document assembly and part ordering, what microphones on board those computers or team members’ phones might be able to record, or what cameras on laptops, security systems, or phones might divulge of an organization’s institutional development process. Worse than the loss of a team member, there is no obvious indicator aside from catching the cyber intrusion that there is a potential for confidentiality loss during the development phase. At least when a team member is poached, the original organization can be on the lookout for copycat or similar work and products coming out of the poaching organization and sue accordingly.

Non-cyber Threat to Integrity

Mistakes are one of the greatest threats to the integrity of the development process. Where complacency or happenstance cause the development of the space system to not be done in accordance with plans and expectations, the integrity of that development has been compromised. As an example, imagine a human carrying out the torquing of various screws and fasteners across a SV component cranked several of them too tightly.

Because the procedural integrity of the development process, here an assembly section, was not maintained, there is a risk to the actual integrity of the physical SV during launch, deployment, and upon operation. Too much torque means the screws are tighter than expected, and during vibration testing, vibrations from launch or material warping due to temperature extremes, the vehicle could be partially or completely destroyed physically.

Cyber Threat to Integrity

We already discussed how a cyber actor with interactive access to design computers might be able to alter the files that feed into 3D printer configurations to alter the physical measurement specifications of a part. In the development phase, there is a more creation-related issue that could be created via the same attack surface. If the attacker instead had the part printed with a slightly different mixture of composite materials, it may result in a part that matches the dimensions of the required piece for the SV but that would not stand up to the stresses of test, launch, and operation.

Non-cyber Threat to Availability

Though quickly growing, the space industry is a relatively small production and vendor base. This means that a given type of equipment may only be made by one of a few companies, and those companies may be small or backlogged with orders. The expertise needed to assemble space-capable equipment and integrate various pieces is also limited and provides another potential bottleneck to the development process. This means that if a vendor goes out of business or has a physically damaging scenario happening at a production plant or assembly location, there may not be time left to resource the same item from another vendor, if one even exists. Exacerbating the small vendor and integrator pool is the fact that many space-ready and hardened components have extremely long lead time, in some instances over a year, and any issue toward the end of that timeline that makes a part unavailable could cripple a development process for a space system, setting it back over a year as well.

Cyber Threat to Availability

Where our non-cyber example cited physical issues impeding the producers and assemblers of space components, the cyber domain affords a much less overt option for attackers and risk to system owners. An attacker could target a small vendor with much less security than the large corporation or government organization building the SV and cause havoc to the whole operation by targeting small innocuous attack surface.

Why would a hacker bother trying to remotely compromise a large federal organization to impact a space systems development when all he or she would have to do is hack the mom and pop vendor providing a long lead time product and cancel it or reprioritize it behind several other fake orders. In fact, a scary situation presents itself where the space industry of one nation could be severely impacted by another with a large enough pocketbook who simply ordered huge amounts of long lead products from the limited subset of vendors, meaning any new or further orders would be on the magnitude of years away from delivery.

Non-cyber Threat to Confidentiality

The easy example for a non-cyber threat to supply chain confidentiality is obvious physical theft of items which portray the logistics information for various aspects of a systems supply chain. There are though easier and more legal means by which a non-cyber attack attempt can be made to compromise the confidentiality of a supply chain. There is nothing illegal or particularly special about simple observation. Monitoring and taking pictures either at a vendor sight or at a targeted space organization site could potentially be highly indicative of what types of parts are going to and from locations.

Paying off delivery and shipping personnel for information is also a possibility as is simple open source research on the Internet about what second- and third-party vendors support the larger ones. This type of resource also expands the supply chain attack surface as interdiction attempts could be made against simple parts, assembled parts, and assembled devices along the supply chain path. The vendor the organization bought a radio from may get its circuit boards from another company who sources some of the capacitors and chips and a third and fourth. Depending on the goal of the interdiction and subsequent alteration, the supply chain could be attacked at its most basic or most complex logistic locations.

Cyber Threat to Confidentiality

Logistics, shipping, and delivery systems are just as digitized as anything else these days. A cyber attack against small third- or fourth-party vendor or even just the shipping service would allow a remote cyber attacker to compromise the confidentiality of supply chain information likely without notice. Information gained through this cyber intelligence collection enabled via cyber exploitation can provide the same information necessary for interdiction as any non-cyber effort can.

Non-cyber Threat to Integrity

Traditional supply chain interdiction is the process of physically finding an item or component along its shipping or storage path and altering it in some way, if not replacing it, before it moves along the logistics pipeline to the next stop along the way to a final assembled product. There are entire industries built around anti-tamper technology and tamper detection as well as international competitions at hacker conferences on defeating them. Breaking into a warehouse and replacing a space component–assembled circuit board with one which has a hardware implant on it to enable a remote attacker or kill power after so many hours of successful operation are a couple out of innumerous types of things that can be altered or replaced with physical access to an item along the supply chain.

Cyber Threat to Integrity

The cyber domain allows for an easier-to-achieve result with some instances of supply chain interdiction. Instead of having to break into a warehouse in the cover of night to replace a good part with an altered one, an attacker can simply alter some of the onboard programming of a previously completed part of the SV while working on another. Imagine a programmer finalizing operating system installation and configuration of a payload on a SV who also takes a few minutes to plug into and access the already installed and configured flight computer to alter behavior of the SV once it is deployed in space. This required no clever tradecraft to unseal and reseal a physical wrapping or casing. This is a clear example of why cyber testing and evaluation to ensure that what was intended codewise is what gets shot into space are needed just as much as the environmental and other types of test and evaluation a SV undergoes.

Non-cyber Threat to Availability

Non-cyber effects against the supply chain availability do not need to be sophisticated in nature at all. There is not necessarily the goal of sneakily replacing a good part with a compromised one, here the attack against the supply chain is simply to effect timely delivery or prevent delivery all together.

Instead of risking something as involved as an effort against the integrity of the supply chain, the damage to the space system life span could be the same if a certain part were to accidently or purposefully fall off the back of a delivery truck in transit. Imagine multiple copies of a long lead component for a constellation of SVs were all in the same box and that box happened to not complete the trip from vendor to customer due to being lost along the way. The whole program might altogether be scrapped if multiple launches were missed and a year or more added to the development timeline of a product.

Cyber Threat to Availability

As with confidentiality, the digitization of the production and shipping business means that a remote cyber attacker has the ability to impact the supply chain by altering destination and return addresses as a package travelled. Worse than the non-cyber example, there is a huge compromise to a space system program if its long lead, expensive, or sensitive parts were to, say, be shipped to the middle of Alaska and arrive with incorrect return addresses and tracking numbers. Scarier still what if those parts somehow ended up being shipped to a competitor organization or enemy country.

Non-cyber Threat to Confidentiality

During test and evaluation, it is often a good idea to make sure that the way in which the SV and the ground are intended to communicate functions as intended. Software defined radios, modulators, demodulators, and other communication equipment may need to be tweaked and configurations altered to ensure that communications are working between the ground-based antennas and the SV antennas while they are both still physically accessible and not hundreds or thousands of miles apart.

Calibration and observational data used in this process, if stolen or collected by other parties’ nearby antennas, could be used to tailor and enable electronic warfare capabilities such as jamming. There is some unavoidable risk to this as the transmissions between the SV and the ground will be across the air regardless of whether during test or operation, but specific data on the detailed configurations of communications settings on the radios would certainly give an attacker a leg up on jamming or otherwise interfering with said communication signals.

Cyber Threat to Confidentiality

What could be considered a cyber validation of some settings on a SV would be running scans of open ports and protocols on what computing devices were networked to each other on board the space system. Doing this allows for a mapping of potential communication pathways but also informs the developers of what vulnerabilities are remotely accessible to the onboard computers of a SV. A remote cyber attacker who can get access to the results of this type of validation would not only have a roadmap for eventual attack delivery and pivoting across the SV computers but would allow them to know specific versions of software on the SV which could feed into an effort to research and weaponize unknown zero-day vulnerabilities for said computers that would not be addressed by the validation results because they are yet to exist threats.

Non-cyber Threat to Integrity

In this sense of test and evaluation integrity in the pre-operational threat vector, there are plenty of situations that could come from any of the various test and evaluation procedures space systems undergo which would provide the creating and/or operating organization with a false sense of security and risk avoidance. As an example, let’s say that a SV is being sent for emanation testing or radio frequency (RF) self-compatibility testing, to make sure that the emanations from the SV itself won’t impede the ability of a signal sensing payload to do its mission in space.

To evaluate this an anechoic chamber is utilized to dampen any terrestrial-based signals that would skew results and provide an essentially quiet environment to measure only those signals leaking from the SV. If the sensing equipment in the anechoic chamber was not sensitive enough to detect all the various signals that might interfere with the sensing payload, or if the SV and payload themselves were not exercised through the full gamut of activities they may perform which would produce signal leakage, these tests could provide the operators with a false sense of security that once in space, no operations from the SV would provide incorrect results or interference to the sensing payload.

Cyber Threat to Integrity

Cyber attacks can affect any test and evaluation data that is created and stored on a computer. Whether testing emanations, temperature tolerance, or any number of other scenarios, if the device recording the data has it altered by malware placed there by an attacker, it would also provide improper data to the testers and ultimately the owners and operators of the SV. This might mean that the space system goes into launch and operation without knowing what its weaknesses are or likely failures will be.

Such malware could also be used to sending the development team chasing ghosts. Reporting emanation failures or other sensitive test failures that require many hours to track down, repair, and retest could hinder SV operations if not make it miss launch windows and cause parts to be reordered as they are assumed to be the issue causing an emanation or other reported failure. All of this is time wasted which can have huge impacts to the life span or even cause the space system to fail before it starts.

Non-cyber Threat to Availability

Accidents happen and they can happen during test and evaluation. As we just discussed, even accurate test and evaluation done properly can ground a space program and for good reason. The threat that can come about due to testing a SV for space operations is that many accidents by test equipment operators may irreparably damage or completely destroy the SV. During temperature testing for cold and hot environments likely to be exposed to in space, the SV could be destroyed if the equipment operator didn’t pay attention or safety and sanity checks fail.

Though space has extreme temperatures, the transition between hots and colds is not immediate, and equipment does not need to nor is designed to undergo near immediate temperature change. In the lab equipment that generates these temperatures to expose the SV to however such change is possible and if the operator accidently switched from hot to cold extremes nearly instantly, it could cause all sorts of hardware failures and damage across the SV.

Cyber Threat to Availability

Again, with cyber, it is the result of a malicious cyber attack that causes the equipment to be damaged during test and evaluation and not an accident. During a vibration test, the SV is shaken in a way that replicates the ride it will undergo aboard whatever launch vehicle it is intended to travel into space upon. These launch vehicles have their own unique vibration strengths and rates, and SVs are often designed to a specification with the vibrations of the intended launch vehicle in mind. This does not mean that the vibration testing equipment can only operate at such a resonance, and if a cyber attacker gained remote access and altered the way the test equipment for a vibration test were calibrated, it might mean that a SV meant to ride into space on a smoother launch option is shook apart on the test platform by being shaken to evaluate a much rougher launch vehicle ride that it was not designed or built for. This damage could make the SV unavailable for launch, and it could also send the testers and evaluators down an invalid rabbit hole looking for why the SV failed a test it should have passed.