
Cool, thank you so much, and, uh, thank you all for coming out and, uh, and, uh, watching me this afternoon. Um, so I thought I'd just kick off a little bit just talking about myself, as you know. Um, so my name is Rosin, I am head of security services at a software development firm called Opencast. We are based in the Northeast and we do kind of, uh, people-led software development. Um, I'm also, uh, kind of a friend of BSides. I've previously presented, uh, back in November at Bristol BSides, where I spoke about everyone's favorite buzzword, which is artificial intelligence. Don't worry, we won't be playing any AI bingo here. I won't be talking about that, um,
throughout this talk, um, but instead I'm going to talk a little bit about, uh, cyber defense for the final frontier, or securing the space industry. So you might be asking yourself, kind of, why space? And I think the answer is kind of quite obvious: uh, space is cool. It is something that's quite close to my heart in terms of, uh, growing up as a child doing kind of amateur astronomy with my dad. Um, in my, kind of, my day-to-day with my work in the Northeast, we have a lot of, like, kind of space centers around us, there's a lot of investment in space tech, so it's something that's particularly interesting. And also, as a, as a woman in
STEM, um, people like, uh, Margaret Hamilton, who designed the Apollo guidance system for, for the Apollo 11, which landed, um, Buzz Aldrin and Neil Armstrong on the Moon, um, she is someone who was like kind of a key role model for myself. Um, this picture in particular is her in 1969 next to all of the lines of code that she wrote for the Apollo 11 mission. And I also believe that the greatest kind of gift that humans have is curiosity, and, um, space is kind of that, you know, limitless field of possibility and curiosity. And the, the frame I've included down here is actually, recently, in order to test long-range communication methods, NASA fired a video
of a cat playing with a laser pen, um, about 15 million miles away. So all in all, space is cool, I want to talk about it. So I thought I'd talk a little bit around the role of computer science in space travel. And now, I'm not looking to kind of go through this all in its complete, in kind of its complete form. If you are interested, I would highly recommend, um, reading or listening to Tim Peake's Space, which kind of lists out all of the different, uh, aspects of space travel, all the way from the 1950s, the early Mercury programs, things like the Soyuz rocket that took Gagarin into the moon. Um, it kind of works through each of
those stages, so I would really highly recommend, if you're interested, if you're passionate, if you've got a slight hyperfixation on it like I do, that you go and you, uh, you kind of research more around it. But in short, the advent of space travel started in the 1950s and for the past 70 years has developed across various different programs internationally. Collaboration is like a kind of a key factor of that, and then all the way up into the 2000s and 2010s, where we're seeing advancement, we're seeing private space travel, and we're also seeing space tourism. So as you can kind of see, we're getting kind of from these early space systems, the, the shift in the level of technology
with these space systems is kind of, um, has been quite exponential over the past 70 years. Now, I've just included this slide, um, just to kind of outline systems engineering as a whole. I would highly recommend, um, if you are interested in launching your own rocket, or simulating launching your own rocket, that you, um, follow the link here for the Apollo 11, uh, the, the Git repo where you can create your own simulation, um, that's based off of the system that you can see above. So this is the Apollo Guidance Computer and, uh, DSKY, which is the two key, um, systems that were used, uh, during all of the Apollo launches. So these are
guidance, this is for both first and second stage rocket. So as you can see, lot of information, a lot of data. Now, really what I want to talk about is, I want to talk about this blend that we need to recognize when we work with operational technology and information technology. If you come from like a cyber security background, like I do, data is incredibly important, and that is consistent across all industries, whether it's healthcare, energy, or whether it's things like the space industry. In particular for space travel, we have to consider what purpose the data is, uh, is being used for, and that then informs the level of risk that is carried around that particular piece
of data. So things like trajectory, celestial mechanics, how are we going to get there, how fast, how are we going to get into orbit, are particularly important. Being able to communicate in real time from your space operations, and ultimately the IP that sits around your spacecraft design in the, in the first place, are all valuable data points that we have to consider when we're looking to protect that information. Now, I think all of us will probably be quite familiar with a CIA triad. So for those who aren't aware, this is confidentiality, integrity and availability, and when we talk about data security or information security, what we're really talking about is maintaining the confidentiality, integrity and availability of that
information. What we can do is we can actually take this a step further, and we can kind of break it down into more kind of granular parts, and actually what we see is the addition of non-repudiation, authentication, privacy and safety. And if you think about, in the context of space travel, aerospace, any manufacturing, energy systems, for example nuclear, wind, water, whatever, that end piece around safety is actually the thing that drives us predominantly when we think about information security and cyber security for space systems. And this is no small task. It's really quite difficult, actually, to combine safety and security, um, and this is for kind of a variety of different reasons. So they tend to be quite
divergent priorities. Although they'd have the same mission of wanting to protect users, protect data, they quite often have different roots there. Uh, there's also kind of a bit of a, I guess, cultural difference between those two topics in terms of how we deal with kind of legacy systems: you know, it's all, it's always been this way, so why would we change it? Why should we focus on security? What is cyber security anyway? I just launched the rocket, let's just send it up. And also the fact that space itself has a unique environment with a unique set of variables, which means that actually managing security and managing the control of information in these environments is particularly
difficult. Um, what I've just included here is, uh, if you're interested, um, there is a really great talk that was run by Dr Emma Taylor. Um, it was last November at Bristol BSides, and she actually is a visiting professor from Cranfield University, um, and a doctor of engineering, and she speaks really quite well about this particular topic. And so if you're interested in how you kind of balance those two pieces around security and safety, um, I'd really implore you to, to check around. So what are some of the key challenges for cyber in space? So we have a lot of communication challenges. So we have long communication delays. It's no surprise that if we send a rocket up
and it's really far away, we're going to have a slight bit of latency around our communication. We also have limited bandwidth as well, so transmitting large amounts of data securely actually means that there is, uh, the need for efficient data management and efficient encryption strategies. As a result, you tend to get quite a lot of space systems that have a lot of insecure protocols, because we need the, availability is far more important than maybe the integrity or confidentiality of the data that we're sending. So we're having to make a bit of a balance between that operational latency and then actually the security of the data that we're transmitting. We also have a lot of operational risks that we have to
balance. So the vast distances themselves means that it's quite hard to actually, you know, you can't just SSH in and fix a thing. You have to think about these, these problems ahead of time and kind of retrofit. There's also dependency on automation as well, so, you know, increasing the resilience of these automated systems. We've just seen, had that wonderful talk around Jurassic Park and those automated intellect systems. It's, it's all really important that they work cohesively together and that the data integrity is preserved, so that a decision being made by one system isn't, um, that has a knock-on effect on another system, isn't the incorrect decision, basically. And also things like radiation exposure, physical access
limitations. We also have as well kind of even more kind of, I guess, power constraints in terms of actually what we can take on a rocket. We're quite limited in our space, so we have limited processing power, so we need to make sure our systems are efficiently built and, uh, are not using too many resources. I wanted to talk a little bit as well around some of the challenges around actually creating a, a proper threat model for space travel. I think what's really important to note is there's, uh, there's kind of divergent priorities when it comes to space travel, um, and protecting the information that we have and that we use for these particular, you know, these
particular systems is really important. But just some key questions that we can begin to build out is, you know, if safety is the utmost priority, where does cyber security sit on the ladder of risks to prioritize? How do we quantify and communicate that risk to our investors, our stakeholders? If you think about the, the space tourism industry, there's huge volumes of money that are going into that. How are we balancing that level of the, the investment and the priorities of the investors with, with the reality of the, of the vulnerabilities that sit within these systems? And also, where does the threat model begin and where does it end? As you might expect, if you're building a space travel, or, you know, a
satellite, you've kind of got a long list of suppliers, really long supply chain by which, you know, you'll have your initial blueprints that are then engineered all the way up to your final product. So actually thinking about third, fourth and fifth party risk is something that needs to be actively considered, and we'll see on the next slide, um, a lot of these kind of threat actors and potential disruption come from, um, mismanagement of these risks and not understanding exactly where our threat model are. So I've just included up here, um, some of the, uh, you know, the threat actors that we can consider. Um, it should be no surprise that things like state-sponsored
attacks are particularly important. If you think about the Space Race as a whole, it's always been a bit of a dichotomy, um, and a bit of a battle, and it's resulted in, a lot of the time, you know, intellectual property being kind of a key target, but also as well disrupting real-time, um, like flight coordination data. So commercial espionage as well: I mentioned the huge volume of money that sits behind space tourism. Um, much like the Jurassic Park example, there's usually a strong motivator there for actually gaining those trade secrets, and actually, um, being able to, to breach into these systems is, is quite financially viable. And then once again that kind of pivots quite easily down into cyber
criminal activities and just people doing it for fun. So, um, NASA was hacked in 1999 by a, not anyone surprise, a 15-year-old kid who managed to get access to one of their main systems, breached a lot of like information on, you know, uh, potential kind of astronaut crews and loads of PII. Um, since then it hasn't gotten that much better, to be honest. I think just the, the defenses are more complex, but also so are the adversaries that target them. But we can kind of see, um, some of the potential impacts. So disruption of satellite operations: this is going to be really key and critical over the next couple of years, um, where we're seeing
the, you know, the advent of like CubeSats and, and using, you know, satellites for kind of committing, I guess, um, like nation states using them maliciously, and disrupting kind of satellite communication is particularly important. So there's a, there's a big potential impact in terms of that disruption of that satellite information. Compromised space missions: I mean, this is something that's fairly obvious. If, if my data is not accurate, I can't s my rocket into orbit, I can't get it out of the atmosphere, there's all sorts of things that could go wrong. And also things like data manipulation can also lead to complete failure of, of space missions. So we can see examples of that recently with SpaceX. They've been
trying to launch and, uh, launch rockets and get them to basically land back where they launch them from, and that's requiring a huge volume of, a lot of kind of inertia, momentum, loads of physics that sits behind that, um, and compromising that data obviously leads to rockets falling over and exploding. So what are some of the common threats that we can experience in the space system? To be honest, not, none of these should be that surprising. Um, a lot of the challenges and the issues, but also a lot of the key measures of success in terms of embedding cyber security for a space system, are very similar to the common threats, uh, that we
see in kind of other industries. So number one at the top there is that unauthorized access piece: you know, is, is the person accessing the information like they're supposed to, that authentication piece. Um, it also leads into like manipulation and that non-repudiation point I talked about when I talked about, uh, CIA plus PS. Um, supply chain vulnerabilities shouldn't be a surprise: 80% of, uh, cyber security incidents are usually supply chain vulnerabilities. Ransomware, malicious insider and denial of service, all of these things are very, very common throughout all of our experience in, in terms of cyber security controls and risks that we're trying to sit against. But there are some other kind of specific, um, space
specific, uh, risks. So debris management, spoofing and electromagnetic interference, all of these present potential risks to life if they go wrong. That's why ensuring that we have kind of, you know, accurate tracking data, that we're, we're alleviating our systems of navigation errors that's caused by, um, cyber breaches, or that, you know, communication is maintained, means that we can, uh, prevent these kind of risks crystallizing and impacting our systems. So I've spoken a little bit about risk, a bit about threat models and how we kind of build that out. Um, I'm going to talk a little bit now about the kind of, the types of vulnerabilities for space systems. Um, it should kind of come as no
surprise that space systems are quite complex code bases, which means that the integrity of the code to begin with is incredibly important. Um, flaws within software can lead to exploited, uh, it leads to exploits and then unauthorized access. Um, once we're kind of using software and code bases, it's very difficult for us to change them, so if there's a fundamental flaw and you've already sent your rocket up, that's, it's going to be quite tough to actually, uh, remediate any of those issues. Um, compromised components: so this is something that's particularly prevalent when we're thinking about our third party, fourth party, fifth party due diligence, and that whole piece around, you know, with building this, uh, you know,
we're building this rocket using our IP: one, has that IP been compromised in the first place, but two, are the people that are building it, have we vetted them accurately, do we understand the risk that they, they carry? Um, and that leads into kind of, you know, really maintaining that third party security. Also things like network vulnerabilities. Um, a lot of the protocols that we use when we talk about operational technologies are things like Modbus, which are inherently vulnerable, and they're vulnerable for a reason, um, but that then leads these systems to be particularly vulnerable, um, you know, as they're being used, which means that, you know, they're, they're way more prone to
getting attacked, they, they, and then that means that there will be like a compromise of mission-critical data. And then ultimately, on the kind of the ground level, authentication weaknesses: if we have someone who's able to manipulate, um, you know, like ground kind of flight control information, then we have a really significant risk there that the system itself will completely fail. So what's next? There's a lot of, um, talk about kind of collaboration and standardization across the space industry, and I think that this is quite important when we consider how do we manage an industry, or manage, uh, a particular sector, that has such wild, wildly varying levels of risk, uh, attributed with it. Um, and I think all of
us may be familiar with like various standards like NIST and ISO 70001, things like that, and they're actually, the European, uh, Space Agency and NASA are working together to kind of formalize this, uh, their own framework for, um, spacecraft, not only design but the cyber security controls that need to be in place on these, on these ships in order to maintain, um, the integrity of the data that's stored on them. So a lot of international collaboration is happening at the minute to understand what the path looks like in order to get from, you know, the current state, which is, you know, we, we're seeing hacks, like every so often someone will breach into like a
particular satellite, um, and basically implementing like a lot more of a robust governance around, uh, cyber security. So it may be something that comes up and is more heavily regulated in the future. I'd also like to talk a little bit around some of the future trends as well. Um, so quantum computing is particularly interesting. Um, there's the impact of the fact that we can do, you know, quantum-resistant encryption, which means that transmit of that encrypted data is more secure. Um, it's challenge, it presents more challenges and opportunities as well, much like AI and machine learning. Um, AI hijack, like data hijacking, is quite a, a common issue in the aerospace and, um, the, the space
industry, and this is mainly due to kind of like poisoning of like data sets and things like that, all of the things that we're, we're quite comfortable with when we talk about AI and some of the limitations that we have. Um, but there's also kind of, kind of as I previously mentioned, like the emergence of, uh, different kind of space traffic management, um, installations, which is focusing on kind of prioritizing the quality of those, that space travel information and making sure that there's effective communications in place, and also failovers as well at the same time, so there's a level of resilience. Um, so we're avoiding collisions, we're avoiding collisions of, of satellites. When satellites come to end of life, um, we've
got like a planned kind of recycling, well, releasing them back to the Earth in a, in a controlled manner. And also as well CubeSat security. So CubeSats are becoming ever increasingly more popular, um, by using kind of, you know, addressing a number of challenges, uh, by using the kind of small, small satellites, um, which means that they're more accessible, they're kind of, they're easier and they're smaller and they're more cost-effective, so really alleviating some of the, some, some, I guess, resource limitations in terms of the, the industry itself. But ultimately it comes down to a lot of the ingenuity and the curiosity, and, uh, cyber security for space systems is quite similar in
terms of, uh, the, the, the different industries that you, you guys all probably work in, and it ultimately comes back to that, that final piece, which is around the confidentiality, integrity, availability of that information being protected. Cool, and that's everything. Thank you. I'll take any [Applause] questions.
Hi. Sorry, what was that? Oh, the space debris. Yeah, so we're getting to the, there's, yeah, there's been a bunch of papers that have been released around, um, reaching that like critical mass, um, and I think that yes, basically we're getting to a point of no return, definitely. Um, but that equally there's a lot of work that's happening currently, specifically in the European Space Agency, around mitigating, um, and putting restrictions on those satellites going into, a new satellites going into orbits, and actually recommissioning some of the old ones. So I think we are becoming at a, as you said, like a critical kind of tipping point with it, but also equally I think it's something
that we've been aware of for years, since we first started sending satellites up, um, and, you know, the European Space Agency is working quite proactively in order to mitigate that risk. So who's to say, hopefully they don't all fall out all at once. So that's the M thing. Cool, any other questions?

Hi, um, space has always like toed the line between this military thing Andress, do you think that like affects how we view threats, uh, currently? Do you think we're going to see like a greater divide between those kind two realms as more place be existed?

Absolutely. I think there's always going to be like geopolitical pressures. When we look at any emerging technology, there's always a
level of, you know, you have those like kind of the innovators that are really pushing for the use cases that they're pushing it for, you know, which in most cases, like if we look at like the origins of AI, it's kind of like, um, you know, for betterment of humanity and for solving problems and for like people first. But ultimately there, with the development of any kind of new technology or any new industry, there is that geopolitical tension that usually sits alongside it, and we have seen an increase in the number of attacks on, um, kind of satellite communications over the last couple of years, since 2022. So there's definitely, as it's becoming more prevalent, we're also getting more
investment into different space systems. Um, there's definitely going to be like a bit of a, yeah, a bit of a balance that needs to be struck. I think something, you know, working towards like regulation is, is particularly important in those scenarios, so you're, you have at least rules that at least, you know, the majority work to, basically.

Hi, um, so I guess a level of reliance on industry
systemc concy

Yeah, yeah, absolutely. So, um, the, so going back to like Apollo 11 and, uh, Margaret Hamilton and the system she built, that was seven systems. In contrast, you have around about 200 to 250 systems on like modern, uh, spacecraft, all of which are kind of independently, you know, maybe not AR built in an architecture independently, but they'll be independently developed and, but will have dependencies on other systems. So there is probably, as is with lots of large kind of monolithic architectures, the, the risk that, as you said, legacy systems are particularly, are, are used. Um, I mentioned as well things like using like insecure protocols, like things like Modbus, that's like fairly, if
you look at operational technology as a whole, we tend to use insecure protocols specifically for the reason of, we want to be able to see who's saying what to our, um, to our tooling. So yeah, it's definitely, it's definitely a problem. I think what we're getting, though, is as we're getting more and more investment, especially in the private, um, private sector around like space tourism, you'll probably see kind of a bit of a push, um, away from these kind of legacy systems. But ultimately yes, they, yeah, there, there'll definitely be a mix in there. Cool, thank you.