
Trans. JSASS Aerospace Tech. Japan Vol. 12, No. ists29, pp. Tv_1-Tv_10, 2014

Topics

Waking Up to a New Threat: Cyber Threats and Space

By Paul Kyle KALLENDER 1)

1)Keio University Global Security Research Institute, Tokyo, Japan (Received June 28th, 2013)

Revelations surfaced publicly in November 2011 that agents unknown had, over 2007-8, breached the command links to both Landsat 7 and NASA’s Terra EOS AM-1 and, on June 20, 2008, “achieved all steps required to command” Terra. In February 2012, NASA reported to the U.S. Congress a list of pervasive and deep-seated cybersecurity problems, confirming that hackers had gained access to and downloaded sensitive data from several of the agency’s major centers. While attention on satellite security currently and rightly focuses more on traditional threats to space systems, the issue of cyber security is now a major concern. Following a summary of some of the main suspected cases of known significant cyber attacks on several space agencies, highlighting the findings of the NASA report, this paper shows that sophisticated APTs are presenting a new and major threat to data assurance and space systems, and analyses the response of NASA, ESA and JAXA to the issue, concluding that cyber security concerns are presenting new challenges and forcing new policy initiatives by space asset holders.

Key Words: Cybersecurity, Cyberwar, Space Organizations

1. Introduction growing cyber threats. For example, it pointed to “significant weaknesses” that resulted in PCs and hard drives being sold or This paper was primarily stimulated by the work of Jan prepared for sale even though they still contained sensitive Kallberg and his article “Designer Satellite Collisions from NASA, noting data on 10 PCs sold to the public that had Covert Cyber War,” Strategic Studies Quarterly, Spring 2012 failed sanitization testing, and that between April 2009 and and the growing issue of cybersecurity threats that space April 2011, NASA reported the loss or theft of 48 Agency agencies and operators face. This paper is the first, to the mobile computing devices, some of which resulted in the author’s knowledge, to compare the experiences and policies unauthorized release of sensitive data including of three different major civilian space agencies, the National export-controlled, Personally Identifiable Information (PII), Aeronautics and Space Administration (NASA), the Japan and third-party intellectual property. The March 2011 theft of Aerospace Exploration Agency (JAXA) and the European an unencrypted NASA notebook computer resulted in the loss Space Agency (ESA) in discussing cyber security and space of algorithms used to command and control the International security issues. Space Station, the report noted. Other lost or stolen notebook PCs contained sensitive data on NASA’s Constellation and 2. Cyber Attacks on Space Agencies Orion programs. 
The report also identified: In November 2011 the U.S.-China Economic and Security (i) Systemic internal control weaknesses in NASA’s IT Review Commission reported that over 2007-8 the command security control monitoring and cybersecurity oversight; links to both Landsat 7, and NASA’s Terra EOS AM-1 had (ii) That the Chief Information Officer (CIO) lacked been penetrated by cyberattacks, agents unknown, and, on visibility of and oversight authority for key NASA IT Assets June 20, 2008 “achieved all steps required to command” Terra. and limited ability to direct NASA’s Mission Directorates to In February 2012, NASA reported to U.S. Congress a list of fully implement CIO-recommended or mandated IT security pervasive and deep-seated cybersecurity problems, including programs (based on the fact that IT staff responsible for 5,408 computer security incidents, the fact that only 1% of implementing security controls on mission IT assets report to NASA’s laptops were encrypted, and that hackers had gained the Mission Directorate and not the NASA CIO); access to and downloaded sensitive data from several of the (iii) “High-risk technical vulnerabilities” in NASA’s agency’s major centers. 1) mission support to manned and unmanned spacecraft; 2.1. Findings of the NASA report (iv) Failure by Directorates to consistently implement key In Testimony before the Subcommittee on Investigations IT security controls (one audit found only 24% of applicable and Oversight, House Committee on Science, Space, and PCs on a mission network monitored for critical software Technology, February 29, 2012 on NASA Cybersecurity, Paul patches and 62% monitored for technical vulnerabilities and; K. Martin, Inspector General National Aeronautics and Space (v) “Significant weaknesses” in NASA’s internal controls Administration, identified a series of serious issues with for sanitization and disposal of excess Shuttle IT equipment at NASA’s IT governance. 2) four NASA Centers. 
The report also highlighted shortcomings The report noted a wide range of areas for NASA to in implementing continuous monitoring of IT security improve its cybersecurity policy and practice in the face of required by The Federal Information Security Management

Copyright© 2014 by the Japan Society for Aeronautical and Space Sciences and ISTS. All rights reserved.

Tv_1 Trans. JSASS Aerospace Tech. Japan Vol. 12, No. ists29 (2014)

Act (FISMA). to a cyber intrusion at Goddard with information sent to The report noted that NASA needed to take significant steps servers in Russia (suspected remote access/control of to ensure its successful implementation of improved cyber satellite). security policy. On a positive note, the OIG found that NASA 1997: NASA: reported as infecting major NASA had completed 51 of 69 recommendations in IT audit reports centers stealing sensitive data. over the last 5 years. As the list suggests, while attention on satellite security 2.2. Major cyber security incidents reported in media currently and rightly focuses more on Space Situational The following is a brief list of cybersecurity incidents Awareness (SSA) orbital debris and kinetic impact issues, reported in the media, with the nature of the suspected breach jamming, blinding and interference, the issue of cyber security, or issue noted in parenthesizes if not obvious: is becoming more prominent with the increased sophistication Nov. 2012: JAXA: suspected espionage of Epsilon/ H-2A/B, of attacks. HTV, M-V LVs (PC spyware). Jan. 2012: JAXA: HTV-related PC; suspected leakage of 3. Cyber Threats and Cyberwar information on spec and operation, login information and stored e-mail addresses dating back to Jul.- Aug. 2006 Beyond attacks by individuals or groups of hackers and (PC-based virus). DDoS attacks to slow servers and websites, at least of the May 2011: NASA: JPL website compromised due to a attacks suffered by NASA and perhaps the publicized attacks cyberattack by unknown hackers. Goddard: Earth Observing on JAXA, may fit the category of advanced cyber espionage System penetrated by Romanian TinKode. of cyberwar. Cyber espionage is the act or practice of Apr. 2011: ESA: “TinKode” penetration of 13 FPT servers. obtaining secrets from individuals, competitors, rivals, groups, Mar. 
2011: NASA: Codes to control the ISS may have been governments and enemies also for military, political, or compromised through stolen PC; 48 other NASA PCs stolen/ economic advantage using illegal exploitation methods on lost Apr 2009-2011. internet, networks, software and/or computers. If cyber Jul. 2010: ISRO: Problems INSAT-4B via Siemens espionage is connected to a particular state or state authority, software shut down transponders (suspected, though not this can become an example of , when confirmed Stuxnet penetration). cyberwarfare refers to politically motivated hacking to 2011: IntelsatONE identifies 300,000 denial-of-service conduct sabotage and espionage. attacks on its network. If we can assume that many of the threats, defined by ISO 2010-11: NASA: 5,400 incidents in 2010-11; unknown 27005 as the “…potential cause of an incident, that may result hackers gained “full functional control” of important systems in harm of systems and organization” were sophisticated 13 times (remote access). enough to presume direct or indirect state involvement, then 2009: NASA: JPL: OIG reports hackers compromised a key many of the attacks documented in this paper fit Richard A. mission network stealing export-restricted data (hacking). Clarke’s definition of cyberwar. In his book Cyber War (May Sep. 2008: NASA: Goddard was affected networks that 2010), cyberwar can be classified as “actions by a nation-state process data from the Earth Observing System; linked to to o penetrate another nation's computers or networks for the China under the code name “Avocado’ (spear phish attack). purposes of causing damage or disruption.” 3) Conversely, for Jun. 2008: NASA: Terra AM-1: minutes of remote cyber example, U.S. Director of National Intelligence James Clapper control / interference reported. divides cyberwar into cyber espionage and cyberattacks. Oct. 2007: NASA: Landsat-7: Possible 12+ minutes remote 3.1. Cyber espionage & cyberwar cyber control / interference. 
At least two attacks on NASA have been linked to large- Oct. 2007: NASA: Over a dozen PCs penetrated including scale cyber espionage programs. One, Titan Rain, which ran that of CFO Gwen Sykes (spear phish attack). from 2003, is credited informally to Chinese military hackers, Dec. 2006: NASA: Facing network hacks; NASA blocked saw infiltration Lockheed Martin Corporation, Sandia all e-mails with attachments before STS launches. National Laboratories and the Redstone Arsenal, as well as Dec. 2005: NASA: Johnson; 2 GB of ISS-related data NASA. running from 1998-9 is suspected to stolen (PC virus). have been Russian in origin. Apr. 2005: NASA: stame.exe; Kennedy Space Center and 3.2. Operation Olympic, Stuxnet VAB, data transferred to server in Taiwan (PC virus). Discovered in June 2010, Stuxnet is a complex worm that May 2004: NASA: Ames; forced to disconnect two penetrated Siemens supervisory control and data acquisition supercomputers to limit the loss of secure data (Titan Rain). (SCADA) systems that are configured to control and monitor Feb. 2001- Mar. 2002: NASA: Marshall hacked. Gary specific industrial processes. Different variants of Stuxnet McKinnon accused of hacking into 97 U.S. military and targeted five Iranian organizations, with the probable target NASA computers using the name “Solo.” widely suspected to be uranium enrichment infrastructure in 1999: NASA: Simulated incursion succeeds in penetrating Iran, which was subsequently damaged. While the U.S. and C2 systems. Thomas Talleur, senior investigator for cyber Israeli governments have not formally acknowledged their security details attacks on the design, testing, and transferring respective roles in U.S. in the design and release of Stuxnet, a of satellite package command-and-control codes, implicating a 1 June 2012, an article in The New York Times identified mainframe computer in Russia. Stuxnet is part of a U.S. and Israeli intelligence operation Sep. 1998: ROSAT suddenly turned toward the sun. 
Linked called “Operation Olympic Games” started under President

Tv_2 P. K. KALLENDER: Waking Up to a New Threat: Cyber Threats and Space

George W. Bush and expanded under President Barack second priority behind Information Technology with Satellites Obama. If true, this would be the first known case of and Telecommunications coming third out of 20 categories. inter-state cyberwar where the government of one nation Mandiant said APT1’s sophisticated methods in covering its specifically targeted the strategic military infrastructure of tracks, other factors including the reluctance of targets to another and actually damaged it. In any case, Stuxnet admit serious breaches, the time lapse between actual graphically illustrates how it is now possible for one state to infiltration and discovery and the fact that APT1 is only one of surreptitiously control or sabotage even the protected, 20 or more groups suspected of such activities in China alone air-gapped critical/ strategic infrastructure of another state. mean that the report probably grossly underestimates the 3.3. The growing threat of APTs activities of APT1, one of 20 groups that may be associated In recent years, the nature of cyber threats has metastasized with the PLA in conducting cyber espionage and/or cyberwar. into an arms race between organizations and those who would 3.4. The case of NASA like to breach IT networks led by the growth of Advanced The February 29, 2012 report mentioned above found that Persistent Threats (APTs). APTs refer to groups, such as NASA has become the target of APTs, noting that in FY 2011, foreign governments, with both the capability and intent to NASA reported it was the victim of 47 APTs, 13 of which persistently and effectively target a specific entity. successfully compromised NASA computers. 
It noted in one In February 2012 a U.S.-based cybersecurity consultancy, of the successful attacks, intruders stole credentials for more Mandiant Corporation, exposed the massive growth of cyber than 150 NASA employees, data that could have been used to espionage spear phishing APTs, which it attributed to Unit gain unauthorized access to NASA systems. An ongoing 61398 of the People’s Liberation Army (PLA) by an investigation of another such attack at JPL involving organization it labeled “APT1.” It suspects APT1 is one of 20 Chinese-based Internet protocol (IP) addresses confirmed that groups associated with the PLA engaged in pervasive global the intruders gained full access to key JPL systems and cyber espionage programs, although the company maintains sensitive user accounts. that while circumstantial evidence of state (i.e. PLA) The report also noted with full system access the intruders involvement is strong, no absolute or conclusive direct link could: (1) modify, copy, or delete sensitive files; (2) add, can be made. 4) modify, or delete user accounts for mission-critical JPL Mandiant found that APT1 had gained entry into at least systems; (3) upload hacking tools to steal user credentials and 141 organizations spanning 20 industries stealing as much as compromise other NASA systems; and (4) modify system logs with 6.5TB from one target over a 10-month period. In the to conceal their actions. In other words, according to the first month of 2011, APT1 successfully compromised at least report, the attackers had full functional control over these 17 new victims operating in 10 different high value industrial networks. The report noted that even after NASA fixes the sectors. 
Controlling at a minimum 1,000 Command and vulnerability that permitted the attack to succeed, the attacker Control (C2) servers, APT1’s sophisticated spear phishing may covertly maintain a foothold inside NASA’s system for emails have been used since at least 2006 to steal broad future exploits. categories of IP, including blueprints, process and production 3.5. Japan techniques, strategy, planning and other high-value and Beginning with a July 2009 large-scale DDoS attack confidential data. APT1’s masking techniques and had grown targeted against South Korean Internet services in conjunction so sophisticated that APT1 will even reply within 20 minutes with similar attacks against the United States, both Japan and to queries of targeted individuals questioning the authenticity Korea have been subject to a sharply increasing volume of of mails, masquerading as the legitimate correspondent. APTs. For example, in August 2011, Mitsubishi Heavy The report shows just by itself APT1 is known to have Industries discovered viruses on its systems in 11 locations penetrated 115 organizations in the U.S., and one each in across Japan, finding 45 servers and 38 PCs were infected by Luxembourg, France, Belgium and Japan since 2006. Within at least eight types of viruses when employees unwittingly these, starting in mid-2008, Mandiant found at least 11 opened emails containing malware. IHI Corp. and Kawasaki Satellites and Telecommunications organizations had been Heavy Industries, also major space, defense and engineering penetrated, accruing the next 10 targets at regular intervals contractor also confirmed they had been targeted. In October with the last target breached in mid-late 2012, the next two in that year it was revealed that the foreign ministry and several early 2009, the next two in mid-late 2009, then early-mid Japanese embassies had been under attack since June, as had 2010, then 2010 year-end, and then five new targets at 2-3 Japan's Lower House. 
month intervals through 2011. The report showed attacks on The Cybersecurity and Economy Study Group Report of 14 International Organizations and Scientific Research and August 5, 2011 by the Ministry of Economy, Trade and Consulting organizations starting in early 2009. In the latter Industry (METI) noted waves of attacks specifically against category, APT1 breached targets in late 2009, mid-2010, at Japan beginning September 2010 against high-value Japanese the start of and in early 2011, two targets in fall of 2011, and targets, including Government agencies noting a six-fold one in early 2012. Of the 12 Aerospace sector targets breached increase in sophisticated spear phishing attacks on leading beginning mid-2009, three organizations were penetrated in corporations, research institutes and Government between early, mid- and year-end 2010, the next at the beginning of 2007 and 2011. In 2011, such attacks accounted for one-third 2011, 3 in a group in summer 2011 and then three more in of all recorded attacks, with nearly 37% of APTs focused on mid-late 2012. The report indicated that Aerospace was the on Japan's infrastructure, especially control systems such as

Tv_3 Trans. JSASS Aerospace Tech. Japan Vol. 12, No. ists29 (2014) those used in power plants and the manufacturing industry. increased ability to defeat secure authentication, bridge ‘‘air 3.6. U.S.-China economic and security review gaps,’’ and target deployed platforms at sea and in space. commission In conjunction the Annual Report, “Occupying the Two recent reports, “Occupying the Information High Information High Ground: Chinese Capabilities for Computer Ground: Chinese Capabilities for Computer Network Network Operations and Cyber Espionage,” noted that the Operations and Cyber Espionage,” prepared for the PLA’s strategic priority on creating modern command, control, U.S.-China Economic and Security Review Commission and communications, computers, intelligence, surveillance, and the other by the Commission itself note China as both a major reconnaissance (C4ISR) infrastructure has catalyzed the cyber espionage and cyberwar threat, each pointing to a development of an integrated information warfare (IW) growing awareness of the importance of protecting space capability both to defend China’s military and civilian related assets. 5) 6) networks and seize control of an adversary’s information  The first, the Annual Report to Congress of August 13, systems, and that the PLA is focused on an IW strategy to 2012 notes that U.S. industry and a range of government and achieve these goals. 
military targets international organizations face repeated Further the report stated that PLA is reintegrating its exploitation attempts by Chinese hackers of various stripes, previous strategies to combine various kinetic, computer citing a 2012 Trend Micro report highlight that released case network operations (CNO), electronic, IW and psychological studies on the China-linked campaigns that targeted warfare strategies into a unified concept that integrates all government ministries, including military institutions in India elements of information warfare—electronic and and various military and industrial institutions in Japan. It also non-electronic—offensive and defensive under a single showed that in January 2012, security researchers identified an command. It noted that this goal “has effectively created a apparently China-based cyber espionage operation targeting a new strategic and tactical high ground,” and that China’s U.S. Department of Defense’s network authentication growing capabilities to attack and degrade both critical standard. Directly pertinent to this paper, it called NASA’s infrastructure and military capabilities of technologically reporting of 47 APTs was the most disturbing example of advanced nations poses “a more complex risk calculus” when what it called “malicious Chinese cyber activity.” considering the pros and cons of conflict, covert or overt, with The report called into question the integrity of the U.S.’s China. defense and telecommunications supply chains, noting that a The report identified 3PLA and 4PLA as entities that will 2012 Senate Armed Services Committee investigation found be responsible for directing cyber warfare at an adversary’s numerous instances of suspect parts used in a variety of logistics and C4ISR infrastructure in the event of conflict. 
military systems and identified China as ‘‘the dominant source Similarly to the Annual Report, the subsidiary report noted country for counterfeit electronic parts that are infiltrating the potential risks posed by the close relationship between the defense supply chain,” and asserting that malicious supply PLA and China’s largest telecommunications hardware chain attacks have already taken place in the U.S. manufacturers to penetrate microelectronic supply chains U.S. In accordance with the growing sophistication of APTs, as military, civilian government, and high-value civilian industry noted in this paper, the Annual Report also pointed to the such as defense and telecommunications through growing volume of exploitation attempts, calling China “the modification/tampering of semiconductors, microelectronics, most threatening actor in cyberspace.” It noted materials routers, etc. to place logic bombs and back doors and malware submitted to the Senate Armed Services Committee by into products. Samuel J. Locklear III, commander of U.S. Pacific Command Specifically for space, the report notes that joint PLA and stating that China’s military is “building capability to target civilian research into Computer Network Attack and U.S. military space-based assets and computer networks using Computer Network Exploitation tools and techniques may network and electronic warfare.” provide a more advanced means to penetrate unclassified The report identified The Second Department of the PLA networks supporting U.S. 
satellite ground stations and that as General Staff Department (2PLA) is responsible for military part of PLA’s focus on seizing information control of intelligence, the Third Department of the PLA General Staff adversary C4ISR systems, the 4PLA’s primary research Department (3PLA), responsible for signals intelligence and institutes have supported work on GPS jamming, Joint the Fourth Department of the PLA General Staff Department Tactical Information Distribution System countermeasures, (4PLA) which engages in electronic warfare as actors in jamming of frequency ranges associated with communication various elements of cyber espionage and warfare. satellites commonly used by Western militaries, and synthetic Aside from breaches at NASA, the report noted case studies aperture radar jamming. In the event of inter-state conflict, showing the deliberate targeting of the F–35 Joint Strike electronic warfare platforms and capabilities developed by Fighter program built by Lockheed Martin in conjunction with these and similar research institutes will be coordinated with Northrop Grumman and BAE Systems, and some 900 computer network attack tools against key command and subcontractors, noting that Lockheed Martin officials control nodes and networks for comprehensive “full spectrum reportedly acknowledged that six to eight F–35 subcontractors attack,” (meaning the five realms of air, sea, land, space and were “totally compromised” in 2009 alone. cyberspace) the report notes. The report identified increasingly advanced types of operations or operations against specialized targets with

Tv_4 P. K. KALLENDER: Waking Up to a New Threat: Cyber Threats and Space

4. Cyber Security Policy at NASA, ESA and JAXA Plan and the Agency’s Information Resources Management (IRM) Strategic Plan which identified the Agency’s IT goals The next part of this paper summarizes some of the next three to five years. NASA is focusing on: (i) improving approaches and responses by three main space agencies, its prediction, prevention and containment of IT security NASA, ESA and JAXA, with a brief mention of some repose incidents; (ii) better identifying and protecting mission from industry. information targeted by adversaries such as nation-states, 4.1. NASA cyber criminals, and hackers; (ii) better integrating IT security NASA spends over $1.5 billion annually on its IT-related solutions across NASA (iv) establishing a risk-based approach activities, including $58 million for IT security. NASA owns a to managing IT security; (v) turning NASA’s abilities to a little less than half of the U.S. government’s non-Defense predictive and preventative security stance rather than a websites. There are approximately 3,400 NASA controlled reactive stance; (vi) improving the defense of the Agency’s IT websites and nearly 1,600 of these are linked to the outside security posture and building security into the System world. There are an estimated 176,000 individual IP addresses Development Life Cycle (SDLC). assigned to NASA’s IT systems and networks. NASA also The strategy noted additional IT trends impacting the possesses more than 120,000 computer or related devices protection of NASA's IT infrastructure include cloud located at its centers and facilities that are connected to the computing, social networking and Web 2.0+, the speed of Agency’s IT networks. NASA’s IT assets includes more than technology changes, and mobile computing. 
550 information systems and hundreds of thousands of The Information Security Strategic Plan: In response to individuals, including NASA personnel, contractors, FISA requirements, NASA also released its Information academics, and members of the public use these IT systems. Technology Security Division's (ITSD) 2012-2014 Federal law and NASA policy designate the Information Security Strategic Plan for the next two years, Headquarters-based Chief Information Officer (CIO) as which requires SOC to adopt metrics to measure performance. responsible for developing IT security policies and procedures NASA is also focused on active mitigation activities including and implementing an Agency-wide IT security program. The scanning, patching, vulnerability management, Information Technology Security Advisory Board (ITSAB) communication, and user training and awareness. NASA also serves as the main governing body for information security at states it has closed 16 of 37 recent recommendations made by NASA. The ITSAB consists of Chief Information Security OIGs most recent Semi-Annual Report to Congress, and has Officers (CISOs) and senior cybersecurity professionals from developed a corrective action plan to mitigate the remaining NASA Centers and Missions. NASA’s IT Security Division is open recommendations. located in the Office of the Chief Information Officer (OCIO), NASA says it is scanning and remediating outstanding which strategically manages Agency-wide security projects. It vulnerabilities on Internet-connected devices, has conducted a is joined by the Capital Planning & Governance Division third-party external assessments of networks and implemented which promotes the CIO’s policies, principles, standards, and a Web Application Security Program. 
The Agency has guidelines and the Technology and Innovation Division, led correlated data for analysis of 130,000 connected devices to by the Chief Technology Officer for Information Technology, assess vulnerabilities and security patch status, identified and and guides NASA’s IT strategy and investment decisions. The monitored mandatory critical security controls to continuously Enterprise Service and Integration Division is responsible for assess real-time vulnerabilities, and entered a two-year the design, implementation and delivery of NASA’s Memorandum of Agreement with the Department of Energy Enterprise Architecture, infrastructure elements, networks, to continue penetration test services of mission networks to data centers, Web services, desktop PCs, and etc. identify network vulnerabilities and required credentialed Evolution of NASA’s cyber security response: To improve scans to increase the detection of vulnerabilities on its capability to detect and respond to cyber threats, in Internet-connected devices. November 2008 NASA consolidated its Center-based Regarding incident response, the NASA says it has computer security incident detection and response programs completed a NASA-wide incident response handbook to into a single, Agency-wide computer security incident standardize incident response procedures, updated an Incident handling capability called the Security Operations Center Management System reporting tool to provide a greater ability (SOC) at Ames Research Center. SOC provides NASA with: to analyze and respond to incidents and instituted new (i) continuous NASA-wide incident monitoring and detection; technologies to better contain APTs. 
(ii) security bulletins to share incident and threat information It says it has also conducted internal program assessments with NASA incident responders; (iii) a centralized Incident using the Strengths, Weaknesses, Opportunities, and Threats Management System for storing, managing, and reporting (SWOT) planning tool to determine areas of improved incidents internally externally (to OIG and the U.S. Computer alignment of enterprise IT security services. In addition the Emergency Readiness Team; and (iv) a hotline for reporting Agency has also developed a series of IT Security handbooks. potential IT security incidents. In October 2011 NASA 4.2. ESA adopted an IT governance model to streamline decision The European Space Agency is an International making for strategic IT investments. Organization promoting space research with about 30 sites The NASA 2011 Strategic Plan: In February 2012, NASA interconnected by the ESACOM Wide Area Network covering CIO Linda Cureton released details NASA’s 2011 Strategic 4,000 internal online users and over 10,000 external users.

Tv_5 Trans. JSASS Aerospace Tech. Japan Vol. 12, No. ists29 (2014)

Users comprise managers, scientists, technicians, administrators, politicians, citizens, even astronauts and cosmonauts. ESA’s structure is highly diverse, comprising 20 Member States and a high degree of cooperation and interaction with external partners not limited to National Space Agencies/Offices (CNES, DLR, ASI, etc.), the European space industry (including EADS, Thales-Alenia Space, etc.) and international space agencies including NASA, CSA, RKA and JAXA. 7)

Space is now considered a basic element for the security of the European citizens. European Space Policy includes defence-security aspects and is building synergy between civilian and military activities, both terrestrial and space-based, with data of different security classification levels. ESA recognizes that key infrastructures providing access to and from space must be protected. This is covered by the EPCIP (European Programme for Critical Infrastructure Protection) directive, which says that access to/from space is considered among Europe’s critical infrastructures.

Security elements targeted by the ESA Council include critical infrastructures protection, maritime and land surveillance, humanitarian crisis support and rescue tasks, public safety (incl. civil protection), as well as other emergent security threats (e.g., climate change) and security in space, namely Space Situational Awareness (SSA).

Evolution of cyber security strategy: ESA’s cybersecurity policy during the 1990’s, called INFOSEC, was driven by the huge growth of data flow combined with the growing complexity of interactions both externally and internally. ESA’s modern cyber security strategy evolved from 1998 when it established its first initial network security policy, instituting firewalls between internal and external systems, and then setting more barriers between missions, leading to the setting up of subnets separating and protecting each Mission. ESA’s security policy protects civil space mission types, commercial data dissemination, science mission experiment scheduling and data access, business, commerce and scientific assets.

ESACERT and Security Office (SO): Reflecting the growing need for a specialized organization to deal with the growing sophistication of cyber threats, cybercrime and cyberespionage, ESA evolved its cybersecurity institutions. This followed a long-term evolution of ESA policy from information security to cyber security and the emergence of classified systems, for example Galileo. In 2002 ESA set up ESACERT, with five full-time security analysts based at ESRIN, ESA's Centre for Earth Observation, in Frascati, Italy, to control incident response as well as monitoring, warning and advisory functions. ESACERT continually monitors ESA’s IT service providers, including Orange Business Services, owned by France Telecom, for ESA’s corporate networks, and vets all alarms and zero-day attacks. In 2006 ESA set up its Security Office (SO), also located at ESRIN, as a separate function that defines the cybersecurity policy and procedures and controls its correct implementation.

DMZs and missions-based security: In ESA, missions and programs develop their own IT systems to support their programmatic goals, e.g., the Earth Observation Payload Data Ground Segment and the Galileo ground segment. Regarding access protocols, program-specific data systems are normally located in specific “De-Militarized zones” (DMZs) subject to specific access policies. ESA’s current network security policy is structured in three principal layers: ESA’s External Services Networks and de-militarized zones that connect with external networks; one layer deeper, ESA Internal Services Networks protected by firewalls; and at the innermost core, ESA Restricted Networks. There are about 4,000 end-user devices and 1,000 data servers, served by a full class B IP address space. While missions and programs develop their own specific data policies, each program must appoint a responsible security officer, and ESA security officers are linked in a network of expertise and operationally linked, coordinated by an Infosec Officer in the Security Office.

Roles of ESACERT and SO: ESA’s SO and ESACERT demarcate their roles. ESACERT conducts operational network monitoring and reacts to incidents. The SO sets the security policy for the Agency as a whole as well as for operational security systems (mission-related). The SO coordinates its work with a set of external controllers, including the Member States’ national space agencies and national security authorities, who meet biannually in the ESA Security Committee, which is the specific Agency board ruling on security matters. The SO maintains a peer relationship with the European Union, having established a security agreement with the EU Council, the Commission, and the External Action Service.

The SO covers the traditional five pillars of security: physical (premises) protection, personnel, document and information protection, security of information and communication systems, and business continuity management. In its policy-setting role, the SO defines ESA’s Security Regulations and Security Directives and technical solutions, such as the Network Security Policy and the rules for the Network Security Perimeter (firewalls), and conducts regular threat and risk assessment exercises based on the ISO 27001 standards.

Modular Approach and ISO 27001: ESA takes a modular approach to security defined by objectives, scope, and methodology. IT security objectives define the security requirements applicable to all ESA IT and communications networks that store, process or transmit ESA information. ESA adopts a Principle of Information Assurance. All ESA ICT systems must protect ESA information under their control from unauthorized access, destruction or disclosure, with respect to the typical aspects of confidentiality, integrity, availability, authenticity and non-repudiation. All systems are eventually subject to ISO 27001 certification, requiring a cycle of risk assessment and countermeasures that are based on the establishment of ESA’s own information security management system (ISMS). ESA therefore continually updates its response to risks through a PDCA loop. The Security Office performs regular audits and reserves the right to conduct specific audits on any systems at any time.

Threats: ESA characterizes cyber threats in terms of threats to both its space and ground-based systems and networks


(organized in ground stations and control centers), including uplink jamming and replay, while threats to the ground installations include interception of data from the network or its users, malware or unauthorized access. ESA now recognizes social engineering, email-based key-logging software, phishing attacks and APTs as its main threats. ESA states its most common security incidents include viruses, trojans and worms distributed by amateur hackers, although some are now considered as targeted security attacks. ESA notes that several strategically important programs, particularly Galileo or GMES, have generated more complex threats. ESA regards potential infiltration of critical infrastructures with software that can take over control of the facilities as a “future possible threat.” It regards its main vulnerabilities as failures to update patches and weak passwords.

Response - Case study: the incident of April 2011: ESA follows up all security incidents carefully, noting that publicized intrusions may negatively affect its public reputation. On April 18, 2011, ESACERT was informed that TinKode had published an article stating that the ESA portal had been hacked, leading to widespread media interest. ESA immediately declared a severity 1 incident (the highest level of importance). After an initial review, ESACERT confirmed that 12 servers, all on ESA external DMZs, had been affected. The systems were immediately disconnected and cleaned, accounts were reset, and the systems were returned into operations. As only an external DMZ was affected, ESA said there was no data loss or leakage from protected internal networks. However ESA recognized that publication of the usernames and passwords represented a security breach. In response, ESA instituted a renewed rules verification process, encrypting all passwords.

From this incident, ESA maintains that its initial response was effective, but the incident exposed weaknesses in preventative measures since the hacked accounts were not protected according to ESA rules, concluding it should better identify escalation paths to responsible individuals, hold more technical coordination meetings to devise common solutions, and that common protection rules should be strengthened.

4.3. JAXA

In JAXA, IT policy and related issues are addressed by the Information System Department. JAXA’s cybersecurity structure and control is largely the same as the structure inherited from the previous organization, the National Space Development Agency, from which JAXA was formed in 2003.

Organization and structure: A Security Administration Office (SAO) situated in the Tsukuba Space Center controls cybersecurity with a total of seven personnel under a director, and controls the overall setting of cybersecurity policy, management and compliance. The Director of the SAO reports to one of seven Executive Directors, who is the Chief Security Officer. Day-to-day operations are managed by Security Control Administrators. These are usually directors or managers of JAXA departments, stationed in each of some 60 JAXA departments, who report IT security issues to the SAO. Conversely, the SAO checks and monitors compliance with the department security officers on a timely basis in response to changes in policy or procedures, compliance issues or threats. The SAO sets policy, management setting and compliance monitoring of the department-based security officers. Operational and day-to-day IT security is the responsibility of each department.

JAXA consists of roughly 60 departments, which are folded into several Directorates and Groups: the Space Transportation Mission Directorate, the Space Applications Mission Directorate, the Human Space Systems and Utilization Mission Directorate, the Aerospace Research and Development Directorate, the Institute of Space and Astronautical Science (ISAS), the Aviation Program Group (APG), the Lunar and Planetary Exploration Program Group and the Information Gathering Satellite Systems Development Group. JAXA’s cybersecurity budget has risen in recent years, but the agency does not disclose spending, as these items are not specifically tracked.

Threats: JAXA does not provide specific details about the changing nature of the cybersecurity issues it faces; however, the SAO acknowledges that threats are growing and that it is under constant attack. Against this the SAO manages policy flexibly and proactively to change procedures both to forestall vulnerabilities and to respond to the latest data on issues. The SAO conducts regular auditing, compliance and response to all incidents as part of its cybersecurity policy setting on JAXA’s departmentally based operational IT security management.

Oversight and policy: As an Independent Administrative Institution (dokuritsu gyōsei hōjin, or IAA), JAXA is a legal body for Japanese governmental organizations regulated by the Basic Law on Reforming Government Ministries of 1998. As such JAXA is not governed by the National Government Organization Act that controls Japanese Ministries and administrative organizations. Japanese IAAs utilize management methods of private-sector corporations and are given considerable autonomy in their operations and how to use their budgets.

JAXA’s IT policy is described in the Medium Term Goal and subject to oversight and control of MEXT, but its cybersecurity policy is not defined concretely. JAXA’s mid-term goal includes IT promotion and strengthening IT security, but it doesn’t mention specific policies. Overall government standards for information security are therefore not directly applied to JAXA. However, according to JAXA’s Law, all executives and employees shall not divulge any confidential information. JAXA Law Act 16 stipulates the duty of confidentiality, and it is not necessarily limited to IT security, but covers all kinds of information. JAXA describes its IT security policies as “stakeholder driven” and formulated by the needs of both customers and international partners, including other space agencies (including NASA and ESA) and private contractors.

In regards to contracting with the private sector, JAXA describes its IT security management as stringently controlling and managing the IT security of organizations it contracts with rather than vice-versa. Contracts are managed to standards and

policy that JAXA sets, rather than measures driven by contractors. JAXA also contracts outside IT specialists and IT security firms to help it review and improve policy and implementation, and receives audits from outside IT specialists and companies on a needs basis.

While there is no legal requirement for JAXA to adhere to specific sets of IT governance or cybersecurity standards set in Japan, JAXA closely monitors a number of important national criteria and standards set by outside organizations, folding them into suites of best practices (see below).

Scale, scope, standards: JAXA does not disclose details about how many IT systems, information systems, websites and IP addresses are assigned to its IT systems and networks. However, as it has about 1,700 full-time staff and several multiples of these on contract, the agency says that it monitors and controls over 10,000 PCs, laptops and web-enabled digital devices. As well as intrusion detection systems and intrusion prevention systems, which are updated on a needs basis, JAXA says it uses “a full range of controls” to prevent, limit, and detect unauthorized access to its networks and systems, including identification and authentication of users; restricting user access to systems; encrypting network services and data, particularly laptops; protecting network boundaries; auditing and monitoring computer-related events; physically protecting its information technology resources; and controlling and regulating transmitted information between interconnected systems, etc.

Main standards and policy setting bodies and agencies include the National Security Information Center (NISC), which sets out standards and policy and revises them each year. Other main standards setting organizations that JAXA monitors include IT security policy, standards and administration set by the Ministry of Internal Affairs and Communications (MIC), METI, and the Information-technology Promotion Agency (IPA).

4.4. Response from industry

This paper does not cover military assets, but notes that the U.S. has upgraded its Rapid Attack, Identification, Detection, and Reporting System (RAIDRS) to detect, characterize, geolocate and report sources of radio frequency interference on U.S. military and commercial satellites.

Recent years have seen the emergence of a growing market and demand for cybersecurity products for space systems. In 2009, the U.S. National Security Telecommunications Advisory Committee warned of the growing threat of unauthorized commanding of, or preventing control of, routes, switches, services, databases or satellite buses. It warned that satellite networks would require special safety measures to prevent hackers from sending false commands, blocking authorized commands or interfering with data transmission, and recommended a joint coordinating center to share cyber situational awareness. Commercial satellite companies established a test version of the center in April 2010, but reportedly this initiative is not making progress due to coordination difficulties between the private sector and U.S. government and military requirements and practices.

One example of commercial products are those by companies such as AI Solutions; another is Kratos Defense & Security Solutions and its RT Logic subsidiary, which provides cyber protection for ground stations, satellite test equipment, and satellite operations through its CyberC4 products. According to RT Logic, the migration of satellite ground networks to IP-based technologies has brought along increased cyber security risks, particularly zero-day malware. RT Logic sees zero-day malware as a main threat.

AIA: In January 2012 the Aerospace Industries Association announced the National Aerospace Standard NAS9924, “Cyber Security Baseline,” its first National Aerospace Standard written specifically on cyber security, to provide the aerospace and defense industry supply chain a baseline of standard practices they can follow to better protect their information system infrastructures from cyber threats. The standard provides information for companies to assess themselves on their information technology security practices and to help them determine their preparedness for cyber threat risk management for their customers while assessing the risks presented by their own suppliers.

5. Space Security Implications

Part five of this paper looks at some space security implications.

5.1. Space systems overlay cyber systems

As an example of the importance of the space and cyber realms to the global economy, this paper notes that governments, militaries and corporations around the world rely on space for communications, imagery, and accurate positioning services, making space a 257 billion dollar industry in 2008. Financial traders in New York City use the Internet to transfer 4 trillion dollars, greater than 25 percent of America’s annual GDP, every day.

The space and cyber realms form a co-dependent ecosystem that covers a huge range of governance, technical, military strategic, and economic scenarios. The security of each system is to a degree contingent on the other. Strategists such as Richard A. Clarke have pointed out that the more reliant a country like the U.S. is on its digital economy and strategic space assets, the more vulnerable it might be. The very technologies that enable the U.S. to accelerate its economic, industrial, scientific and military advantages over other countries may well turn out to be its Achilles Heel. Take one example: space assets are a major force multiplier for the U.S. and a strategic asset that is at the same time incredibly valuable and vulnerable. General Larry Welch, former Chief of Staff of the US Air Force, believes passionately that space security depends on cyber security, itself contingent on data assurance.

The fears of a “Space Pearl Harbor” propounded by former Secretary of Defense Donald Rumsfeld a decade ago have been replaced by concerns about a “Cyber Pearl Harbor” that reached public currency last year under former Defense Secretary Leon Panetta, recognizing that the latter will probably contain the former.

5.2. Space systems resiliency and negation

Measures to protect space systems can be broadly

categorized into capabilities to detect space negation attacks; physical and electronic means to withstand attacks on ground stations, communications links, and satellites; and reconstitution and repair mechanisms to recover from space negation attacks, according to a definition provided in the “Space Security Index 2012,” which cites cyber attacks against space system computers and electronic attacks on satellite communications links as threats to the security of space systems. 8)

The report noted that most space systems remain unprotected from a range of threats including electronic warfare, physical attacks on satellite ground stations, laser dazzling or blinding of satellite sensors, and anti-satellite (ASAT) attacks (including direct-ascent and co-orbital ASATs, microsatellite ASATs and high altitude), but also pointed to the vulnerability of satellite communications, broadcast links, and ground stations as likely targets for cyber-based space negation efforts in the event of a conflict.

The vulnerability of such assets is compounded by the potential desirability of cyber attacks based on cyberwarfare’s perceived asymmetrical advantages and the difficulty of detecting and identifying any form of cyber attack on space systems. Such vulnerabilities raise security concerns since military space actors are becoming increasingly dependent on commercial space assets, the vast majority of which depend on cyber networks. Therefore the report cited that the link between cyberspace and outer space “constitutes a critical vulnerability.”

5.3. Non-kinetic cyber-enabled threats

As summarized above, unlike traditionally recognized potential threats to degrade or destroy space assets, cyber attacks on space and satellite systems offer lower-cost, asymmetrical advantages to new actors, including hackers, terrorists, non-state groups or states. Cyber penetration of systems can include the means to degrade, damage or destroy space assets, counterfeit transmissions, gain access to and leak imagery and other data collected by satellite sensors, or compromise other terrestrial or space-based networks used by the satellite(s) or space systems. Without pervasive cyber situational awareness, knowing the attacker’s identity, affiliation, and location may be difficult.

The threat of non-kinetic cyber-enabled attacks to space systems has recently been more publicly recognized. For example, Air Force Lt. Gen. Larry D. James, former commander of the Joint Functional Component Command for Space, believes the opening actions of a conflict will include cyber attacks on space assets. In effect, the fiction of Clarke is assumed as a future fact in the event of conflict.

The U.S. Air Force Space Command’s Schriever Wargame 2010 explicitly refers to the growing threat of cyber attacks on space systems in its simulation of a global space and cyber war in the year 2022, in which an adversary interfered with United States’ and allied forces’ cyber and space systems, degrading their air and naval operations.

“Designer satellite collisions.” According to Jan Kallberg, cyber threats against space organizations or satellites present a new threat on top of traditional concerns. Just focusing on satellites, such assets are vulnerable since every transmission is a potential inlet for a cyber attack. Older satellites share technological similarities, providing opportunities to cyber-exploit industrial systems for control and processing, and are built on SCADA systems with technology sometimes as far back as the 1980s. For example, a satellite’s onboard computer (OBC) can allow reconfiguration and software updates, and a vulnerable satellite that will be orbiting for the next 10 years can be preset by a cyber perpetrator for unauthorized usage when needed. Kallberg envisages a cyber attack on a less protected commercial satellite resulting in a space collision that would be difficult to attribute. Such a strategy would present an “attractive target” to an adversary by simulating, for example, a “designer” collision masked as an accident that was in fact the result of hijacking the asset by a cyber attack perpetrated through reconfiguration of an OBC of a less technically advanced third party nation, commercial or research organization. 9)

5.4. Some policy and technical responses

While this paper does not deal with space law, cyber threats in space also pose new and difficult legal and policy issues. As with other debates on cyberwar vs. kinetic war, it is unclear what constitutes an “armed attack” for the purposes of Article 51 of the UN Charter in terms of a cyber attack on a space asset. It is apparent that non-kinetic threats pose difficult issues for the definitions of “due regard” and “harmful interference” in the Outer Space Treaty and “purposeful interference” in the United States’ National Space Policy (see next). As it is, Article IX of the Outer Space Treaty has never been formally invoked for satellite jamming and debris-generating ASAT testing. It is also unclear what constitutes an “armed attack” for the purposes of Article 51 of the UN Charter in terms of a cyber attack. International Telecommunication Union rules on “harmful interference,” for example, only apply to radiocommunication satellites, not to all spacecraft.

However, recent policy has been forced to start addressing cyber threats to space assets. As noted by the authors of “Space Security 2012,” and others, the ability of space systems to deny an adversary the benefits of a cyber or more conventional attack is a key concern for advanced spacefaring nations. Efforts to both improve military and non-military space assets and improve identification and reporting of sources of interference with space systems and improve robustness after attacks may help deter cyber attacks.

5.5. Some U.S. policy initiatives

On the policy level, more concerted efforts are being made to address cybersecurity issues in space, reflecting the fact that while improved cyber defenses may stimulate arms escalation, improved cybersecurity may reduce the escalatory logic of employing cyberwar against space assets. In light of this, a number of new initiatives that acknowledge the increasing importance of cybersecurity and space have emerged that now reflect the importance of the symbiotic connections between space and cyber security. Here is a summary of some key initiatives:

1) The United States 2010 National Space Policy refers to a right to deter others from interference and attack, inferring the recognition of the possibility of cyber attacks.

2) In January 2011 the United States National Security Space Strategy, which includes this strategic objective: “to

maintain and enhance the strategic national security advantage afforded to the United States by space.” The Strategy states that “resilience can be achieved in a variety of ways, to include cost-effective space system protection, cross-domain solutions, hosting payloads on a mix of platforms in various orbits, drawing on distributed international and commercial partner capabilities, and developing and maturing responsive space capabilities.”

3) The 2011 Department of Defense (DoD) Strategy for Operating in Cyberspace is more explicit, saying DoD will “work with interagency and international partners to encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuade and deter malicious actors, and reserve the right to defend these vital national assets as necessary and appropriate.”

4) In February 2011 Admiral M.G. Mullen, former Chairman of the Joint Chiefs of Staff, released the U.S. National Military Strategy, noting the U.S.’s need “to operate effectively in space and cyberspace, in particular, is increasingly essential to defeating aggression.” The strategy includes aims at establishing and promoting norms, enhancing space situational awareness, fostering transparency and cooperation, improving the resiliency of systems, and training for operations in space-degraded environments.

5) In May 2011 the United States launched the International Strategy for Cyberspace, which provides a framework to expand international partnerships in order to more effectively address cyber threats. The strategy “establishes how network security relates to other crucial areas of partnerships.”

6. Conclusions

There is strong circumstantial evidence of attempts to conduct sustained cyber espionage, with the possibility of precursors of cyberwar, in attacks on IT systems that control space assets in the world’s space agencies. Evidence for this is driven by the publicly disclosed issues faced by NASA, but the weight of evidence from what is made public about APTs against high-value institutions strongly suggests that, like other high value, high technology, strategically important assets, JAXA and ESA are similarly besieged by similar attacks. NASA may be seen to be in a constant catch-up mode driven by both external and internal auditing of its systems, protocols and security measures. In ESA, the development of national security programs, particularly Galileo, has driven the Agency to radically overhaul its security measures, primarily through the creation of its Security Office in 2006. While declining to be specific, the Agency confirms that it is facing increased APT attacks, but is dealing with these. The most major publicly disclosed breach of its systems in 2011 did not result in the disclosure of sensitive information, and the Agency says it is committed to openness regarding cybersecurity breaches, noting that its policies have been transformed from a culture of maintaining information security to one of combatting increasingly sophisticated cyber attacks, including APTs. There is circumstantial evidence following disclosures of attacks in 2011 onwards that JAXA has been targeted by waves of increasingly sophisticated APTs that have emerged after 2010 in line with attacks on leading Japanese governmental, research and industrial institutions.

The co-dependent and complex interrelationships between the cyber and space realms, with their associated economic, infrastructural and military strengths and vulnerabilities, are posing new problems for both space and cyberspace policy and governance that are pressing policy evolution and that need to be addressed comprehensively.

Acknowledgments

The author would in particular like to thank Stefano Zatti, ESA Security Office Manager, ESA, Takao Munenaga, Director, Security Administration Office, JAXA, Profs. Setsuko Aoki and Motohiro Tsuchiya, Keio University Graduate School of Media and Governance, and Brian Weeden, Technical Advisor, Secure World Foundation, for their kind guidance and information used in this paper.

References

1) 2011 Report to Congress of the U.S.-China Economic and Security Review Commission, One Hundred Twelfth Congress, First Session, November 2011, pp. 215-216.
2) Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology, NASA Cybersecurity: An Examination of the Agency’s Information Security, Statement of Paul K. Martin, Inspector General, National Aeronautics and Space Administration, February 29, 2012, pp. 1-7.
3) Clarke, R. A., Knake, R. K.: Cyber War: The Next Threat to National Security and What to Do About It, Harper Collins, 2010, pp. 179-228.
4) APT1: Exposing One of China’s Cyber Espionage Units, Mandiant Corporation, Feb 18, 2003.
5) 2012 Report to Congress of the U.S.-China Economic and Security Review Commission, One Hundred Twelfth Congress, Second Session, November 2012, pp. 9-10, 96-99, 141-143, 147-169.
6) Krekel, B., Adams, P., Bakos, G.: Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage, Prepared for the U.S.-China Economic and Security Review Commission by Northrop Grumman Corp, March 7, 2012, pp. 8-14.
7) Zatti, S.: Coping with Cyber Attacks – A First-Hand Report from a Cyber Attack Victim, presentation, European Academy for Taxes, Economics & Law, November 9, 2012.
8) Space Security Index 2012, www.spacesecurity.org, pp. 22-23, 69, 109, 129, 132, 137.
9) Kallberg, J.: Designer Satellite Collisions from Covert Cyber War, Strategic Studies Quarterly, Spring 2012.
