The full-scale overhaul of Space Force acquisition announced in April has been presented as a matter of speed and agility. The LA-based Space and Missile Systems Center (SMC), which spends 85 percent of the Pentagon’s space budget, will be elevated to a Space Force Field Command, headed by a three-star general.
The new Space Systems Command (SSC), with a $9 billion annual budget, “will rapidly identify, prototype, and field innovative, space-based solutions,” said the Space Force announcement. The reorganization will “further … our focus on accelerating the pace of acquisition,” added Lt. Gen. John F. Thompson, SMC’s current three-star commander.
Agility in acquisition is vital, but experts say there’s another reason—arguably even more urgent—that the new Space Force has to reinvent the way it develops, buys, and fields satellites and ground systems: They have to ensure they are building in cybersecurity to protect against hacking by online spies and enemy cyber warriors.
The raison d’etre of the new Space Systems Command is to “pivot … from today’s peacetime architecture, … which was never envisioned to conduct offensive or defensive operations,” to new more resilient systems that could survive kinetic and cyberattacks by near-peer adversaries, Cordell A. DeLaPena Jr., the program executive officer for SMC’s Space Production Corps told Air Force Magazine.
We’re not unique. We fool ourselves if we think that we’re unique and untouchable—we’re not.Scott Kordella, MITRE Corp.
A Space Cyber Test Range
As the acquisition reorganization moves ahead, Space Force engineers at SMC are laying the foundation for a Space Cyber Test Range—a digital environment where hardware models of new satellites, and virtual copies of their ground control systems, can be cyber-attacked by red team penetration testers to find vulnerabilities, so they can be fixed. The range will also be used to train satellite operators to defend their systems against such attacks.
“We are building a virtual environment where the pen testers can come in and conduct their test events in as close to real operational conditions as we can get,” Tyrone Berthiaume, chief information officer of SMC, explained. He said the test range would include flat sats—hardware models of a satellite system, so-called because they typically lay the various electronic components out flat on a workbench—and also digital twins of Space Force ground infrastructure, the Earth stations that communicate with and control the satellites in orbit. The range will even allow red teams to simulate attacks against the RF radio links that enable communication and control.
The Space Cyber Test Range is the most advanced of a series of cybersecurity testing and simulation initiatives SMC plans on rolling out as it transforms into Space Systems Command and works to make the vision of the Space Force as the first fully digital military service a reality, Berthiaume said.
The range will leverage the infrastructure of the National Cyber Range (NCR), which provides operationally realistic cyberspace environments for test and evaluation, as well as training. Using the NCR infrastructure has enabled Berthiaume to develop this novel capability on the cheap—it’s funded for three years with just $5 million from the Air Force Cyber Resiliency Office for Weapons Systems, known as CROWS.
The Space Cyber Test Range, being built at the Pacific Northwest National Lab, a Department of Energy research contractor in Richland, Wash., will be a digital testbed, which SMC engineers will be able to access to employ specially designed pen-testing tools, tailored for the unique characteristics of space systems, against new satellites as they are being prototyped, developed, and built.
The range will go live by 2022 if all goes according to plan, Berthiaume said: “We have a test plan as our final checkout that we’re going into here during the summer. If the tests are successful, we should be [at Initial Operational Capacity, or] IOC by the end of this calendar year,” and fully operational by 2023.
Cyber attacks: When, not if
And that’s not a moment too soon: Unclassified threat assessments show that vital U.S. space assets are increasingly vulnerable to a range of emerging threats. However, hacking is a much lower-cost way of interfering with a satellite than kinetic or directed-energy attacks, and can more easily be scaled across multiple targets, according to the Aerospace Corp. And because many cyberattacks are reversible and can be hard to attribute, they offer an adversary a much greater opportunity to hide their hand—or at least preserve some plausible deniability—said Craig Miller, president of government systems at Viasat Inc., which provides satellite hardware and services to DOD.
“Someone can launch a cyber attack, and there’re ways to obscure it and obfuscate it, so that it’s difficult to find the source. … And they’re also often reversible, you can turn them off, or you can stop them, whereas other effects [like kinetic or directed-energy attacks] cause permanent damage, and it’s much clearer who did it,” he said.
The low cost character of these attacks makes it a matter of when—not if—they’ll be employed, Miller said. “The nonattributable, nondestructive nature of cyber makes it far more likely that it’ll actually be employed. And that’s the real danger of cyber attacks—you’re going to see them.”
Satellites are vulnerable, noted Miller, because they remain operational for decades. “Some of this hardware has been in space for 20 years. And it’s ’90s vintage hardware with ’90s vintage security and, in some cases, ’90s vintage operating systems that are very vulnerable.”
That vulnerability isn’t merely theoretical. In 2019, security researchers found a series of critical flaws in a software package called VXWorks, which provides real-time control for many satellite communications systems. The researchers worked with Wind River, who make VXWorks, and who produced a patch for the affected systems. Modern satellites typically allow for updates and patches to be applied to on-board software, but legacy space systems don’t have this capability.
Traditionally, in SMC acquisition programs, “the emphasis was always on meeting warfighter mission requirements, rather than cybersecurity requirements,” said Cristina Chaplain, who retired last year as director of space systems for the Government Accountability Office. “Cyber didn’t get much attention [in SMC] until just the last few years.”
Space systems, both military and commercial, are also tremendously complex, pointed out Scott Kordella, a senior adviser on space systems at MITRE Corp., which runs many federal technology research centers. “The key components of any satellite architecture are the space vehicles, the ground systems, and the terminals. And for each of those, there are systems, subsystems, and components.”
Cybersecurity experts say that kind of complexity typically makes systems easier to attack, since it increases the number of possible points of failure.
Security through obscurity
Kordella said it helped to think of space systems in two parts: “90 percent of space systems are like other systems, communication systems or health care systems. … They use the same IT as those other systems. But 10 percent is unique, the radiation hardened processor that goes on board the space vehicle,” for instance.
The 90 percent of space systems that employ commodity IT are vulnerable in the same way those IT systems are vulnerable in meat processing, or pipeline operations, said Kordella. “We’re not unique,” he added, “We fool ourselves if we think that we’re unique and never touchable—we’re not.”
At the same time, the broad deployment of such commodity IT systems means that there is much value to be gained by information sharing among users—both within the space sector and beyond it. Kordella urged the national security space community “to be less introspective and internally focused on our uniqueness and instead, look for those common connections and … recognize that we don’t have to reinvent the wheel, … we have the opportunity to share with other sectors and benefit from them.”
The security of the remaining 10 percent of space systems, Kordella said, “is often very classified, and very exclusively addressed by a small group of people. We’ve come up with some very clever ways to address that,” he said, calling those components “highly protected.”
But that security through obscurity approach to the on-orbit components of space systems may not last.
As part of the standup of SSC, DeLaPena explained, “we’re fundamentally changing how we buy satellites into a more modular open system architecture, with standard interfaces to plug-and-play payloads.” But that model implies open, published standards, which blows away at least part of the protection provided by classified system architectures.
The design of a processor or other system element might still be secret, but the way it communicates with other system components on the satellite has to be public, to ensure that other vendor systems can “plug-and-play.”
And the unique character of many space systems components is a double-edged sword, from a security point of view. There is a huge ecosystem of tools—like vulnerability scanners or pen testing frameworks—that can be used to test the security of conventional IT systems. But they mostly don’t work on satellite systems, explained USSF Capt. Matthew Preszler, part of the SMC Production Corps Test and Evaluation team focusing on cyber.
“Our satellite systems run on data buses, not like typical [Internet Protocol, or] IP networks, so we need specialized tools to conduct this pen testing,” he said. The pen testing tools his team currently has in Pathfinder development “will allow us to emulate typical hacker attacks, like man-in-the-middle or replay type attacks” on the unique architecture of satellite systems.
The need for SPEED
The pen testing tools are phase one of an ambitious vision Preszler is in charge of realizing: The Satellite Penetration-test Environment, Evaluation, and Demonstration, or SPEED—a set of digital tools that engineers will be able to use to test and evaluate the cybersecurity of space systems throughout the entire acquisition cycle.
SPEED is currently just a concept, but the phase one pen testing tools are already in development and will be ready for internal testing by September, according to Preszler, who added that they hoped to use them to test vehicles in the 22-strong GPS IIIF satellite constellation, which went into production last year and is scheduled to start launching in 2026.
Two further phases of SPEED are planned, Preszler said. The second phase involves building a fully digital model of a space vehicle. The Space Cyber Test Range currently under development uses flat sat model satellites with hardware and software components, but Preszler points out that a totally digital model will be “available and accessible from multiple locations.” Attacking such a digital model will help uncover cybersecurity vulnerabilities the real satellite has, which can then be fixed or mitigated during manufacture.
The third and final phase, he said, is developing security tools that can monitor a satellite’s internal system to detect malicious activity the way conventional cybersecurity software—like intrusion detection and prevention systems —monitor regular IP networks.
All the tools developed under SPEED will be available to Space Cyber Test Range users from all three acquisition corps in SMC, Preszler said.
The stand-up of Space Systems Command will build on an earlier reorganization, dubbed SMC 2.0, which created three acquisition corps to handle different phases of the space systems life cycle: The Development Corps for design and prototyping; the Production Corps for manufacturing; and the Enterprise Corps for sustainment and communications once the vehicles are on orbit.
“The three corps are mapped to the acquisition life cycle,” explained Preszler. “And depending on what stage a system is in, that drives the type of [cyber] testing that will occur.” In the Development Corps phase, “where they’re pulling together initial requirements and initial designs of the system,” cyber testing was likely to be based more on “tabletop-type activities, where it’s more a matter of reviewing the architecture of the system.” During the Production Corps stage, “that’s when you’re actually getting hands on to a system or model” to use penetration testing and other offensive tools to find vulnerabilities. Finally, in the Enterprise Corps, cyber testing “turns into the sustainment-type risk management framework, activities in which we’re conducting recurring cyber assessments on the system in order to get authority to operate,” and fulfill other security requirements.
The aim, said DeLaPena, is that “regardless of the contractor, regardless of the processes, these will be a standardized set of cybersecurity test tools and processes that are going to be available and somewhat standardized across all the [acquisition] programs” being run by SMC.
And they’ll be available even beyond that. Once a satellite is launched, it belongs to Space Operations Command, or SpOC. At that point, its cybersecurity becomes the responsibility of Space Delta Six, the SpOC element in charge of defensive cyber operations.
Berthiaume said that the Space Cyber Test Range development effort was “partnering heavily with Space Delta Six, to ensure that the lessons learned from the operational community are identified and brought forward as far left as we can get into the acquisition life cycle, so that our future systems have that cyber resilience baked in from the beginning.”
And the exchange goes both ways, he added, noting that the range team hoped to use it to help train cyber defenders, “so that when they get to the operational community and they’re embedded with the flight commanders, they will be able to identify vulnerabilities or adversary presence based on their experiences in the simulators and the test ranges that we’re building and take the appropriate actions,” which they’d rehearsed running digital models of their craft.
The range might even eventually be available to commercial satellite operators providing services to Space Force, according to DeLaPena. “We are planning to partner with the commercial augmentation teams and then the commercial SATCOM teams,” he said, “but at this point, we’re too early in the planning cycles to really say who would use them.”
A digital ecosystem
The Space Cyber Test Range and other virtual tools were all part of the vision of Space Force as the first fully digital military service, DeLaPena said.
And that digitization would help improve the cybersecurity of the space systems SMC is building in myriad other ways, pointed out Kevin Coggins, a Booz Allen Hamilton vice president who helps lead the company’s digital engineering efforts. “The documentation for these systems is 1,000 pages long. And there are lots of changes because space systems interface with everything, and it all has to be compatible and standards are constantly changing. If those changes are propagated manually, how many errors do you think are going to creep in there?” Multiple contractors maintaining paper- based documentation merely multiplied the possibility for errors that could result in a security vulnerability, he added.
By contrast, digital documentation would allow the use of automated validation tools, so that “if there are errors, they’re identified and fixed.” And it would allow new security or other requirements to “ripple through” the documentation on multiple projects.
DeLaPena added that security was only the beginning of the benefits that digital engineering could bring to Space Force.
“At every phase of the acquisition, from the analysis alternatives to development to production to sustainment, at every phase, the technical baseline is defined digitally. So, as the technical baseline matures, that [digital documentation and data] is now available to do things like testing, modeling and simulation, as well as 3D manufacturing and 3D printing in the manufacturing process, and even potentially the follow-on use of artificial intelligence [to analyze that data and provide improvements] in sustainment,” he said.