Securing Satellite Systems

Whether it’s navigating from A to B, doing online banking, watching television, or calling someone on a mobile phone, more and more aspects of our daily lives are impacted by information received from outer Space. In the military and security areas, reconnaissance, positioning and communications are a fundamental part of operations both at home and abroad. As a result, protecting satellites and Space systems, and ensuring the data they produce is secure, resilient and reliable, is essential.

With this in mind, it’s now time for providers of this data to consider some key questions in guaranteeing their services: How reliable is the service? How resilient is the service? How private or confidential is my information? All these considerations are important because the threats to a satellite information service are many and include:

  • Having your satellite moved, stolen or used by others
  • Corruption or loss of data
  • Cyber attack on the Space segment and/or the ground infrastructure


Understanding the Threat

Addressing this, and delivering ‘assurance’ to the customer that their information is secure, can be done through a process that starts with an understanding of the threats to the service.

This threat assessment, combined with an assessment of vulnerability (the opportunity for a threat to materialise), leads to a Security Risk Register, in which the threats are grouped into the following categories:

  • Confidentiality – can someone else read my information, or is it private to me?
  • Integrity – does a data package remain unchanged, and is it resilient to accidental damage or attack?
  • Availability – are the service and information available 24/7, or at least compliant with the customer requirement?

Some threats will fall into all three categories.

The threats are then ranked in order of likelihood and impact. Information assurance procedures propose mitigations for these risks which, if applied, will reduce risk to a level that is acceptable to the customer. Of course, early discussions with customers to understand their risk appetite will help this stage work more effectively.

Information Assurance

Pragmatism recognises that it is economically unaffordable and practically impossible to terminate all risks. The information assurance process seeks to mitigate risks so that they remain acceptable to the customer, and both parties can move forward together with a common understanding.

For the customer, risk appetite is usually established by the question “how much is my information worth to me?”. This can extend to addressing the impact of not having the information at all, or not having it in its intended form. In the adversarial scenario, further consideration may be directed to the ease and/or cost of accessing the information by other means.

In response to the prioritised risk assessment, information security-enforcing techniques will be applied. These may include the use of secure ICT components (often referred to as ‘approved products’) and lockdown of applications and software, with the application of physical security policy and procedures, where appropriate.

Examples of responses to loss of confidentiality could include use of appropriate encryption techniques. Service integrity could be delivered using defence in depth with firewalls, anti-virus services, proxy servers, protocol manipulation, etc. Assuring service availability might require hardware diversity, redundancy and network hardening. All of these form part of the security architecture: the working design of the complex systems to meet their intended service goals.

At the other end of the service delivery process is the testing and assurance that the service functions as planned. The range of activities here includes resilience testing, evaluation, certification, and, if appropriate, accreditation of secure information systems.

Certification

The ultimate outcome, and the focus of increasing attention, is to produce a Certificate of Information Assurance which declares that the satellite-provided service is resilient and fit for purpose. A certificate from a recognised professional organisation provides a rapid route to the assurance that customers and the wider public seek, that services can indeed be relied upon.

With more than three decades’ experience in the Space and security sectors, VEGA consultants’ understanding of the threats and counter-measures is crucial in supporting client projects, and adds to the depth of assurance our technical capability provides. VEGA’s world class experts in information assurance have advised upon and delivered these information security services, working with UK Ministry of Defence satellite communication systems at both strategic and tactical level, and also working with other companies and organisations who contribute to the UK Critical National Infrastructure.
