 Hi, I'm James Bevor. I'm a PhD student at Oxford University where I research satellite cybersecurity and today I want to talk about something called space situational awareness or SSA SSA is a type of data that we use to solve a problem, which is that space is getting crowded Today there are tens of thousands of satellites and pieces of debris and other objects in orbit that will whizz over your head every hour and As space gets more congested over the next decade The number of objects is going to increase dramatically with the addition of constellations like one web blue origin and star link Changing the way we think about lower orbit as we put more satellites up there The biggest challenge will be dealing with increasing risk of space debris collisions Space debris are just like bits of metal or rocket fragments or other things that fall off of the satellite During operations. There's part of a space mission and they move at orbital velocities So if they collide with the satellite they can cause it to break or even disintegrate depending on the size of the collision And it's a second case that can lead to something that we call a cascade effect We're by a piece of debris crashes into the satellite which creates more debris which crash into more satellites And in the worst case scenario when space is as crowd as it's going to be the next decade a Debris cascade can severely constrain our access to either a particular orbit or even the space as a whole And that debris is not going anywhere. It can remain an orbit as a threat to satellites for decades or centuries depending on where it is So to deal with this we use space situational awareness data I'll talk about how that works and who gets it and then I'll talk about why a cyber attacker might target this critical data as A route to cause harm to specific satellites in orbit We'll run through a scenario where we actually kind of play through one of these attacks in orbital simulations And then I'll close by discussing mitigations that both industry players and governments can use to protect and bring more trust Into the SSA environment So SSA as a concept is very simple at its core. It's just Understanding what's out there whether that's a satellite or a piece of debris or even a comet or an asteroid depending on how you define it It's essentially a catalog of everything in space and where it's going and we use SSA in every step of a satellite mission From the moment that we decide which orbit that we're going to launch our satellite into the moment we retire our satellite into a graveyard orbit and try to avoid crashing into other satellites when we turn it off and Two particularly important uses of SSA are conjunction analysis and intelligence purposes You use SSA to figure out when your satellite is going to collide with a piece of debris So that you can steer it around it and this is not trivial because pieces of debris move They're affected by friction or collision with other pieces of debris So you need to constantly be updating your catalog so you know when you need to steer your satellite and where Additionally, I mentioned intelligence purposes SSA is really useful if you want to know if your adversaries are say launching a spy satellite that overpasses your territory Or testing anti-satellite weapons So it's perhaps unsurprising that the dominant source of SSA data today is the US military which operates the space surveillance network or SSN The SSN consists of a bunch of ground stations around the world with either radar systems or electro-optical telescopes And even some satellites in orbit that are constantly scanning the sky for space debris The reason this is distributed across the globe is because to get a good catalog of space situational awareness data You need multiple observations of an object from multiple different vantage points in different parts of the planet and The US military gets a huge advantage from this investment They're likely the only entity in the world who have access to ground-treat information Describing debris objects measuring 10 centimeters in diameter or even smaller. However, this edge does not come cheap We don't know exactly how much the US military spends in the space surveillance network But we know that the most recent upgrade to the system exceeded six billion dollars and then in fiscal year 2015 alone I spent one point six billion dollars on procurement. This is all to say that this is not a trivial effort This is not picking up a telescope warmer and looking for pieces of space debris This is a very complicated technological endeavor that is beyond the means of even most nation states to pull off The next most sophisticated SSA capability is probably Russia's through the Russian space surveillance system We don't know quite as much about like what kind of objects they can see or what size But we do have a sense of the network's capabilities because we know where the ground stations are and they're primarily in former Soviet territories Or countries that were friendly with the USSR of prior to its collapse This makes sense as a lot of the groundwork was kind of late for the system during the Soviet Union But in recent years Russia has expressed skepticism and third-party data from like the US military and has been shoring up their own Internal capabilities including through the launch of satellites like this one, which was widely expected to be a space surveillance system Although the Russian military is not confirm this One other thing I just want to note while we're talking about Russian space situation awareness There is a civilian network that is ostensibly a collaboration between scientists and universities It's not super active today and depending on who you ask it's like deeply tied to the Russian Academy of Sciences and kind of the Russia civil military apparatus for space power or it's entirely independent In either cases at least worth noting that there are some civilian efforts to get space situation awareness data as well as military efforts associated with Russia The final network I want to talk about is China's they run a system through their PLA should you support force unit Interestingly the PLA SSF is also responsible for China's offensive cyber operations and a lot of other high-tech things that China does in military context Their network is relatively small They are not remotely comparable to Russia or the United States in terms of what they can see in space and This makes sense because unlike Russia and unlike the United States China has never really had much opportunity to expand beyond its borders And so it doesn't have those four deployed military bases for putting up telescopes So what they've been doing is pretty clever They've been deploying these ships, which are essentially mobile SSI stations They take out international waters so they can get that global perspective on the skies and Compete with these other space powers despite having significantly less territorial reach If you're not one of these three countries You may have your own smaller network The EU is the next biggest and then basically any country with a space program has some degree of SSI capability However, there are also some commercial actors that are starting to sell SSI data They'll claim that they've made some pretty significant technological breakthroughs to start us is unclear how true that is Or to what extent they could ever match like the US military's capability But at least there's kind of a shift towards privatization that's starting to emerge in the sector In reality though today if you were on satellite Chances are you get your SSI data through a website like space trap dot org or from someone who buys it Who gives it from this website and then resells it to you? Space trap dot org is a public website that's run by the US military and anyone with an account can log in and get access to Space situational awareness data that's pretty high quality for your charge The fundamental idea here is that if you share a signal with people you prevent collisions in orbit and you protect the environment They're like terms of service here where you like check a box That says I promise I don't work with the military or whatever, but fundamentally the US government doesn't care Well, it would be nifty to see a North Korean satellite get destroyed by a piece of space debris if the resulting cascade from that collision Threatens critical US communications missions or navigation missions It's not worth the collateral damage risk And so there are strong incentives right now to share high quality SSI even though it cost an inordinate amount of money to get access to So right now the primary format for sharing this data is something called a two line elements that were a TLE TLEs were designed to fit on two 80-column hutch cars and the format has basically not changed since It's very rare in cybersecurity that you access a system that's like that was compatible with punch cards So I know this is a pretty interesting aside There are some efforts recently to update the format because you actually have only so many objects Contractors like an ID field and a two line element set and it's starting to fill up as space gets too crowded However, the core idea is probably always gonna be the same The two line element set is intended as input to what we call a propagator Which is essentially a model of how things move in orbit and two line element sets are not physically meaningful on their own They're like tied to physical properties, but they're not directly descriptive of them But instead they're intended as inputs into the system And so a two line element set is meaningless without a propagator and a propagator is useless without the two line element set If you use them together though You are able to predict where an object will be a orbit with an accuracy of about a kilometer over 72 hours Which is pretty good. It can get better in some cases and slightly worse than others But that's a good kind of rule of thumb for accurately There are other formats that are available You can actually get better data from the US military if you sign a special data sharing agreement with them This agreement is super palatable if you're like a commercial space operator, but it's less attractive if you're a foreign military And this kind of starts picking into the trust problem here, right? So at its core There are only a few people a few organizations in the world who know what these objects are and where they're going if everyone else Has to trust whatever they tell them So this makes it kind of an intuitive target for a cyber attacker So why would you target SSI? Well, these databases are highly centralized, right? They're only a few in the world and if you change a line one of them You can affect what thousands of organizations think outer space looks like and those organizations probably can't catch you They don't have a capability. They don't have the billions of dollars investment Needed to double check where a small piece of debris is at any given point in time And so they kind of just have to have blind faith that the information in the database is true about what's in space Because they can't see it themselves So as an attacker if you want to harm a satellite I say hiding a degree collision and causing it to crash You have essentially bikes on a computer somewhere that you can change to have a very hard physical effect blowing something up in outer space If we're thinking about ways to blow up satellites and you prepare deploying a couple of zero days against a database Which isn't trivial but certainly feasible versus building a national space program developing anti satellite missiles Building with a diplomatic follow-up from that and deploying them accurately It's pretty clear why a cyber attack after might be a more attractive way to target a satellite So let's talk about a couple of threat models the sort of people who engage in these attacks and what they would do and why So the first I think is the most intuitive and that is the owner of the repository decides to start lying to people Since they're the only ones with access to a lot of this information They're the only ones who sensors pick up these objects if they start lying It's very unlikely They'll get caught in the act and they can deceive whoever they want about the state of orbit this comes at a cost right if they get caught in the lie their database is no longer trusted and People maybe are unwilling to rely on it and they accidentally collide with legitimate degree that they don't believe other But at its core is something they could do And a nation's data factor who doesn't run one of these databases might say hey I want to discredit this database We would be great if you have to know that they spend billions and billions of dollars on an SSA network And nobody believes what it says and they could do that by say just making the sensors less accurate with malware Doesn't need to be particularly targeted. It just needs to change the measurements that are coming off of those radar Sensors such that the predictions are inaccurate or if they have a space program They could launch objects that are deliberately designed to do nothing other than be like difficult to track with radar or electro optical telescopes To kind of discredit the overall utility one of these databases Finally if we're kind of talking about bread and butter cybersecurity just some rando who wants to have a database somewhere Fundamentally, this is just a line in the database military databases are hard to hack but they're hardly unhackable and Additionally, this data doesn't just go directly from the military this satellite It's often sold to third parties who repackage it and sell it to like individual satellite operators to incorporate into their integration Processes and so if you compromise one of those later recipients databases, you may have a similar effect That's a little bit more targeted and a little bit easier to walk So when we talk about messing with this data, what does that look like? What do you have to change to achieve what kind of goals and what can you achieve? So we're going to run through a very simple attack scenario Our attackers goal is to cause harm to a specific satellite orbit There's two ways to go about this the first one you probably already guessed If we see in that database that there's a piece of debris that will collide with satellite in the future We can tamper the contents of that database to make it look like that piece of debris is no longer a threat The results of the satellite operator moves along blissfully ignorant of impending doom until a satellite collides with a piece of debris That seems to come out of nowhere From a physics perspective, this is trivial. If you change any Component of a two line element set, there's a really good chance that over a 72 hour forecast window That a debris object is going to be in a radically different place and no longer pose a threat to the satellite So we want to focus on a slightly more nuanced version of the attack. That's a bit more challenging and a bit more pernicious So the idea here is we create a ghost collision We take a object that doesn't collide with a satellite and we tamper it just a tiny bit to make it look like it will The effect is that we call these guys in at 12 in the morning to deal with an emergency and engage in a debris avoidance This burns fuel in the satellite and causes mechanical wear and tear it increases the cost and decreases the lifespan of their space missions This is a more credible attack than you might initially think You might have trouble imagining the US military's hiding today blow up an Iranian satellite and passing away data But it's not that hard to believe that someone would just kind of tip the scales a tiny bit so that Iranian space missions are Particularly unlucky with regard to how many debris objects they have to dodge And over time it has a kind of slow burn effect that we've seen the nation's base use in other contexts like stuck net Which caused mechanical wear and tear on centrifuges for nuclear Power slash weapons program and you might imagine a similar thing targeting a space program So how do we go about doing this? Well, first we're going to start with some assumptions to keep the simulation very simple for today The first is that we'll assume the database is already being compromised Either the owner of the database is the one telling lie or someone has deployed a hearing. We're not fundamentally interested in how you compromise the database We're going to target data in the two-line elements that format. This is a little bit Not real world in the sense that people tend to use more precise MRIs for their conduction analysis but two-line element sets are publicly available which makes it easier to work with for research purposes and Fundamentally if you can tell a lie with data the format that data is in doesn't really matter We're going to say that people trust the output of their conjunction analysis in relations in the real world If you see a collision you may call up the US military and say, hey, you double check This is actually going to happen We'll assume that either that double checking process has been compromised You just say the US military is the attacker or the victim doesn't do that for some reason and then we're going to define a Collision pretty generously as a password in one kilometer. You can do this much smaller We've had success with past as well as 100 meters But the reality is that a wider zone of collision increases the likelihood of finding a candidate quickly from a computational complexity perspective and in this case To see life on that sets are only that accurate anyway more precise is kind of meaningless So here's our target It's in a radium satellite over the Atlantic Ocean and it has an orbit that looks something like this and We're going to try to modify an element in this debris field of 10,000 objects taken from space track or To see if we can make one look like it'll collide with the satellite over the next 72 hours To filter down these objects because we have a lot We're going to only measure the time of closest approach for objects that pass within this sphere So let's go ahead and see what that looks like in the lab So what we're doing is we're looking for debris objects that pass within that zone And then we're seeing what I pass closest to the satellite The intuition here is that an object that already looks like it will pass closely Would be easy to tamper with to create one of those phantom collisions that we're trying to generate Because you'd have to only make small changes to do this orbit say a couple hundred years in one direction or the other Now the size of our debris field here is 10,000 objects. You can do this with a larger debris field It just takes longer to hunt down candidates But you're also more likely to find a good candidate that passes closer the bigger the debris field So there's a bit of a trade-off between how much computing time you want to put into this and how accurate of a collision you want to find Here I'm propagating for just a couple of days I think 48 hours or something and we're going to take our top five candidates for manipulation and try to tamper with them So if we look at the results here We see that our best candidate passes within 3.8 kilometers of our target, which is excellent This means we only have to modify this object's orbit by three kilometers in the correct direction And it'll look like it's going to collide with the satellite even when it's not so that's the scale of why we have to tell Now this initially sounds easy, right? You just change the bytes But it's a little harder than you would think because we need to get this Specific object into a new orbit over the next 72 hours. We need to change how it's moving through space pretty substantially in the database We also need to have it appear like it'll be in a specific location Right that zone of collision at a specific time when our target satellite is also there And we need to do all of this with only any tiny modifications To the line that database right we want it to look like friction might have caused this object to shift We don't want it to look like someone just believe it around database and created it completely brand new object So this is a pretty hard astrophysics problem I don't think it's unsolvable, but it's definitely beyond me But what I can do is get some check So what I did is I'm put a genetic algorithm Which is essentially a fancy way of saying I threw things at the wall to see what would stick and we define our individuals in this genetic algorithm as Set of characteristics that would change is to four fields in the two line element set and The idea is that in each generation of this genetic algorithm We determine the likelihood that one of these changes gets like passed on to the children of this individual on The basis of a fitness function which was defined as the distance between our Stake ghost debris objects and the target we're trying to collide with at the time of closest approach Now we could have added a stealth metric here to minimize the amount We have to change these fields if we were particularly worried about detection We're particularly worried those being monitored, but for simplicity purposes We set this is a very high bound and just a hard cap Then we weren't allowed to modify any of these fields by more than 10% in practice We modify most of these fields by a fraction of a percent But e-centricity in particular tends to need to be modified a little bit more because of the precision of the format Although you can find collisions within much smaller zones. It comes at the cost of more computational time Once we kind of run our scenario we get an output that looks like this So in this case we found a collision for our target object within three generations That passes in a kilometer of our target if you look at the malicious 2-line element set on the top and the original one on the bottom You'll see that they're pretty similar and if someone wasn't like actively looking for data tampering impacts It'd be pretty hard to identify that this object has been hacked to look like it's going somewhere isn't Let's see what the result of that is in our simulations So we'll see the objects kind of move along just like they did before but over time There's that slight difference such that at the time of closest approach Our malicious debris object passes well within this sphere around the iridium satellite Which is a one kilometer across and so at this point We have caused a collision to appear like it will happen The iridium operator will steer their satellite even though they don't have to and they'll increase their mission cost and decrease their mission lifespan So how do we protect against these kinds of attacks? How do we prevent this kind of manipulation? If you're a satellite operator and you're thinking how do I keep my SSA data secure? There are a couple of things you can do the first is to get higher quality data where you can to enter into those data sharing agreements This particular demonstration was made much easier by the fact that our zone of collision was one kilometer The smaller that zone of collision gets the more accurate your data is the more likely an attacker is to have to work hard With like a larger debris field or more genetic algorithm generations or bigger tampering effects to find a collision That will trigger an alert so you really increase the cost and the complexity for the attacker even if you don't fully get rid of the risk of someone lying to you You might also want to see if you can vet your data, right? There aren't any databases that fully match the US militaries But even something with like 30% coverage at least gives you a second source for truth on those 30% of objects that they do know about And you might think about also comparing your internal data with the public data from the US government So you can say hey my database says a prediction that the US government doesn't even though the source data should be the same That's a pretty good indicator of compromise If you're a nation state actor There are a couple of different ways to think about this if you run an SSA database So if you're the US Russia or China You need to understand that those bites on a computer are critical strategic resource that someone might try to mess with From a cybersecurity perspective They might do this to discredit your information to cause harm to one of your own satellites for someone else's satellites But fundamentally as a nation you have an obligation to recognize the importance of these specific databases as some of the most important space data you hold Additionally, I think it's important to disavow any funny business in SSA Right now the US military has a statement on the website that basically says that the data from space track that word could be manipulated Anytime for national security purposes and they understand the logic behind this But I think standing by SSA data is an important step towards protecting the space environment in the future and Publicly disavowing and ascribing a diplomatic cost to get in caught concealing or manipulating SSA data I think is an important step towards credibly building a system where people can trust what space looks like Finally if you're a smaller country you might not have a full space surveillance network But you may have a couple of telescopes or a couple of radar sensors that you can use to kind of randomly sample and audit Specific objects and say there's supposed to be a debris object there today Is there anything and use that to kind of catch at least some tampering attacks in these databases and get a sense of their reliability? So to sum things up SSA is fundamentally about trust There is someone out there who is the only person who knows the truth about these objects and is telling it to you And you have no way fundamentally to get that physical reality and ground truth information for yourself This trust is intuitively abusable You can change information in SSA database through some very basic orbital physics operations to make it tell Prophecy, but is it true to create a phantom collision or to conceal an impending collision with catastrophic effects? We think that we can fix this by recognizing that SSA is an information target That can be used to cause physical effects in space and so as a result building Responsibility and verification into the SSA process is a key step towards recognizing that trust is as important as truth in these databases Thank you so much for listening to my presentation and I'm happy to answer any questions Hopefully I've gotten you thinking about kind of interactions between the physics of space and the cybersecurity properties