Home >> September 2015 Edition >> HPA Corner: Satellite Security + Information Assurance
HPA Corner: Satellite Security + Information Assurance
By David Thompson, Chief Engineer for Information Assurance, Harris Space and Intelligence Systems


Historically, the protection of satellites has relied on the physically remote location and the fact that satellites were treated as a single entity to mitigate threats.

As long as the satellite was protected during integration and launch, there was little that could be done to threaten the safe operation of the onboard payload. The bus would provide command and status through an NSA-approved, cryptographic implementation and the payload would be limited to sensor operations or communications, with the channels fully isolated from the bus platform. A limited number of threat vectors could be easily mitigated through onboard segregation and isolation.

With the advent of hosted payloads, where the owner and operator of the bus can be separate from the owner and operator of the payload, a new threat environment is introduced. The payload operators may now need the ability to send commands and receive status independent of the bus operations. The owners no longer rely on bus-encrypted communications—instead, they must provide their own control channels, or use a satellite provided, shared communications channel with other payload tenents.

The new threat environment now appears to be much like the threats experienced by enterprise architectures. Shared communications systems are exposed to multiple organizations using Internet protocols. This is similar to the environment that businesses work in today and invites the consideration of including protections that are currently effective in enterprise computing.

The Hosted Payload Alliance (hostedpayloadalliance.org) is a satellite industry alliance formed to increase awareness of the benefits of hosted government payloads on commercial satellites. The US National Space Policy published in 2010 calls for an increasing role for commercial space to meet government requirements and explicitly directs the use of non-traditional options for the acquisition of space goods and services, and cites hosted payloads as one of these non-traditional options. The policy notes that public-private partnerships with the commercial space industry can offer timely, cost-effective options to fill government requirements.

This column’s question for HPA Members is…

What does the commercial industry need to do to ensure the security of satellite and hosted payload operations to meet government information assurance standards?

The Harris AppStar hosted payload platform. Image is courtesy of ©Harris Corporation.

“The commercial SATCOM industry has the ability to meet the most daunting Information Assurance (Mission Assurance) requirements, whether those requirements come from Governments or commercial customers. All of the major satellite manufacturers can, or have plans to, offer NSA Type 1 certified command and/or telemetry encryption using the latest NSA approved Gryphon algorithms. In addition, hosted payloads which require their own command, telemetry or data Information Assurance protection can look towards the Air Force’s Space and Missile Systems Center hosted payload interface unit specifications to meet these requirements. 

“The Air Force’s CHIRP program used a dedicated command, telemetry and data channel that was protected by Secret level, NSA Type 1 encryption units for both uplink and downlink data. 

“The commercial SATCOM industry also looks beyond the spacecraft requirements to those requirements that ensure the data is protected while in transport on the ground as well. The Defense Information Systems Agency (DISA) has established Mission Assurance Categories (MAC) for Commercial SATCOM. Designing a system to meet these robust requirements ensures the integrity and availability of the data from its point of origin to its final destination.”—Tim Deaver, Corporate Vice President, Development, SES Government Solutions.

“In short, good fences make good neighbors. When a satellite is owned and operated by a single entity, using Cardholder/Pegasus to encrypt commanding and telemetry is a reasonable strategy.  When multiple entities coexist on the satellite, the protection boundary moves from the satellite to the payload. In IA terms, this means treating each payload and the satellite bus as “untrusted entities”, and protecting each separately.  Protection includes cryptography, authentication, auditing, and integrity to the degree dictated by the individual entity’s mission.  

“Ground systems have used this concept for years, but application to satellites has been rare due to satellites typically being isolated and operated by a single organization.  The advent of hosted payloads has changed the dynamic of the industry.  Smart hosted payload design requires incorporation of IA techniques adapted to the environment.  Commercial industry can do this using existing IA standards and the established approval processes.”—Rob Clark, Hosted Payload Manger, Harris Corporation

“The advanced security issues that we face today continue to gain significant attention.  It’s important to note that threats are not new, and Intelsat has been addressing the ever-changing security landscape since 2002 with a comprehensive framework that focuses on the three core tenants of security: confidentiality, availability and integrity. 

“We believe it is imperative that security belongs in the foundational DNA of every company, especially those in our industry.  Our ecosystem must adapt to this persistent threat and invest in the necessary tools to keep our customers safe and preserve the integrity of our networks.

“Intelsat leverages the following governing control frameworks: 1) DoDI 8500.2; 2) NIST 800-53; ISO 27000 series to support the government’s information assurance requirements.  Pursuant to the government’s requirements and objectives, commercial IA methodologies can include these top-level themes: 1) Defining the scope and boundaries of information systems, services, facilities, and architectures; 2) Map applicable existing framework and unique controls from IA requirements and incorporate mapped controls into design and architecture and perform a risk assessment to complete the accreditation process.”
Gerry Jansson, Director, Space Segment Developing, Intelsat General Corporation.

The Global Aircraft Surveillance Payload
ADS-B Communications Signal Receiver

This article is courtesy of the Hosted Payload Organization's infosite.

Sponsor: Aireon LLC.
Operator: Iridium / Exelis.
Manufacturer: Harris Corporation.
Spacecraft: Iridium NEXT Constellation.

In this day and age, it’s hard to comprehend that technology created during the Second World War is still being used to surveil airspace and track aircraft throughout the world. Air Navigation Service Providers (ANSP), airlines, air traffic controllers and other stakeholders continue to rely on radar as their primary source of surveillance. More recently, technologies such as Automatic Dependent Surveillance-Broadcast (ADS-B) and Wide Area Multilateration (WAM) have become accepted alternatives.

However, current land-based systems are limited to line-of-sight, leaving an estimated 70 percent of the world’s Flight Information Regions (FIR) uncovered by any real-time surveillance. With technology that would provide global real-time surveillance, business practices and safety will be improved and also allow for more environmentally friendly operations.

In 2012, Aireon was formed through a joint venture between Iridium Communications and NAV CANADA, with subsequent investments from ENAV, the Irish Aviation Authority and Naviair, to provide a space-based, real-time surveillance system. The backbone of Aireon’s technology resides on the Iridium NEXT constellation of satellites gearing up to launch at the end of 2015. To enable the Aireon® system, Iridium will host specially designed payloads on each Iridium NEXT satellite.

Aireon’s CEO, Don Thoma, understands the importance of hosted payloads, having served as the Hosted Payload Alliance’s Founding Chairman. The hosted payload model is a critical enabler of the Aireon space-based aircraft surveillance system and can be a similar enabler for other critical applications.

According to Thoma, “Hosted payloads create an unprecedented opportunity for new space applications by providing cost-effective access to space-based infrastructure. When we first started exploring hosted payloads on Iridium NEXT, we realized that the aviation industry would benefit by putting ADS-B, the FAA’s next-generation GPS-based surveillance technology, in space. Aireon is coming to fruition by the merging of two important components—Iridium NEXT with ADS-B receiver hosted payloads built by Harris.” He added, “This combination of technologies will enable a breakthrough air traffic management capability by providing real-time, global aircraft surveillance at an affordable cost to aviation stakeholders.”

Iridium NEXT’s low-latency, 66 cross-linked Low Earth Orbit (LEO) satellites make it uniquely suited to meet the technical demands of global air traffic monitoring. The LEO satellites will orbit approximately 485 miles above the Earth, and each satellite will be cross-linked, creating a dynamic network to ensure continuous availability in every FIR on the globe with low latency and update rates suitable for air traffic control. The Aireon receivers located in each hosted payload will detect ADS-B signals from next generation equipped commercial aircraft all over the world—including vital airways over oceans, mountains, remote areas and polar regions—relaying them seamlessly to air traffic controllers on the ground.

According to Matt Desch, CEO of Iridium “Aireon represents a big milestone for commercially hosted payloads and will serve as a ground-breaking use of Iridium NEXT. Iridium is the only company with the capability and reach to enable this, and we are thrilled that our service will make air travel more efficient and safer. Aireon is truly revolutionary.”

The Harris Corporation is manufacturing the ADS-B receiver hosted payload that has a highly sensitive Aireon receiver coupled with multiple steerable beams, all capable of detecting aircraft with ADS-B compliant avionics. The overlapping satellite beams provide for multiple views of aircrafts from multiple satellites. This increases the ability to detect the aircraft at a high update rate.

Additionally, built into the Iridium® mesh network of satellites is the ability to transfer data between satellites to the ground receivers through a low latency data link. The information will then be distributed through a highly redundant processing center for use by Aireon customers.

Aireon is working in partnership with Iridium, along with the leading ANSPs NAV CANADA, ENAV, the Irish Aviation Authority (IAA) and NAVIAIR to deploy the robust system.

The system will undergo rigorous testing over the next two years. The testing will be done by Aireon, and its launch customers in the North Atlantic and Europe and will ensure all safety cases are being completed. With the first launch of satellites scheduled later this year, and the full network expected to be completed in 2017, investors and partners will have several years to prove the concept before implementing it, with many additional ANSPs in the process of joining this group of pioneers.