COLORADO SPRINGS, Colo.—U.S. Space Force contractors are building an AI-powered tool to detect cyberattacks on satellites by directly monitoring the behavior and telemetry outputs of satellite systems in orbit, executives said this week.
The Cyber Resilience On-Orbit tool will be available as a software program but could be implemented in hardware and installed on satellites, said Dick Wilkinson, cofounder and chief technology officer of Proof Labs, an Albuquerque, N.M., start up. CROO should be available next year, he said at a gathering organized by the non-profit Aerospace Corp. and the Space Information Sharing and Analysis Center (Space ISAC). ISACs are nonprofit membership groups organized so competing companies can share cyber threat information.
“The state of play for the industry right now, is that cybersecurity happens on the terrestrial side of your network for the most part,” Wilkinson said. “Yes, the satellite links, the radio links, tend to be encrypted. And there will be an encryption module on board … but that’s basically it. Let’s just be honest, that’s not very effective. That only protects the data that’s inside the transmission pipe. It doesn’t protect your satellite. It doesn’t protect other capabilities that exist on board.”
The CROO tool, which will be marketed to both military and commercial satellite operators, was partially funded through a research innovation contract from the Air Force Research Lab last year. Space Systems Command is the presumed Space Force customer for the technology, Wilkinson told Air & Space Forces Magazine.
In addition to Proof Labs, Big Bear AI and Redwire Space Systems are also contributing to the tool’s development, which uses machine learning and artificial intelligence to spot anomalous behavior on orbit. The AI model is being trained using high-fidelity synthetic satellite telemetry and other data, which is compiled by Big Bear using a digital model built by Redwire.
Joe Davis, senior cybersecurity research scientist for Big Bear, said the data set includes all the telemetry a satellite’s flight software would process: “We’re getting things like the speeds of the reaction wheels, the position coming off the Star Tracker, the angle of the sun, reported by the sun sensors on the satellite,” he said.
Using a digital model of a FireSat—a satellite that uses Mid-Wave Infrared sensors to look for wildfires on Earth—Big Bear compiled a time series of 1.2 million rows of data, modeling FireSat telemetry and other data both under normal conditions and under cyberattack, said Davis.
Big Bear will share the data as a GitHub repository so that others can use it to train their AI models, as well, Davis said
Importantly, CROO is designed to detect or infer cyberattacks from data not produced by the device or subsystem being attacked, said Mike Reher, aerospace engineering manager for Redwire. Designers want to guard against weapons like Stuxnet, the U.S.-Israeli cyberweapon deployed against Iran’s nuclear program more than 15 years ago, which caused the centrifuges used in Uranium enrichment to revolve so fast that they were destroyed, even as they continued to report normal telemetry.
“Knowing how well you can understand the real state of your satellite is very important,” Reher said. “There’s a lot of comparison [possible] … What is your reaction wheel really doing, versus what its sensors are reporting what it’s doing?”
The attacks modeled against the FireSat were targeted at the satellite’s reaction wheel—a flywheel, powered by electric motors, that controls the satellite’s orientation in space by storing angular momentum—and at its battery.
The battery is the heart of the spacecraft, said Wilkinson. “The battery is like the heart of the spacecraft, … If your heart stops, you stop. If the battery stops, you stop in space, right?”
He added that the two attacks modelled on FireSat, plus another three modeled on another satellite he wouldn’t identify, were chosen because they were relatively easy to catalogue. “We needed to select attacks and attack scenarios that would create telemetric noise,” he said.
An attack on the reaction wheel would rapidly become apparent because of changes to the way the satellite moved. “If something breaks, there’s a physical reaction to that breakage or there’s a massive change in the digital environment that would be noticeable for telemetry,” he said.
