Cyber Conflicts in Outer Space: Lessons from SCADA Cybersecurity

Publication year: 2021

Roy Balleste

He captured strange and distant worlds in greater detail than ever before. They were beautiful, magnificent . . . full of awe and wonder. But beneath their sublime surfaces . . . there was nothing. No love or hate. No light or dark. He could only see what was not there . . . and missed what was right in front of him.
—Roy McBride1


Introduction

The story of cybersecurity begins on land. By land, a cyber operations expert would mean the land mass on the surface of the Earth. The great monuments to human achievement surround our daily lives, every hour of every day. These testaments to human ingenuity are not the usual ones known to be appreciated as works of art. The monuments of concern for cybersecurity include, among others, power plants, electrical substations, water dams, water processing plants, auto assembly factories, and satellite ground stations. On January 10, 2014, Australia's IT News reported that Russian researchers Sergey Gordeychik and Gleb Gritsai discovered vulnerabilities in industrial control systems that granted them "full control of systems running energy, chemical and transportation systems."2 The researchers spent a year prying into the supervisory control and data acquisition (SCADA) systems that controlled critical national infrastructure and, in particular, noted vulnerabilities in the Siemens WinCC software for industrial control systems.3 The Siemens SIMATIC WinCC refers to one of the SCADA components. In this case, the WinCC serves as a human-machine interface portal for the use of the operator to control remote operations.4 Siemens did eventually release security updates for its SCADA products to patch critical vulnerabilities.5 One of the vulnerabilities would have allowed an attacker "to remotely execute arbitrary code on a Siemens SIMATIC WinCC SCADA server by sending specially crafted packets to it."6 This vulnerability received a score of 10 in the Common Vulnerability Scoring System—the maximum—since it would have allowed a full system's compromise.7

SCADA systems are common to the daily life of every nation in the world, yet these remain seriously vulnerable. For this reason, this Article provides guidance on selected aspects of securing the SCADA systems and its effects for the commercial satellite industry. The challenge for those engaged in space activities is much more complex than in the early days of the Gemini and Apollo programs. It is in this emerging world of clandestine online maneuvers that industry stakeholders encounter the evolving conflict of cyberspace in outer space. There are legal considerations that intersect the role of SCADA systems in modern society. These systems offer the benefits of automation while operating without the trappings of human error.8 Since these systems are autonomous by design, human operators expect that production outcomes will match real-time unique management mechanisms of accuracy.9

SCADA systems are utilized across various industry sectors. In the modern world of industries' cyberthreats, the potential for a cyberattack with devastating consequences is not out of the realm of possibilities. As a result, senior executives are encouraged to improve the security of their organizations' SCADA systems. Failure of performance in one of these systems—for example, the water infrastructure—would raise serious and somewhat unexpected concerns for the human operators and the general public counting on their services. In April of 2020, Israel's Water Authority, along with the National Cyber Directorate, advised the water companies of a cyberattack on their SCADA systems.10 The hacker's main intention had been to direct the systems to dump larger amounts of chlorine in the water.11 There was a larger implication in this real scenario. While an attack against a water system may have been low profile, it presented high impact consequences.12 The fact that malicious actors were willing to interfere with a water system, even during a pandemic, highlighted the security risks that management executives and operators must navigate.13

The lawyers of the twenty-first century have challenges beyond those of their counterparts in the twentieth century. Today's lawyers work within five domains that intersect technology: land, sea, air, outer space, and cyberspace. The role played by the lawyer vis-a-vis the chief information security officer (CISO) of an organization and the responsibilities associated with this role has become critical. The challenges at hand are those cyber conflicts that threaten the peaceful utilization of cyberspace. With the increasing proliferation of mobile technologies and the growing real-time borderless exchange of information, satellite networks have become a vital tool with international connotations requiring a global approach. It is in outer space where the next adventure begins. The exploration of outer space fills the imagination of many individuals. The idea of colonizing distant places of our solar system, and beyond, offers some tantalizing possibilities. This idea, in many ways, seems to border the imaginary. Indeed, the story of Astronaut Roy McBride, in the sci-fi film Ad Astra, compels us to consider the future possibilities of space exploration, while also reminding us of the fragile human existence:

Vehicle system: "Trajectory, Earth. two point seven one four billion miles."
Roy McBride: "I am looking forward to the day my solitude ends, and I'm home."

And with just a few words, McBride sparks our imagination about the solitude encountered in the immeasurable universe.14 He helps us understand that future space travel will be challenging, where extraordinary events will intersect ordinary moments. As nations seek ways to protect their national critical infrastructure sectors, the international community wrestles with extraordinary legal challenges associated with ordinary vulnerabilities identified by malicious online attacks. Commercial activities in outer space, by default, will require some degree of cyberspace utilization. The applicability of international cyber law to space activities intersects, for example, with Article III of the Outer Space Treaty (OST), highlighting activities in outer space that could involve hacks of "the landlines that connect ground stations to terrestrial networks."15 The applicability of international law finds its footing with Article III of the Outer Space Treaty:

States Parties to the Treaty shall carry on activities in the exploration and use of outer space, including the Moon and other celestial bodies, in accordance with international law, including the Charter of the United Nations, in the interest of maintaining international peace and security and promoting international co-operation and understanding.16

As a result, and by extension, Article III of the Outer Space Treaty provides part of the legal context for the application of international law to cyber operations in outer space. The concerns over cyber vulnerabilities have steadily become a matter of international priority and relevant to space activities. Michel Bourely, former General Counsel of the European Space Agency, explains that "[f]rom the moment when humanity began undertaking certain activities in space, the international community was conscious of the need to organize them by adopting, as early as possible, a means of regulation."17 This was the first clue: new law would be needed to tackle future and emerging space activities. Indeed, he also notes that "by their very nature, space activities have no respect for national boundaries. . . ."18 Thus, this lack of respect, if considered from the opposite point of view, opens up new challenges and new opportunities. This has been the essence of space, and interestingly, also of cyberspace. Cyberspace was invented for a military purpose, and this purpose has evolved over time. Despite its promising future, the complexities of Internet communications have become tied to the emergent space activities of nation-states and the commercial industry. The interconnection of cyberspace via ground stations and space via satellites has opened potential risks and actions of dubious motivations organized by malicious actors.19

The status of security requires that cyberspace be understood as "an inherently adaptive, iterative and interactive domain."20 Cyberspace, thus, is a landscape where nation-states and other actors remain in constant interaction, and it is a domain where conflict cannot be contained to specific areas.21 In this landscape of threats, new space executives need to maintain the initiative—and anticipate that vulnerabilities will pose a danger to their operational outcomes.22 One anticipated vulnerability is tampering with data integrity or seeking to affect data availability.23 Indeed, malicious code can be used to create a cyberattack aimed against computer instruction logic or data.24 Malicious code can exploit vulnerabilities in computer software or security practices of an organization that, in turn, would disrupt data access.25 These and relevant aspects of the security systems need to be understood and addressed by industry executives and SCADA operators.

The desire to resolve the challenges associated with SCADA systems has concentrated on surveying the vulnerabilities, understanding these, and proposing a solution. This Article seeks to add a new assessment process aided by existing standards. The Article offers guidance to understand selected aspects of the SCADA systems, including relevant information for the benefit of satellite industry executives, SCADA operators, and engineers. The Article identifies known threats and vulnerabilities. It also explains the consequences of significant cyberattacks that result in substantial damage or...
