Aerospace Village - Cybersecurity Lessons Learned from Human Spaceflight

Video thumbnail (Frame 0) Video thumbnail (Frame 1071) Video thumbnail (Frame 2927) Video thumbnail (Frame 4393) Video thumbnail (Frame 10684) Video thumbnail (Frame 11543) Video thumbnail (Frame 13190) Video thumbnail (Frame 14778) Video thumbnail (Frame 16836) Video thumbnail (Frame 18423) Video thumbnail (Frame 21113) Video thumbnail (Frame 24943) Video thumbnail (Frame 26923) Video thumbnail (Frame 30704) Video thumbnail (Frame 37323) Video thumbnail (Frame 38664) Video thumbnail (Frame 40821) Video thumbnail (Frame 45453) Video thumbnail (Frame 47610) Video thumbnail (Frame 54141) Video thumbnail (Frame 57612) Video thumbnail (Frame 59311) Video thumbnail (Frame 60572) Video thumbnail (Frame 61675) Video thumbnail (Frame 63796)
Video in TIB AV-Portal: Aerospace Village - Cybersecurity Lessons Learned from Human Spaceflight

Formal Metadata

Aerospace Village - Cybersecurity Lessons Learned from Human Spaceflight
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Space is incredibly important in our daily lives – providing the GPS navigation on our phone and in our financial system, national security communications throughout the world, and remote sensing of weather conditions and other indicators of the health of the Earth. We’ve had a very complacent attitude about our satellites because physical access has been impossible. Now we know our key infrastructure is at threat on the ground, and it is in space as well from both physical and cyber threats. There are many important lessons to be learned about the software approach to human space flight and its high standards for software error rate and redundancy, tiered levels of access, distributed architecture, command protocols, and there are mistakes to learn from as well. The space industry is changing very rapidly. With commercial space stations, lunar exploration, and nation states competing for achievements – and resources – in space, we must understand the implications and prepare for the challenges ahead. Pam Melroy - is a retired US Air Force test pilot and former NASA astronaut and Space Shuttle commander. After NASA she worked at Lockheed Martin on the Orion lunar exploration vehicle program, the Federal Aviation Administration’s Office of Commercial Space Transportation, and at DARPA. She is now an independent consultant and advisor.
Cybersex Forcing (mathematics) Multiplication sign Aerodynamics Information security Spacetime
Arm Fluid mechanics Forcing (mathematics) Chemical equation Multiplication sign Sound effect Mass Mereology Entire function Element (mathematics) Connected space Power (physics) 2 (number) Software Gravitation Position operator Spacetime Computer worm Physical system Thomas Bayes
Satellite Mobile app Euler angles State of matter Variety (linguistics) Multiplication sign Software bug Hacker (term) Energy level Software testing Office suite Information security Metropolitan area network Physical system Cybersex Pattern recognition Quantum state Physicalism Bit Denial-of-service attack Database transaction Special unitary group Price index Vector potential Type theory Data stream Database normalization Software Telecommunication Order (biology) Transmissionskoeffizient Intercept theorem Spacetime Asynchronous Transfer Mode
Touchscreen Execution unit Line (geometry) Neuroinformatik Number
Web page Axiom of choice Group action Multiplication sign Maxima and minima Neuroinformatik Number Power (physics) Different (Kate Ryan album) String (computer science) Bus (computing) Chinese remainder theorem Macro (computer science) Task (computing) Physical system Vulnerability (computing) Area Interface (computing) Keyboard shortcut Maxima and minima Message passing Software Phase transition Electronic visual display Spacetime Computer worm
Laptop Logical constant Link (knot theory) Code Line (geometry) Multiplication sign Bit rate Mereology Vibration Order of magnitude Computer Power (physics) Neuroinformatik Bit rate Thermal radiation Error message Weight Forcing (mathematics) Reflection (mathematics) Volume (thermodynamics) Bit Total S.A. Line (geometry) Computer Entire function Product (business) Error message Software Personal digital assistant Thermal radiation Right angle Table (information) Spacetime
Computer program Group action INTEGRAL Multiplication sign Execution unit Set (mathematics) Computer Software bug Neuroinformatik Mathematics Bit rate Different (Kate Ryan album) Semiconductor memory Formal verification Core dump Backup Error message Physical system Structural load Parallel port Range (statistics) Mass Computer Flow separation Entire function Orbit Message passing Process (computing) Interface (computing) Software testing Energy level Escape character Procedural programming Physical system Inclined plane Mass Code Read-only memory Software Computer hardware Software testing Addition Execution unit Turing test Uniqueness quantification Interactive television Database normalization Software Personal digital assistant Backup Computer worm
Laptop Computer program Complex (psychology) Dataflow Functional (mathematics) Game controller Mobile app Greatest element State of matter System administrator Multiplication sign Insertion loss Coma Berenices Orbit Neuroinformatik Architecture Mechanism design Robotics Synchronization Operator (mathematics) Software Digital rights management Information security Position operator Computing platform Computer architecture Physical system Email Information Mapping Multitier architecture Bit Line (geometry) Control flow System call Orbit Message passing Software Function (mathematics) Telecommunication System programming Backup Right angle Filesharing-System Asynchronous Transfer Mode Spacetime Computer worm
Satellite Complex (psychology) State of matter Multiplication sign System administrator Insertion loss Nominal number Computer Neuroinformatik Mathematics Computer network Bus (computing) Flag Error message Information security Physical system Software bug Electric generator Kolmogorov complexity Fehlererkennung Type theory Message passing Arithmetic mean Frequency Telecommunication System programming Whiteboard Spacetime Point (geometry) Game controller Number Tablet computer Telecommunication Software Spacetime Digital rights management Booting Form (programming) Information Quantum state State of matter Plastikkarte Data transmission Mathematics Causality Error message Event horizon Software Complex system Game theory
Cybersex Trail Addition Service (economics) Game controller Information Multiplication sign Characteristic polynomial Set (mathematics) Computer network Public key certificate Process (computing) Bit rate Software Internetworking Videoconferencing Musical ensemble Single sign-on Energy level Musical ensemble Videoconferencing Information security Communications protocol Computer worm
Polar coordinate system Presentation of a group Local area network View (database) Shape (magazine) Mereology Computer Neuroinformatik Software bug Bus (computing) Videoconferencing Backup Information security Physical system Cybersex Workstation <Musikinstrument> Email Touchscreen Arm View (database) Moment (mathematics) Control flow Computer Portable communications device Flow separation Twitter Element (mathematics) Radical (chemistry) Right angle Procedural programming Quicksort Whiteboard Physical system Spacetime Laptop Game controller Firewall (computing) Rule of inference Twitter Element (mathematics) Architecture Hacker (term) Internetworking Robotics Operator (mathematics) Computer hardware Energy level Computer worm Proxy server Traffic reporting Game theory Form (programming) Computer architecture Addition Multiplication Polar coordinate system TDMA Personal digital assistant Robotics Backup Computer worm
Satellite NP-hard Computer program Context awareness Group action Euler angles Code Weight Multiplication sign Real-time operating system Insertion loss Mereology Neuroinformatik Formal verification Bus (computing) ARPANET Cuboid Office suite Information security Physical system Vulnerability (computing) Cybersex Area Enterprise architecture Satellite Software developer Computer Flow separation Data stream Data management Telecommunication System programming Data logger Encryption Whiteboard Information security Elektronische Wahl Physical system Spacetime ARPANET Point (geometry) Functional (mathematics) Patch (Unix) Disintegration Cybersex Frequency Moore's law Hacker (term) Operator (mathematics) Computer hardware Energy level System programming Spacetime Software testing Firmware Metropolitan area network Computer architecture Information Uniqueness quantification Weight Computer program Code Configuration management Exploit (computer security) Kernel (computing) Voting Software Computer hardware Computer worm
Satellite Gateway (telecommunications) Computer program Information Logistic distribution Real number Multiplication sign Vermaschtes Netz Twitter Element (mathematics) Orbit Vector space Computing platform Spacetime
Point (geometry) Satellite Building Information Logistic distribution Data storage device Insertion loss Heat transfer Orbit 2 (number) Connected space Goodness of fit Internetworking Software Internetworking Telecommunication Delay-tolerant networking ARPANET Communications protocol Delay-tolerant networking Spacetime
Cybersex Building Internetworking Information security Delay-tolerant networking Vulnerability (computing) Spacetime
hello i'm pam melroy and i'm delighted to be here today for aerospace village to talk about cyber security lessons learned from human space flight so i'll start out by introducing myself i am a retired air force test pilot
and a nasa astronaut i flew three times
in space on the space shuttle to the international space station my first two missions i was the pilot in the right seat and on my final mission i was the mission commander of the space shuttle now all of my missions were to the international space station
and this is a picture of what it looks like now in space orbiting above us at about 400 kilometers it's an international laboratory now there's lots of very interesting science that you can do in microgravity as you're whizzing around in low earth orbit experiencing a balancing of all the forces so it feels like there's no gravity you don't feel the effects of gravity even though they're there um we discovered we could do a lot of really interesting science on the space shuttle like fluid mechanics combustion and even studying the human body in biology but flying on the shuttle uh we only flew about six or seven times a year for about 10 days to two weeks at a time and so the united states joined with our partners russia japan canada and europe to build the international space station so that we could do science 24 7 365 days a year and now of course if you look at the space station you realize it's far too big to put on the top of a rocket and launch it we had to bring it up a piece at a time and build it as we went along if you look in the
upper left hand corner you can see atlantis from my second flight with part of the truss segment that the solar array sit on filling up the entire payload bay so we carried up an element at a time and then using the robotic arm of the space shuttle and the space station maneuvered it into position and uh and then bolted it down and then we sent space walkers outside to make the power cooling and data connections and then inside the space station we would activate the element now most of the time we actually had to upgrade the software each time that we did that on the iss because we had new mass properties new capabilities and so it wasn't just activating a new element it was actually constantly evolving the international space station command and data handling system
now after i left nasa i went on to
a variety of opportunities in industry and government including spending a couple of years with the faa's office of commercial space transportation learning all about uh space policy and the new emerging commercial space industry and i spent four years at darpa as a deputy of the tactical technology office overseeing the air and space research portfolio space is incredibly important in our daily lives the gps navigation that we have on our phone is just just the beginning think of all the apps that use gps agriculture most importantly financial transactions when you use an atm the timing signal is set by gps we also use space for national security communications throughout the world think about remote sensing of our earth to study the weather be able to predict it and have other indicators of the health of the earth we've had a very complacent attitude about our satellites because physical access was basically impossible once the satellite was launched but now we know that our key infrastructure is at threat on the ground and it is in space as well from both physical and cyber threats space systems have always focused on safety and mission assurance because you can't access them you can't repair them and it's expensive to launch things so we spent a lot of time focusing on redundancy and testing and mission assurance now we have the commercial world coming into play doing things faster and cheaper and we have the potential for lunar exploration and we also have nation states competing for achievements and resources in space so the threat is evolving we need to understand the implications and prepare for the challenges ahead i'm going to talk a little bit about the lessons learned from the software approach to human space flight for both the space shuttle and the space station but first i'd like to actually address so what is the real threat what could a hacker actually do to a satellite well the simplest hack of course is a denial of service uh pretty straightforward and it's actually happening today jamming of signal sometimes it's inadvertent uh just having a transmitter tuned too loudly so it's drowning other transmitters out and sometimes it's completely intentional you could intercept commands and data so uh you could understand what things the satellite is pointing at what it's taking pictures of see those see that data stream for yourself and also uh intercept communications there's also the potential for the man in the middle type of attacks that's quite a bit harder actually with most space systems now because uh you would have to really understand the data stream in order to alter it now could you do something crazy like send it over to hit another satellite so if you think about a self-driving car and hacking that you could drive it off the road well not really most satellites don't actually carry enough propellant to maneuver over to another satellite but what you could do is run the satellite out of fuel you could shut down a critical system like cooling or pointing the solar rays at the sun now there are roughly 5 000 active satellites in space but only the international space station has humans on board permanently so even back in the 70s when the shuttle was being designed there was a recognition that it was going to be different lives were going to be at stake so a much higher level of attention needed to be paid to software errors that could have catastrophic consequences so i'd like to talk about some of the lessons that we can learn from the shuttle and from iss
now it's kind of easy to make fun of the
space shuttle yes this is a picture from my first flight and you can see that we interfaced with the shuttle computers using a cathode ray tube screen and uh that that's a blow up of what it looks like it's uh black with green letters on it uh absolutely no no graphics processing units or uh uh you know any kind of artistry at all it's anything that you could make with numbers and lines and that was pretty much it we also
were very limited in the way that we could communicate we didn't have a full keyboard the way most computers do we had a small hexadecimal keyboard now this actually wasn't that bad one of the very clever things that was done with shuttle software was the extensive use of bundled commands what i would in my simplistic mind think of as a macro so there were many many things that needed to have multiple tasks done say to configure the entire vehicle for a different phase of flight or to prepare for another activity so rather than throwing switches which were you know limited uh limited space or pressing in a number or an action for every single one you had the capability to hit item and a number and then execute on a given page and it would set off a whole string of bundled commands it actually wasn't as bad to interface with as you might think
now here's one of the areas that i really didn't like the fault summary so if something went wrong this is the page that you went to and it had a maximum of 15 faults displayed which most of the time was was pretty okay but worse it doesn't have any scrolling capability so on my first flight we had a malfunction we had an electrical bus short on a payload bus that provided about one third of the power to the payload and the systems aboard the space shuttle now you can imagine when that happened every bell and whistle went off inside the space shuttle and when i went back to look at this fault some i didn't didn't have very many choices i had to either write everything down because when i hit reset it was gone and i could never see it again and uh the messages would stack up and get lost behind each other so definitely um you can see some real weaknesses in the interface area i think that was uh that was a real challenge i think uh but probably very reflective of the capabilities of the 70s
the shuttle general purpose computer or gpc was a marvel really incredibly rugged so carrying a whole whopping megabyte of ram but very very rugged had to be rugged it had to withstand the intense vibration and g's of launch it also had to be very radiation tolerant compared to the laptops that we carried that i'll talk about in a little bit which uh had constant cosmic ray hits and corruption of their of data requiring you to reboot them typically once a day that was not the case with the gpc it was very very rugged and it was meant to be radiation tolerant it was also highly efficient only 400 000 lines of code to operate the entire space shuttle pretty amazing actually that we could do that part of the reason for that is that code in space has weight implications that's right if you're doing more computations you need more power and more cooling which is more mass and more volume and so efficiency in software is incredibly important in space and the space shuttle definitely reflected that
one of the cool things about the space shuttle software was it had a very very low error rate so i'm showing here a table from a great paper that's got the link at the bottom uh about you know a reflective of the space shuttle software history if you look back uh to the right hand side there the total error rate per case lock uh in 1981 was about eight to nine uh that's pretty darn good and uh within seven years it was consistently down around one which is an order of magnitude better than commercial software some would say two orders of magnitude depending on the software and you can see that by the time we got close to the end of the space shuttle uh flying the space shuttle we had gotten the error rates in our uh new updates down to zero now how in the world did we do this well we kind of had to brute force it
right it was a lot of verification and testing so each space shuttle mission had unique software on it now there was the core software which was the same but there it was actually a unique software load because you had a different payload you had different mass properties maybe you were going to the space station or maybe you were going to a different inclination so for each shuttle mission months were spent on that unique software load doing verification in sale the shuttle avionics integration laboratory and the idea behind that is you would have crews and engineers who would run through tons and tons of scenarios lots of procedures to verify that there were no unwanted changes to the software this is pretty amazing considering that there were no auto debugging capabilities at that time uh so it was very manual intensive but it does show that it is possible to get very very low error rates one of the other interesting things about the shuttle software program was that not only was verification very intense but if a bug or an error was found this the program would go back and take a look at what process escape allowed that bug to slip through so in addition to just checking the software they were also looking at the entire coding process to go back and see if they could trap any other bugs that were from the same process escape and plug that process escape so that future bugs would not be introduced to the system
another aspect of the space shuttle that was really interesting and added to the resiliency of the system was the flexible redundancy in the software systems put into the general purpose computers so we carried five gpcs aboard the space shuttle four of them were loaded with the primary avionics software system known as pass and one computer was loaded with backup flight software or bfs that software was developed completely independently it was a separate company a separate group of people there was no interaction or interfacing between them that backup flight software was there to protect in case there was a flaw in the primary avionics software system that affected the four primary computers that were used now backup flight software didn't have all the same capability as pass it had basically what you needed to complete an ascent and get to orbit safely or if you had a problem occur on entry to get down to the ground so on on ascent and entry we flew with four computers running in parallel with each other and the backup ready to go and if there were any failures uh that you lost confidence in either the software or the gpc's the crew could press a red button on the stick and instantly jump over to the backup flight software and then get into a safe place with that software any computer could take any of that software if you got on orbit and realized that the bfs computer uh that had bfs loaded into it had a a hardware problem that was fine you could load bfs for entry into any one of the other gpcs the mass memory unit on board had several copies of both sets of software so if you found an error in the software maybe there was a a coding problem or a corruption in one of the gpc's you could reload the software from the mass memory unit and you'd had actually several copies uh to select from in case again somewhere on the mass memory unit there was a corruption or a failure incredibly flexible incredibly redundant
the other key aspect that i think had a very positive impact on resiliency but also on security is a distributed architecture and the space shuttle was one of the first vehicles to use this capability so the idea is that you separate critical functions and then you're very careful and limit what information is allowed to pass between them and there are checks to make sure that you protect that so on orbit we would shut down uh three of the gpcs into basically into uh a warm mode and so that we could restart them if we needed to we had one that actually was was warm as a warm backup and the other two were shut down completely and then in one computer we had guidance navigation and control very critical software controlling the vehicle knowing where its navigation state was knowing where you were appointed all very very critical aspects of operating the vehicle and then in another computer we loaded systems management software or sm software and that had critical functions having to do with the systems but the communications between these were very tightly structured
well we found pretty quickly that three crts was not enough information for the crew especially as our missions began to get more complex on in the shuttle program and so we added a third tier to the distributed architecture a payload uh general support computer or pgsc and that's a picture of the ibm thinkpad uh that i flew on my mission says a pgsc uh each crew would carry somewhere between five and seven pgscs they performed functions like a world map so that you could just glance at the map and know exactly where over the earth you were you could see critical things like if there was a loss of communications coming up a com outage or something like that but we used them heavily for mission support in the bottom left picture as me and my friend koichi wakata had just completed a very complex robotics operation using the two pgscs mounted behind us of course in microgravity it was pretty easy to mount those anywhere that you wanted to they just would stick with a little bit of velcro on a on a platform and those uh pgscs would take data from the gnc and the sm computers but could not send anything back so it was a one-way flow of data from the gnc computer or the sm computer to the pgsc now in the bottom right hand corner you see a picture of the rendezvous and proximity operations program or rpop which is an app that we used to visualize the orbital mechanics between the shuttle and the station and that picture was taken shortly after i docked to the space station showing uh my my approach my line of approach now we also used these laptops for email but the email wasn't directly connected in fact what would happen is the ground would sync up our mail three times a day so you know three times a day we'd get a message from the ground basically mail call and uh you know everybody would scramble for a computer uh to check their email we could do that because we were only in space about 10 days to two weeks at a time we also used it for file sharing and other things like that the pgscs were absolutely essential but they were also very isolated and very protected
now this is a pretty happy story about the overall security of the shuttle software system and how we approached it but that doesn't mean that we didn't have unanticipated issues almost all of them resulting from complexity so we used uh for many many years on the um the space shuttle inertial navigation units were the primary form of maintaining the navigation state you know where are you in space and the ground could up uplink information from a radar pass or something that gave us more precise information but when the opportunity came to integrate a gps receiver uh when they started to become uh lightweight enough and ubiquitous enough that was a great opportunity because we were doing highly precise navigation maneuvers like rendezvousing with the space station now the first time we tested it was on sts-91 and of course we're smart enough not to make the gps receiver be the only generation of the nav state in fact we disconnected the gps receiver from the primary nav state of the gnc computer so we didn't want to influence or upset that but we wanted to monitor it so there was an aiding state basically a secondary state that the gps receiver would periodically update and that way we could sort of measure and see what the nav state would look like if the gps receiver was updating it well we had a little hiccup the gps receiver had a software anomaly and basically went into a control alt delete type reboot situation and unfortunately at exactly the same time the gnc computer sent a message to the gps receiver asking for an update to the aiding state well the gps receiver never saw it when it came back up on board uh it was it was you know not a flag that was set and so it as far as the gps receiver was concerned it had never been asked for the information and never provided it so the gnc computer at that point said uh-oh gps receiver is down so stopped asking for updates from the gps receiver now that aiding state uh began to degrade right you're propagating a navigation state without putting any corrections in and sooner or later the numbers started to go pretty funky and math errors began to be generated no problem right no problem i told you already very limited information flows between the gnc computer and the systems management computer everything should be just fine well there are two very important things that are communicated between the gnc computer computer and sm the first one is the nav state so the systems management computer knows where to point the antenna to talk to the ground unfortunately when those math errors started to generate the other type of information came into play which is error codes of course the systems management computer wants to know if there's a problem on the gnc computer well the intercom computer communication bus got flooded with these math errors which essentially choked out passing the nav state so the systems management computer did not receive any updated shuttle state vectors and eventually this antenna lost lock with the satellite uh that that linked it to the ground and one of the most serious problems that can happen in space is a loss of communications and it happened while the crew was asleep well mcc to the rescue mission control uh was able to actually get in and figure out how to manually uh uh get get get a uh they eventually got got a lock over a ground station they sent a command to manually point the antenna at the tdrs satellite and uh and then uh were able to uh to fix the problem but it just points out that um even you know it was really incredibly resilient and they thought through as many errors as they could but in a complex system like this you can still have problems
now we learned a lot for the international space station i'd like to say we really upped our game we learned a lot about security starting all the way with the
ground system so even back in the apollo days there was uh not the capability to talk straight from houston up to the spacecraft but instead a large set of antennas in white sands new mexico talking the to the tracking and data relay satellite which then communicates low data rate s-band audio information and high data rate ku band video and payload data this entire network is completely owned by nasa so this is not going uh through uh open internet there's no uh cloud this is uh completely controlled to nasa and of course it's been updated so just another aspect of the security
another interesting issue was around mission control commanding now people weren't really thinking about hacking but what they were thinking about is making mistakes so an innocent mistake could send a bad command now that was true for the space shuttle too but we had fewer controllers for the space shuttle uh all hands on deck the six times a year or seven times a year that the shuttle was flying um so a high level of proficiency uh in a very small pool of people well with the international space station operating 365 days a year and 24 7 we needed a lot more controllers so there's a very rigorous certification process required for controllers in the international space station mission control center to allow them to send commands to the space station in addition there are screening protocols both before it ever leaves mcc going up to the iss and once it's on board iss to check and make sure that that that command will not inadvertently do some damage to the station and so again really all of these characteristics were really there for safety but they have the added capability of adding to the cyber security as well
now distributed architecture this is at a whole new level on the space station so starting with the command and control computers multiplexer demultiplexer or mdms there's three command and control mdms that control the station and just like the gnc and the sm computers on the shuttle in this case there are multiple separate payload and iss element mdms to control the system so highly distributed in that regard and again with very strict rules about uh bus traffic between them now the crew on board the space station does not have cathode ray tubes i'm very happy to report instead they use a laptop called the portable computer system i apologize for all the acronyms this is what nasa does though anyway the pcs is used for a cr the crew to send commands to the iss mdms it's essentially a remote terminal it plugs in they are not networked to each other they are plugged directly into the station and can send commands now they have the same issues that we did on the space shuttle wanting more screens more apps more capability and so there is an ops lan it is a local area network using station support computers these computers are used for procedures email and everything else including twitter now you may be wondering because i told you on the space shuttle we didn't have real-time access to the to the internet well that's a real hardship on the space station if you stop and think about that for a moment because there are people living up there for six months and i mean just even really simple things like if you were up there for six months and maybe you wanted to go on the internet and buy your husband a birthday present and lots and lots of other things so uh and of course the onset of twitter which astronauts have embraced completely so uh it took a fair amount of work to set up the cyber security because that was already a consideration even by then so there's a computer inside the firewall at the johnson space center that is the proxy computer so the space station support computers talk to the proxy computer which then goes out onto the internet now of course just like any computer it's still subject potentially to malware but the most important thing is the station support computers in no way shape or form are networked to the actual commanding of the station they're completely separate systems and they don't talk to each other and so a hacker might be able to get at with great difficulty but might be able to get at somebody's email on board the space station but they couldn't take over controlling the station sort of the up ultimate in a distributed architecture
so the use of computers is so important on the international space station i just want to show an example actually of of how they're used operationally and this is a picture from my third flight in space where we had a lot of important robotics operations so in the center of the screen you will see three videos and then underneath the one on the left and on the right are two hand controllers they control the robotic arm of the space station so that's how you move the arm is with those hand controllers now i talked about the pcs which does command and it actually can send commands to the big arm turn it on turn it off switch power sources and so forth and so the pcs on the right was set up for iss commands and then there's a backup pcs set up in the middle it enables you to quickly if there's a hardware or software failure uh on the primary pcs you could go to the backup pcs very quickly and in addition it allows you to monitor other critical systems that interact with the robotic arm and then the other three computers the two above and one to the left are part of the ops lan they're station support computers they provide extra camera views procedures file sharing etc etc
now areas of concern in space systems for me i'd like to shift gears a little bit and say uh this is what i see out there that is worrying me first of all um uplink and downlink to most satellites is encrypted but the data on the bus itself is not so of course it's easy to say well there's no way to access it it's just out there it's in space but in fact i think it is an area of concern it's something that we should be thinking about encrypting onboard traffic as well ground system vulnerabilities is probably the one place that if you're talking to a space person they will acknowledge there is a cyber risk our ground systems are very vulnerable they're just as vulnerable as any enterprise computer as part of any enterprise i.t system something interesting particularly in dod is that uh all of the constellations and all of the satellites most of them have completely unique ground systems now dod is moving away from that they're having a common ground system going forward but what that means is that they're all different now the good news is well if you figured out an exploit in one it wouldn't necessarily work on another one but the flip side to that from an enterprise it management standpoint is configuration management patching and so forth is a nightmare so that that is a real concern and uh fortunately it's it's being addressed in dod edge computing well the the challenge uh there is you know i had talked a little earlier about how men in the middle attacks are kind of hard on satellites because real time you have to see the data stream and then figure out what you want to inject into it well edge computing is uh becoming increasingly important now i mentioned the fact that in the past it's been minimized to do computations on board there was really just enough code and just enough hardware to run the satellite run its payload and then communicate all the data to the ground and that's as i said because it had weight implications well with the advent of advent of moore's law satellites are becoming smaller and more efficient because their electronics are more efficient so one of the challenges in low earth orbit is as you whizz around the earth every 90 minutes you really can only downlink your information when you happen to be within sight of a ground station and any one ground station you're only in sight of between five and ten minutes so you could take a picture but you might actually end up waiting a half an hour before you can downlink it well that's actually a challenge uh if you've got very short periods of time to get a lot of data down and so increasingly we're moving into a place where there's more and more computation moving on board and really getting high quality edge computing so that you can do all the the data management and that minimizes the amount of information that you have to downlink i'm just going to send you a notification that something has occurred or i'll send you a highly processed picture of what you're most interested in instead of a giant data stream well that is also going to make it a lot easier for man in the middle attacks finally the most uh serious problem i think we have in aerospace is complacency as i said many people in space think that their systems are not vulnerable to cyber we have an attitude in aerospace it's part of our culture and our values to think about safety safety is integral from design to test and verification and operations we just think that way we are going to have to figure out how to insert cyber security and an awareness of that into the values and the culture of aerospace all the way from the beginning in design and all the way through to operations i really think we are going to need to do that
now fortunately there's some exciting work being done on cyber physical systems one of my favorite demonstrations was in the information innovation officer i2o at darpa when i was there it's the darpa high assurance cyber military systems program or hackams so the picture you see there is an optionally crude helicopter called little bird built by boeing now the hackams program gave a group of hackers access to the flight data recorder and within 30 minutes they had hacked their way into critical systems on the little bird which really surprised everyone so the hackams program funded several performers to develop uh security capability and a secure kernel so i'm not a software person but to me a secure kernel is very much like the distributed architecture that i talked about for the shuttle and station you have a separation of critical functions and then you have a high level of restrictions about what information and checks and that they go on for information that flows in and out of that critical area this secure kernel um was loaded into little bird those same hackers were given access in the same way and all they could do was shut down the flight data recorder not very important and point the camera so it is possible to develop secure cyber physical systems now the hackams program is over but the system security integrated through hardware and firmware program or sif is still active and those of you who were at defcon last year may remember that darpa through the sith program brought a voting box a voting computer to defcon uh to work on the vulnerabilities and challenges of how to protect uh that hardware system from software exploits so i i have high hopes there's a lot of really good work going on i would like to see these best practices and these technologies proliferate into space
so a lot of interesting trends in space that are going to have an impact on this some of you may be familiar with some of these uh proliferated low earth orbit or p leo constellations like starlink or oneweb now i talked about low earth orbit and having to wait until you came over a ground station well the idea here is to have enough satellites which are also connected through crosslinks through a mesh network such that if one satellite takes a picture it can send the information through the mesh network to another satellite that's over a ground station and so this would greatly increase the persistence and in fact uh make it data ubiquitous at any time now there's some real challenges with mesh networking um so the space defense agency is working on that uh right now uh i think you're gonna see a lot more of these cross links and these mesh networks which of course will increase the attack vectors as well nasa is working
on going to the moon and on to mars their moon to mars program uh is a program that uh just like the space station they've reached out to international partners so far europe japan canada and australia have all expressed interest in joining in going to the moon to prepare and develop the technologies that will allow us to go on to mars and there will be an orbiting logistics platform called gateway in lunar orbit and then not too different from the international space station a moon village made up of different elements that different countries have doing whatever science they're most interested in but having shared infrastructure as we push out into the solar system
we're going to need a lot more logistics hubs so the most efficient way to get from point a to point b in space is through careful transfers of orbits low earth orbit to geosynchronous orbit geosynchronous orbit to lunar orbit geosynchronous orbit to mars orbit and you're going to see these logistics hubs that allow us to refuel or even build new satellites store and supply logistics and transfer not just data but also goods and supplies out into the solar system nasa's already
thinking about solar system internet but there's a big challenge with that communications is done through rf and what that means is it's prone to blockouts and fading now the way internet protocol works today is a packet that cannot show that it has connection all the way to its destination never gets sent well you can't have that in space because you're going to have these blockages these this fading of signal periodically so nasa has been working on delay tolerant networking that allows data to be cached uh as it pushes out and so that way if uh there is a loss of signal that's fine it can tolerate microseconds up to seconds and then pass along the information once the network is re-established interestingly this has implications as well darpa has also been working on it for disruption tolerant networking and that's more for uh emergencies uh uh you know disasters humanitarian disasters and things like that where there's not a consistent capability for the internet and so uh disre delay or disruption tolerant networking is going to be incredibly important as we develop a solar system internet so
i just want to say how wonderful it is to be here and thanks for inviting me to participate at the aerospace village i'm very excited about hackasat i think it's a really great idea idea it's a way to get insight into what the actual vulnerabilities are just like we did the demonstration uh for hackups but it's important to remember that the implications for space cyber security are huge even today i talked about how much of our economy depends on gps weather and so many other pieces of data that we get from space but there are bigger implications as we build out a solar system internet we're really going to have the opportunity to completely think this through again and go on to internet 2.0 technologies like delay tolerant networking and build in security from the beginning which is something that we didn't do with internet 1.0 so i'm hopeful that someone out there that's listening today will have some ideas about how to build a more secure internet for the solar system and i'm just going to ask you to get cracking on that thank you you