So word is out that an upcoming congressional commission annual report will reveal that unnamed (but let’s face it, Chinese) hackers gained access to a satellite station in Norway and completed “all steps required to command the satellite” – the satellite being the Terra AM-1. Apparently another satellite was also compromised.
I initially had my doubts. In 2000 I was CEO of a wireless company that partnered with Lockheed-Martin to demonstrate a COTS solution for remote satellite control. In six weeks we did something nearly impossible. We used a wireless Palm VII PDA, hopped through commercial networks to NASA, and actually sent real-time commands to the WIRE spacecraft. We did this from Johnson Space Center’s Mission Control building but we could have done it from anywhere. Let me assure you that clearing the massive security hurdles for this project was no simple task. Our proposed architecture required input from engineers and executives at Palm Computing, AT&T, NASA, Lockheed-Martin, and one other agency that won’t be named. Not only was it secure, but the system was only live for a brief demonstration period before connections to commercial networks and the Internet were severed.
With this experience in mind it was hard for me to imagine anyone having vehicle control systems sitting, permanently exposed, on vulnerable networks. However, the more I think about it the more plausible it seems. Internet gateways to command and control systems are far more common now – as are vulnerabilities. This is a very real problem but outright negligence also can’t be overlooked as a possibility. It is possible that these systems could have been, or should have been, completely isolated from the public Internet, but were not.
Convenience is the enemy of security. NASA, and others, have to walk a difficult line here. On one hand, the Internet has driven extremely beneficial global collaboration and information sharing. On the other hand, systems connected to the public Internet will always be vulnerable. How many times has convenience trumped security in other systems? The vulnerabilities are as numerous as the actors seeking to exploit them.