As if CSOs didn’t have enough to worry about, how about upwards of four million more ways that cybercriminals could affect businesses — and society in general — through attacks on spacecraft and the infrastructure that develops, launches, and supports them?
That’s what a new study from the Ethics + Emerging Sciences Group at California Polytechnic State University provides. Weaving through that study, Outer Space Cyberattacks: Generating Novel Scenarios to Avoid Surprise, are insights that apply as much to the Earth-bound CSO as they do to rocket scientists.
If you’re wondering how attacks on the space systems could cause problems on the ground, consider some of the more obvious scenarios: if GPS systems are disrupted, that interferes with transportation and with the precision clocks used for network timing. Telecommunications relies heavily on satellites in other ways too, as does everything from weather forecasting to disaster recovery, and hackers are already attacking those assets.
But, said lead researcher Patrick Lin in an email, “It’s important to guard against a failure of imagination, which can be disastrous in security planning. Hackers are already thinking very creatively, and this project applies structure to the ‘dark art’ of anticipating those cyber threats — a method to the madness. This helps defenders to generate a full range of scenarios in order to avoid tunnel vision and stay ahead of would-be attackers.”
The US National Science Foundation obviously agreed – it ponied up US$300,000 for a two-year project looking at outer space cybersecurity — both its technical and policy dimensions — which resulted in a 95 page study enumerating not only the types of attack, but who the perpetrators might be, and their motivations.
A matrix for anticipating risks
The result is summarized in a matrix combining the who, what, when, where, and why components of an attack to build scenarios for security personnel to contemplate and figure out how to defend against. The ICARUS (Imagining Cyberattacks to Anticipate Risks Unique to Space) matrix, although focused in its current form on attacks involving outer space, could be easily adapted to more terrestrial threats and used in tabletop scenarios by CSOs anywhere.
It consists of five columns: threat actors, motivations, cyberattack methods, victims/stakeholders, and space capabilities affected. Users can combine entries in two or more columns to create one of more than four million possible attack scenarios. The study highlights 42 of them.
For example, an insider could be motivated by financial gain or anger at being passed over in some way to compromise digital assets, sabotaging life support system on the ISS (International Space Station) or giving confidential information to a hostile entity. Or, an organized crime group could plant destructive malware in a critical system and demand payment to keep the system from being crippled.
Using the tool in the enterprise
Many of the potential threats are also applicable to enterprises. Data spoofing, for example, is a hazard regardless of whether said data is falsified input from sensors on a rocket or “evidence” of illegal online activity by the CEO. Hacked 3D printers can build subtly defective parts for space stations or automobiles. Disinformation (an alien invasion, anyone? Yes, people still fall for that) and gaslighting often let perpetrators avoid the consequences of their actions, as well as confusing the public and the media. And eco-terrorists strike at anything on earth or in space that fits their agenda, sometimes with catastrophic results.
When building an enterprise’s matrix, the study recommends a diversity of perspectives to avoid groupthink and cognitive bias. It notes, “Social scientists, such as from science and technology studies (STS), provide useful tools to uncover and examine ethnic, gender, disability, indigenous, and other issues related to technical systems. Psychologists and other behavioral scientists can offer insights into the social engineering aspects of the scenarios. Philosophers can bring deep analytic and conceptual skills to help frame, extend, refine, organize, and critically press on relevant issues. Science-fiction writers and futurists are essential for imagining the unknown, often more creatively than academics can. And of course, engineers and technologists are the architects of the systems targeted by cyberattacks; therefore, they are invaluable for assessing the mechanics of an attack and working toward a solution.”
Lin noted that the ICARUS matrix captures many more factors that affect cyber attacks than other methodologies. “Unlike other taxonomies of cyber vulnerabilities, the ICARUS matrix also captures the diversity of threat actors, their motivations, their victims, and the space capabilities affected. These help to establish the core elements of a full scenario — answering the who, what, where, when, why, and how questions,” he said, pointing out that the scenarios “prime the imagination pumps” of threat researchers. And, he added, “Because it’s important to understand a problem in order to solve it, the study also explores the drivers of space cyberattacks.”
Many of which, a CSO will quickly observe, are the same drivers that motivate the attackers of corporate and industrial systems.