Secure Small Satellite Processing Platform

A secure reference architecture enables satellites to recover from cyberattacks and carry on their missions.
Small satellites are an attractive option for missions because of their low costs; however, they are vulnerable to cyberattacks. We provide a securable and usable architecture for keeping small satellites resilient to system compromise.
Small satellites are an attractive option for missions because of their low costs; however, they are vulnerable to cyberattacks. We provide a securable and usable architecture for keeping small satellites resilient to system compromise.

Today's low-altitude, short-duration space missions demand small satellites that are fast and cheap to build. Small satellites thus use commercial processors and software that are cost-effective but vulnerability-laden. Still, these satellites must be able to recover from a compromise of their software so that their rightful owner can reassert control. They also must be resilient to cyberattacks and able to operate adequately while under attack.

To address these needs, we published guidelines for a securable satellite design and are developing a reference architecture for implementing the guidelines. Three key components of our design are a root of isolation, a root of recovery, and dynamic group keying. Root of isolation provides strong isolation between a satellite's software components to prevent an attack on one component from impacting others. Root of recovery leverages novel operating system extensions and securely stored cryptographic credentials to permit authorized users to reboot or reimage the satellite regardless of the level of an adversary's compromise. Finally, dynamic group keying enables a satellite to be cryptographically excluded from a larger network when it becomes compromised, and then to be added back to that network once it has been safely recovered.

Our design enables a satellite to go beyond merely detecting compromise. Instead of falling under the irrevocable sway of an adversary for its entire useful life, the satellite can be recovered, reimaged, and returned to service. Future work will extend the reference architecture to not only low-Earth-orbit satellites with short lifespans but also satellites for other orbits and mission types.