Sustained spacecraft operation depends critically on the reliable functioning of the hardware and software components that connect the subsystems making up the spacecraft operations domain. These components must be well protected against threats from the cyber domain that could, for example, affect the space segment through command intrusion or payload control, the user segment through spoofing and denial-of-service (DoS) attacks, or the ground segment through hacking or malware.
Any successful attempt to degrade operational function or to gain control of an operational segment would have a significant effect on the function of the whole system. Measures must therefore be taken to detect, analyse, and deter intrusion efforts from non-state entities. The first step is to analyse all data traffic through the system and extract the elements that have the potential to cause harm. This can be achieved by monitoring specific system directories for changes, or by detecting anomalous behaviour in time-dependent system data.
The SIEM/IDS for Space Operations (SISO) prototype proposes a solution for detecting such malicious behaviour. The SISO prototype supports system monitoring by integrating the capabilities of the Wazuh Security Information and Event Management (SIEM) package with customised data-processing rulesets and algorithms tailored to the SCOS-2000 Mission Control System and to EDDS.
Anomaly detection (AD) methods identify events within a dataset that are outlying with respect to the rest of the group. In cyber security, anomalous events are often not isolated: intrusion attempts and attacks on a system typically manifest as a collection of related events. The best-performing AD methods for cyber security are therefore usually based on cluster analysis, which groups events by their similarity with respect to a shared, integral feature, so that events falling outside the large, well-populated clusters can be singled out for investigation.
Capabilities of the SISO prototype include:
- Monitoring of SCOS filesystem changes - An agent daemon deployed inside the SCOS filesystem and log directories provides constant checking of system integrity (via filesystem monitoring) and of real-time operational use (via output log monitoring).
- Monitoring of SCOS events - Data from SCOS monitoring is decoded and compared with a ruleset. If a rule matches, an event of significance has been detected and can be acted upon.
- Alert notification - Alerts are sent by email based on predefined rules.
- Integration with the Wazuh-Kibana UI.
- Anomaly detection in the EDDS logs - Cluster-based anomaly detection algorithms are applied to the EDDS server logs; anomalous log entries are identified by their high score relative to the complete set of logs. Such entries have a higher probability of being harmful and should therefore be investigated.
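As an added example of the two agent-side checks described in the first two capabilities above (filesystem integrity monitoring and decoding events against a ruleset), the following Python is illustrative code written for this page, not SISO's or Wazuh's own implementation. The event line shape, the rule fields and the sample log lines are all constructed assumptions for the example and do not reproduce the real SCOS-2000 log format or Wazuh's rule syntax.

```python
"""Added example (not SISO's code): a file-integrity baseline/diff and a small
rule engine over constructed SCOS-style event lines. Standard library only."""
import hashlib
import re
import tempfile
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, List, Optional, Tuple


# ---- 1. File integrity monitoring: hash a baseline, then diff against it -----

def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo_fim() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: one file edited, one deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.cfg").write_text("limit=1\n")
        (root / "b.cfg").write_text("limit=2\n")
        baseline = snapshot(root)
        (root / "a.cfg").write_text("limit=999\n")   # tampered
        (root / "b.cfg").unlink()                     # deleted
        (root / "c.cfg").write_text("new=1\n")        # dropped in
        return diff_snapshots(baseline, snapshot(root))


# ---- 2. Event decoding and rule matching -------------------------------------

# Assumed line shape for this example only: "<ISO time> <LEVEL> <EVENT> key=value ..."
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<event>\S+)\s*(?P<kv>.*)$")


def decode_event(line: str) -> Optional[Dict[str, str]]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "level": m["level"], "event": m["event"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return ev


@dataclass
class Rule:
    rule_id: int
    severity: int                      # 1 (informational) .. 10 (critical)
    description: str
    match: Dict[str, str]              # field -> regex that must fully match the value
    threshold: Optional[Tuple[int, int, str]] = None  # (count, seconds, group-by field)

    def matches(self, ev: Dict[str, str]) -> bool:
        return all(f in ev and re.fullmatch(rx, ev[f]) for f, rx in self.match.items())


RULESET = [  # hypothetical rules; ids and thresholds chosen for the example
    Rule(1001, 7, "Telecommand released by hand rather than from the command stack",
         {"event": "TC_RELEASE", "source": "manual"}),
    Rule(1002, 4, "Operator login failed", {"event": "LOGIN", "result": "FAIL"}),
    Rule(1003, 8, "Repeated login failures for one account (possible brute force)",
         {"event": "LOGIN", "result": "FAIL"}, threshold=(3, 60, "user")),
    Rule(1004, 6, "Configuration file changed", {"event": "CONFIG_CHANGE"}),
]


def _alert(rule: Rule, ev: Dict[str, str]) -> dict:
    return {"rule_id": rule.rule_id, "severity": rule.severity,
            "description": rule.description, "ts": ev["ts"], "event": ev}


def evaluate(lines: List[str], ruleset: List[Rule] = RULESET) -> List[dict]:
    """Decode each line and emit an alert per matching rule; threshold rules fire
    once a group accumulates `count` matches inside a sliding `seconds` window."""
    alerts: List[dict] = []
    windows: Dict[Tuple[int, str], deque] = {}
    for line in lines:
        ev = decode_event(line)
        if ev is None:  # never drop undecodable input silently: it may be the attack
            alerts.append({"rule_id": 0, "severity": 3, "description": "Undecodable line",
                           "ts": None, "event": {"raw": line}})
            continue
        for rule in ruleset:
            if not rule.matches(ev):
                continue
            if rule.threshold is None:
                alerts.append(_alert(rule, ev))
                continue
            count, seconds, key = rule.threshold
            now = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            q = windows.setdefault((rule.rule_id, ev.get(key, "")), deque())
            q.append(now)
            while q and now - q[0] > timedelta(seconds=seconds):
                q.popleft()
            if len(q) >= count:
                alerts.append(_alert(rule, ev))
                q.clear()  # fire once per burst, not on every further failure
    return alerts


# Constructed sample lines (not real SCOS-2000 output).
SAMPLE_LINES = [
    "2024-03-01T10:00:00Z INFO LOGIN user=opsA result=OK",
    "2024-03-01T10:00:05Z INFO TC_RELEASE tc=TC_001 source=stack user=opsA",
    "2024-03-01T10:00:09Z WARN LOGIN user=guest result=FAIL",
    "2024-03-01T10:00:10Z WARN LOGIN user=guest result=FAIL",
    "2024-03-01T10:00:11Z WARN LOGIN user=guest result=FAIL",
    "2024-03-01T10:00:30Z INFO TC_RELEASE tc=TC_002 source=manual user=opsA",
    "2024-03-01T10:00:40Z INFO CONFIG_CHANGE file=limits.cfg user=opsA",
    "this line is not an event",
]

if __name__ == "__main__":
    print(demo_fim())
    for a in evaluate(SAMPLE_LINES):
        print(a["rule_id"], a["severity"], a["description"])
```

The threshold rule is the part worth copying: a single failed login is noise, three for the same account inside a minute is worth an email, and clearing the window after firing keeps a long brute-force run from generating one alert per attempt. The undecodable-line alert matters for the same reason: a parser that quietly skips what it cannot read is a blind spot an attacker can aim for.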
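As an added example of the cluster-based anomaly scoring described in the anomaly detection paragraph above and in the last capability, the Python below clusters server log lines by token similarity and scores each line against its own cluster. It is illustrative code written for this page, not SISO's algorithm: the log lines are constructed and do not follow the real EDDS log format, and the single-pass "leader" clustering, the 0.8 similarity threshold and the score formula (one minus similarity to the cluster centroid, weighted by the cluster's share of all lines) are choices made here.

```python
"""Added example (not SISO's code): cluster-based anomaly scoring of log lines.
Standard library only; lines, clustering method and score are assumptions."""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumed line shape for this example only: "<ISO time> <host> <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")


def tokenize(line: str) -> Counter:
    """Bag of tokens from level + message. Timestamp and host are dropped and
    numbers are masked, so lines differing only in IDs or counters cluster together."""
    m = LINE_RE.match(line.strip())
    text = (m["level"] + " " + m["msg"]) if m else line
    toks = re.findall(r"[a-z][a-z_]*|\d+", text.lower())
    return Counter("<num>" if t.isdigit() else t for t in toks)


def cosine(a: Dict[str, float], b: Dict[str, float]) -> float:
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class Cluster:
    def __init__(self, vec: Counter):
        self.total = Counter(vec)
        self.size = 1

    def centroid(self) -> Dict[str, float]:
        return {k: v / self.size for k, v in self.total.items()}

    def add(self, vec: Counter) -> None:
        self.total.update(vec)
        self.size += 1


def leader_cluster(vectors: List[Counter], threshold: float) -> Tuple[List[Cluster], List[int]]:
    """Single pass: join the most similar existing cluster if similarity to its
    centroid reaches the threshold, otherwise open a new cluster."""
    clusters: List[Cluster] = []
    labels: List[int] = []
    for vec in vectors:
        best, best_sim = None, threshold
        for i, c in enumerate(clusters):
            s = cosine(vec, c.centroid())
            if s >= best_sim:
                best, best_sim = i, s
        if best is None:
            clusters.append(Cluster(vec))
            labels.append(len(clusters) - 1)
        else:
            clusters[best].add(vec)
            labels.append(best)
    return clusters, labels


def anomaly_scores(lines: List[str], threshold: float = 0.8) -> Tuple[List[float], List[int]]:
    """Score = 1 - sim(line, own centroid) * (cluster size / total lines).
    Members of a large, tight cluster score low; lines in tiny clusters score high
    even though they sit exactly on their own centroid."""
    vectors = [tokenize(line) for line in lines]
    clusters, labels = leader_cluster(vectors, threshold)
    n = len(lines)
    scores = [1.0 - cosine(v, clusters[lab].centroid()) * (clusters[lab].size / n)
              for v, lab in zip(vectors, labels)]
    return scores, labels


def top_anomalies(lines: List[str], k: int = 2, threshold: float = 0.8) -> List[int]:
    scores, _ = anomaly_scores(lines, threshold)
    return sorted(range(len(lines)), key=lambda i: scores[i], reverse=True)[:k]


# Constructed sample lines (not real EDDS output): routine telemetry requests,
# one denied request for command history and one authentication failure.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z edds INFO request user=opsA type=TM_PACKET apid=100 status=OK",
    "2024-03-01T10:00:05Z edds INFO request user=opsA type=TM_PACKET apid=101 status=OK",
    "2024-03-01T10:00:09Z edds INFO request user=opsB type=TM_PACKET apid=100 status=OK",
    "2024-03-01T10:00:12Z edds INFO request user=opsB type=TM_PACKET apid=102 status=OK",
    "2024-03-01T10:00:15Z edds INFO request user=opsA type=TM_PACKET apid=103 status=OK",
    "2024-03-01T10:00:20Z edds INFO request user=opsC type=TM_PACKET apid=100 status=OK",
    "2024-03-01T10:00:25Z edds INFO request user=opsA type=TM_PACKET apid=104 status=OK",
    "2024-03-01T10:00:30Z edds WARN request user=guest type=TC_HISTORY apid=1 status=DENIED",
    "2024-03-01T10:00:31Z edds WARN auth failure user=guest src=10.0.0.77 reason=bad_password",
    "2024-03-01T10:00:33Z edds INFO request user=opsB type=TM_PACKET apid=105 status=OK",
]

if __name__ == "__main__":
    scores, labels = anomaly_scores(SAMPLE_LOGS)
    for i, line in enumerate(SAMPLE_LOGS):
        print(f"{scores[i]:.2f}  c{labels[i]}  {line}")
```

On the constructed input the eight routine requests fall into one cluster and score around 0.2 to 0.25, while the denied history request and the failed authentication each form a singleton cluster and score 0.9, so they surface as the entries to investigate. The caveat a practitioner should keep in mind is the one the paragraph above implies: a high score means rare and dissimilar, not malicious, and a slow attacker whose requests look like routine ones will sit inside the big cluster.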
If you wish to know more about SISO, watch the demonstration video on our YouTube channel: