Launching rockets securely by converging IT, OT and high-speed DAQ
Converging information technology (IT), operational technology (OT) and high-speed data acquisition (DAQ) helps make an aerospace solid booster test bench safe from cyberattack.
Information technology (IT) and operational technology (OT) have been quickly converging. The flow of information combined with the operation of physical processes and the hardware that makes them happen are a potent efficiency boon. Whether controlling an oil pipeline or a factory floor making tennis rackets, IT and OT are used together to achieve previously impossible efficiencies.
This technology has been applied to create a supervisory control and data acquisition (SCADA) system used for testing the booster for the launch of the European Space Agency (ESA) Ariane 6 rocket, but with a twist. The solid booster test bench (BEAP) is the unique test pad in French Guiana used to test the boosters of the European ARIANE 5, VEGA and ARIANE 6 launchers. The test bench acquires measurements and controls the nozzle, to check the operation of the onboard electronics.
The technical challenge
Engineers determined they required a system that had some additional high-speed analog to digital converters (ADCs) to make accurate measurements on the engines. In the past, they would have had to source high-speed data acquisition (DAQ) systems and operate them separately from the control system. Not a very elegant solution, but previously the only game in town.
Recently, the world watched as international hackers disabled a critical fuel pipeline on the east coast of the U.S., holding it for ransom. Imagine what havoc they could wreak with a 44-foot-long spacecraft booster filled with 142 tons of solid rocket propellant (Figure 1). The Ariane engineers needed a control solution that provided a neat convergence of IT, OT and high-speed DAQ technology, and provided the best possible cybersecurity.
On behalf of the ESA, CNES (the French version of NASA) looked for a system integrator to improve the Ariane rocket test bench by replacing the real-time controller and the DAQ system with high-speed signal conditioning and digitizing hardware. They required all elements of the system be integrated with the existing test bench. The new system had to provide high-reliability control and command and top-notch cybersecurity.
A division of the French company Eiffage, EES-CLEMESSY was selected to be the system integrator for the system to be used for testing the booster on the Ariane launch, and to oversee system maintenance. EES-CLEMESSY has long specialized in the engineering and implementation of industrial control installations. The system integrator has a division that specializes in developing systems for the aerospace industry.
The system selected for the BEAP (solid booster test bench) was the EES-CLEMESSY Syclone, a scalable control and command software configured like a toolbox. This modularity makes it possible to develop a customized solution that can be adapted to a wide variety of applications and environments. Syclone combines the worlds of supervision, real-time process control and physical hardware. Syclone interfaces with the operators and runs the real-time sequencer as well as the server.
For the high-speed DAQ elements, EES-CLEMESSY selected DEWESOFT, a maker of DAQ hardware and software. Unlike previous stand-alone DAQ systems, the Dewesoft data acquisition and control systems are not only used as DAQ systems, but also serve data to the Syclone control system in real time (Figure 2).
The decision support system provides operators at the Guiana Space Center with a map of all danger zones during high-risk operations such as launching a rocket or test firing engines. The objective of the system is to analyze and cross-check meteorological and pyrotechnical parameters over an area of 850 square miles and display information in real time for up to 10 dangerous operations simultaneously conducted.
Build in cybersecurity from the ground up
From the beginning of system integration, EES-Clemessy decided to address cybersecurity issues in the OT and IT systems, even though they don’t always share the same level of security, or the same requirements in terms of confidentiality, integrity and availability (CIA).
Robust cybersecurity begins by reducing the digital “attack surface” to the bare minimum required by operational requirements. EES-Clemessy applied a strategy called “defense-in-depth” to the rocket testing system. Defense-in-depth means addressing the cybersecurity at every layer of the system, each layer implementing mostly independent security measures (Figure 3). This is what the layers of the system look like:
Inter-systems communication (e.g., IT/OT data exchange). Cybersecurity is addressed in segregating and isolating the system from each other and reducing the data flows to the bare minimum. Adding network taps that observe traffic and detect unusual activity and intrusion is also important. These “taps” look for deviations from expected behavior such as unusual volume or repeated login attempts and failures. In some cases, adding “data diodes” that allow only one-way data flow can hamper a hacker’s attempts to bounce from one system to another. Another method involves installing a gateway with built-in protocol changeover controls.
Intra-system communication inside an OT.
This includes communication between the real-time controller server and the measurement repository server. If one part of the OT is more operational in nature, and another part is more about preparation and/or exploitation of results, a firewall can be used between with strict rules. Everything is blocked except for the predefined functional requirements.
Inter-server communications. Drastic filtering is used at the switch level. Important steps include:
- Careful switch configurations
- Disabling logically or physically unused ports
- Embedding protections against overflow, and more.
Server and operator station operating system (Linux or Microsoft Windows level). The attack surface can be reduced in size by eliminating unneeded services. These include built-in games, video players, web servers and more — and of course, making sure the latest security updates are installed.
Communications protocols and Fieldbus (EtherCAT). Fieldbus and its protocols were chosen because they are highly robust against cyber threats (no “plug and play,” use of ciphered frames, an embedded timestamp). For example, EtherCAT (aka “The Ethernet Fieldbus”) is used in nearly every real-time demanding project integrated by ESS-Clemessy. Dewesoft DAQ hardware supports EtherCAT, which also supports real-time determinism.
Operator station level. Log-in management, robust procedural techniques, etc.
Application software (Syclone) Level. Steps taken here include strict coding rules, and a set of special tools used to inspect code, memory management and more.
Putting it all together
When testing rocket launcher boosters or engines, the uniqueness and the high added value of the units tested, as well as the high pyrotechnic risks, require optimal safety and reliability of the control-command for a system that must be able to be used for several decades.
In this case, the product under test is unique and has a value of around $60.6 million.
As NASA is fond of saying, “Failure is not an option.” The test must go right every time. It’s not just millions of dollars at risk: the safety of the human beings involved is of paramount importance.
In the early phase of the project, several advanced features were requested by CNES:
- To see the global system as if it was only one measurement unit
- To trigger all the measuring units from a single event.
The system integrator configured the Syclone system so it could manage the acquisition of high-speed data from multiple DAQ systems scattered all over the launch center. The DAQ systems combine to provide 1,000 channels of recording, with each channel running as fast as 200,000 samples per second. All these channels had to be synchronized to each other and to absolute time. Furthermore, all these channels had to be available to the control system with less than 500 microseconds latency (Figure 4).
Syclone controls and monitors the entire rocket testing process, including driving the actuators that move the rocket nozzle itself. Upon receipt of the ignition firing signal, all the analog channels start and the test is underway.
Data is processed in the controller to execute the selected test: What are the tank pressures? What is the exact position of the nozzle at all times? What is the next step in the sequence? CNES required 400 microsecond resolution for these parameters.
Because the network itself is 2.5 miles long, there is a processing loop time of 1 millisecond. This had to be considered when the system was configured. The critical cycle time subsystems such as the fast data channel access time and system data update times mentioned above had to fit within the overall loop time.
Cybersecurity cannot be addressed in one place at one time; it has to be built into every level of the system and be maintained. Vulnerability watches must be created to monitor exploit attempts that have been made, regardless of the origin or whether they are directed at the operating system or its protocols. Several independent systems run in parallel to monitor new threats and provide alerts of what requires analysis or possible patches. Cybersecurity is a process that never ends.
In addition to a long list of technical cybersecurity measures, the human factor always plays a critical role. Organizational measures should be put in place to raise awareness among users about roles and responsibilities. Users need to understand best practices and know what to do in the event of failures or intrusions. With any complex system it is important to have a business continuity plan as well as a disaster recovery plan. Being well-prepared against risks is the best protection against cybersecurity threats, when an organization needs to move sensitive data from one location to another after a flood or a fire.
Whether the challenge is controlling a powerful rocket engine, an oil pipeline or a factory floor making tennis rackets, the same basic requirements exist, and cybersecurity is at the heart of a successful and long-lasting integration.