[Image: View from inside the Orion spacecraft simulator at the Johnson Space Center’s System Engineering Simulator in Houston, Texas, where astronauts practice docking with the Gateway space station.]
Wednesday’s launch of NASA’s Artemis I mission will be the first time the agency’s SLS rocket and Orion spacecraft have been tested together.
These two components have been in development for 16 years and are meant to herald a new era of space exploration. The 2014 Orion orbital test flight was the first time the networking standard known as Time-Triggered Ethernet was flown in space, so this unmanned trip will be only the second time it has been brought into orbit.
Time-Triggered Ethernet (TTE) is an example of a mixed-criticality network: it can route traffic with varying timing and fault-tolerance requirements over a single physical infrastructure. Traditionally, spacecraft have used two or more distinct networks: one for mission- or safety-critical communications, and one or more others for less urgent uses, such as video conferencing or entertainment.
[Image: Illustration of the operation of Time-Triggered Ethernet.]
In other words, engineers have created a more humane mousetrap. Mice nevertheless manage to win the battle. When it comes to crucial systems like navigation and life support, file transfers (for which, NASA argues, delivery is critical but timing is not), and non-critical chores like a crew video conference,
Orion is the first spaceship to rely on a TTE network to route mixed-criticality traffic. TTE is essential in modern spacecraft because it allows for significant reductions in size, weight, cost, and power needs. It is used in the Lunar Gateway space station by NASA and in the Ariane 6 launch vehicle by the European Space Agency.
[Image: Spaceship data flow example using TTE.]
Network messages must be transmitted and received at intervals of only 40 to 50 milliseconds in order for safety-critical systems like steering and engine control to function properly. The consequences of message delays or loss are severe.
Communications from scientific equipment, typically off-the-shelf devices provided by universities or external researchers with low security clearance from NASA, are at the other extreme of the criticality spectrum.
TTE is fully Ethernet-compatible, but it can also transport messages that are often reserved for more specialized networks. TTE has two advantages not available on standard Ethernet that help ensure that less important communications don’t get in the way of more important ones. They are:
1. A time-based paradigm in which all nodes reliably synchronize with one another and send messages at predetermined intervals. This cuts latency to the hundreds-of-microseconds range and jitter to nearly nothing.
2. For redundancy and protection against failure, TTE creates multiple copies of the network and sends data packets to each of them simultaneously. Gateway’s TTE network operates on a three-tiered architecture.
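The two properties in the list above can be seen in a small simulation. This is an added example, not code from the article or from the TTE standard: it is a simplified model of one switch port, and the cycle length, slot layout, frame sizes and function names are all assumptions chosen for illustration.

```python
# Simplified model of one switch egress port. All values are constructed.
CYCLE_US = 1000                      # assumed: schedule repeats every 1 ms
TT_WINDOWS = [(0, 100), (500, 100)]  # assumed (offset, length) slots for TT frames
MAX_GAP_US = 400                     # longest idle gap between the slots above

def tt_window_end(t):
    """End time of the time-triggered slot covering t, or None if link is free."""
    phase = t % CYCLE_US
    for off, length in TT_WINDOWS:
        if off <= phase < off + length:
            return t - phase + off + length
    return None

def next_tt_start(t):
    """Start of the first time-triggered slot at or after t."""
    base = t - t % CYCLE_US
    starts = [base + off for off, _ in TT_WINDOWS] + [base + CYCLE_US + TT_WINDOWS[0][0]]
    return min(s for s in starts if s >= t)

def schedule_best_effort(frames):
    """frames: FIFO list of (arrival_us, duration_us). Returns send times.
    A best-effort frame goes out only if it ends before the next TT slot."""
    t, sent = 0, []
    for arrival, dur in frames:
        if dur > MAX_GAP_US:
            raise ValueError("frame cannot fit between TT slots")
        t = max(t, arrival)
        while True:
            end = tt_window_end(t)
            if end is not None:
                t = end                       # slot reserved: wait it out
            elif t + dur > next_tt_start(t):
                t = next_tt_start(t)          # would overrun into a TT slot
            else:
                break
        sent.append(t)
        t += dur
    return sent

def receive_redundant(copies):
    """copies: (network_copy, seq, payload); payload None means that copy was lost.
    Deliver every sequence number once, from whichever copy arrived intact."""
    delivered = {}
    for _copy, seq, payload in copies:
        if payload is not None:
            delivered.setdefault(seq, payload)
    return [delivered[s] for s in sorted(delivered)]

BE_FRAMES = [(50, 120), (90, 300), (450, 120), (460, 200)]   # constructed load
COPIES = [("A", 1, b"nav"), ("B", 1, b"nav"), ("C", 1, b"nav"),
          ("A", 2, None), ("B", 2, b"eng"), ("C", 2, None)]   # A and C drop seq 2
```

In this model the best-effort frames are pushed back to 100, 600, 1100 and 1220 µs, so the reserved slots stay clear regardless of load, and message 2 is still delivered although two of the three copies were lost.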
The first results that violate TTE’s isolation guarantees were published on Tuesday. The result is PCspooF, an attack that can disrupt synchronization and communication between TTE devices on all tiers using just one non-critical device connected to a single tier. The attack is successful because it takes advantage of a flaw in the TTE protocol.
Researchers from the University of Michigan, the University of Pennsylvania, and NASA’s Johnson Space Center collaborated on the study. To paraphrase the authors, “our evaluation shows that successful attacks are possible within seconds and that each successful attack can cause TTE devices to lose synchronization for up to a second and drop dozens of TT messages, which can cause the failure of critical systems like airplanes and cars. We also demonstrate the dangers of PCspooF by demonstrating how it leads to uncontrolled maneuvers in a simulated space flight mission.”
[Image: Artemis Network Validation and Integration Laboratory (ANVIL) at NASA Johnson Space Center.]
PCspooF allows a malicious device to blend in with all other best-effort devices on a network, and it can be built on an area as small as 1″ × 1″ of single-layer PCB. The team confidentially shared their findings with NASA and other major players in the TTE industry. The agency has taken preventative measures to ensure any risks to spacecraft are adequately mitigated, according to an email from a NASA official.