Applying cybersecurity in a SATCOM environment requires a layered security approach, or Defense-in-Depth as it is sometimes called. As recognized by the National Security Agency (NSA), Defense-in-Depth is an effective means to protect networks by presenting multiple obstacles for would-be hackers. This approach combines various strategies to mitigate threats, protecting an organization’s data and SATCOM network.
The critical layers of a Defense-in-Depth SATCOM network include detect, mitigate, prevent and predict. A review of these layered solutions provides insight to the cybersecurity approach.
Detection allows the user to discover and identify the existence of a security lapse. In an iDirectGov network, detection centers around the iVantage network monitoring tool, spectrum monitors and geolocation product.
As part of the Network Management System (NMS), iVantage provides an easy-to-use responsive graphical user interface (GUI) and reports on performance irregularities to an organization’s SATCOM network.
Network performance is monitored in iVantage, including in-routes, remotes, applications and the IP packet level. With this information, a network operator can immediately respond to any threats to the security of the network.
Spectrum monitoring tools perform automatic and operator-directed monitoring to detect interferences and unauthorized users, measure carrier and transponder performance, and generate out-of-tolerance alarms. These tools allow the user to effectively measure and analyze the transponder spectrum.
Geolocation allows operators to view real-time spectra for the detection and characterization of interference. The model 8000 seamlessly transitions from detecting the interference to geolocating the interference with the click of a button. Model 8000 geolocates transmitting terminals quickly and accurately. It locates the interference by taking advantage of the weak replica of the signal that an adjacent satellite will receive. Downlinks for the primary and adjacent satellite are acquired and analyzed to extract precision time difference and/or frequency difference information used for locating the interfering signal. Once the signal has been located, the operator is ready to take the appropriate steps to mitigate.
Mitigation is used to remove or avoid any potential network threats. iDirectGov’s Communication Signal Interference Removal (CSIR™) technology and dual-mode and beam choice features mitigate threats to a SATCOM network.
Radio frequency (RF) noise and interference, intentional or unintentional, can degrade a SATCOM network, sometimes rendering it completely unusable. CSIR eliminates an interfering signal from the authorized signal of interest (SOI). With only the SOI’s center frequency, bandwidth and symbol rate information, CSIR will monitor and remove an interfering signal in real time. CSIR can remove a variety of unwanted signals, whether they are modulated carriers, unmodulated tones or interference that changes characteristics (such as burst or frequency hopping).
Based on the SOI’s information noted above, CSIR can monitor and remove an interfering signal with as little as 1dB of power separation from the SOI. Additionally, CSIR has little to no effect on the signal quality of the SOI.
As another mitigation tool, dual-mode gives users the benefit of targeted connectivity combined with ubiquitous global coverage. The 9-Series modems can operate on both government owned and commercial networks, giving the user the ultimate flexibility.
Dual-mode is an automatic process when transitioning from one Defense network to another Defense network. It is also automatic when transitioning from a private government owned network to a commercial network.
When designing SATCOM networks in a mobile environment, the beam strength and the footprint are of the utmost importance, especially in theater. By providing users Beam Choice, they can prevent network reacquisition due to a weakening signal or a change of footprint. Operators can manually select the ideal beam for their missions rather than using the automated process.
Beam Choice is not limited to just beams in a Defense network. It also allows for selection of beams in a commercial network for complete global coverage.
Preventing security threats moves the battle for security to a more proactive stance. iDirectGov utilizes transmission security (TRANSEC) and Information Assurance (IA) to protect communication signals and network hardware from potential threats.
TRANSEC protects against adversaries who try to obtain information through monitoring the satellite waveforms traveling between remotes and hubs by addressing vulnerabilities in an IP-based VSAT architecture’s transmission path. Factors such as increased traffic, terminal spoofing and data interception can all be used to infer classified data. The waveforms and protocols of TRANSEC-enabled networks are specifically designed to appear consistent, regardless of the amount of traffic or the number of active users.
IA refers to managing the risks of processing, storing and transmitting data and the systems used for those actions. IA uses physical, technical and administrative tasks to control these risks. iDirectGov uses a two-pronged approach to IA: one safeguards the servers and a second covers the remotes. By protecting both the servers and the remotes, potential attack surfaces are reduced.
Another prevention tool, Security Content Automation Protocol (SCAP), serves as the configuration standard for the U.S. Department of Defense (DoD) IA program and IA-enabled devices and systems. SCAP services are offered on all servers in an iDirectGov network, including the NMS, Protocol Processor (PP) and the Global Key Distributor (GKD).
Since 1998, the Defense Information Systems Agency (DISA) Field Security Operations (FSO) has played a critical role in enhancing the DoD’s security systems by providing SCAPs. These provide technical guidance to “lock down” information systems and software that might otherwise be vulnerable to a malicious computer attack. iDirectGov’s implementation of SCAP standards ensures the highest level of compliance is met. In addition, iDirectGov supports a number of manual configuration changes to meet additional SCAP guidelines, including Red Hat Linux-specific recommendations. Security Readiness Review (SRR) scripts test products for SCAP compliance and are available for operating systems and databases that have SCAPs.
The 9800 AE Satellite Modem.
SHIELD, another prevention solution from iDirectGov, identifies vulnerabilities by using a DoD-approved scanning tool called Nessus developed by Tenable. The Nessus scanner identifies vulnerabilities that could allow unauthorized control or access to sensitive data, misconfiguration, default passwords and service vulnerabilities.
SHIELD scans evaluate the 9-Series routers for vulnerabilities that hackers could use to access a system or network. The data is then used to design a Remote Security Bulletin (RSB).
SAMS™ is a powerful satellite capacity and link resource management tool used for planning and organizing space, ground and network assets that support satellite communications. Using SAMS, satellite traffic planners can manage their network traffic and perform link budget analyses to optimize space assets while meeting data throughput needs. Designed for both fixed and mobile networks, it provides network wide visibility and performance assessment.
When looking at reports, some of the biggest benefits are an increased understanding of risks and opportunities in an organization’s satellite network. Reports can enable the streamlining of processes and improve efficiency.
The robust NMS provides automatic alerts and warnings that can help operators anticipate potential attack vectors. Performance stats per network, in-route, remote, application and IP packet level permit effective network management
Outside of the NMS, iDirectGov offers a Bandwidth Timeslot Correlator (BTC) that allows network operators to view and analyze bandwidth and timeslot allocations. The BTC expands Network Operations Center (NOC) capabilities in a Time Division Multiple Access (TDMA) network to enable network operators to manage time slot allocations and to optimize networks to avoid network traffic gridlocks. The software module also provides an automated graphical representation of historical time slot usage and bandwidth for a given network, in-route group or remote. By using historical data, users can re-define and enhance upstream links for better throughput performance and achieve savings in satellite bandwidth and costs. These report designations are configurable through a user interface.
Maintaining a healthy network is one of the most important steps to security and efficiency of a satellite network. Through the iDirectGov Premium iSupport program, a comprehensive network analysis can be conducted in four key phases: customer consultation, data collection, data analysis and report documentation. Through the health check, network conditions are assessed, and recommendations are made for improved efficiency and security.
Implementing a Defense-in-Depth approach to SATCOM cybersecurity to plan, detect, locate, remove, report and deploy mitigation to signal interference allows defense, homeland security, first responders and other government users to have reliable and secure communications to support their critical missions. The idea behind this approach is if one mechanism fails, another checkpoint is ready and waiting to thwart an attack.
Adopting a proactive multi-pronged approach as Defense-in-Depth is profoundly changing the security posture. The inherent security in iDirectGov’s solutions protects and minimizes the attack surface from actors that may, intentionally or unintentionally, interfere with lines of communications. Not only can these newest Defense-in-Depth solutions protect defense and government users from the tiniest drops in the “interference pond,” they can protect users from the storm of bad actors. It’s full speed ahead for secure SATCOM.
Karl Fuchs is the Senior Vice President of Technology at iDirect Governemnt (iDirectGov), a U.S. corporation that is a trusted partner of the U.S. government and has been for more than 17 years. All its employees are U.S. citizens, with a third being U.S. military veterans and more than 60% holding U.S security clearances. Fuchs leads iDirectGov’s team of federal systems engineers and serves as chief architect for new product integration and specialized technology, including transmission security (TRANSEC), Communication Signal Interference Removal (CSIR™) anti-jam technology and Open Antenna Modem Interface Protocol (OpenAMIP). All Defense-grade products sold by iDirect Government are designed, developed, assembled, programmed and verified within the United States. Fuchs leads iDirectGov’s team of federal systems engineers and serves as chief architect for new product integration. Fuchs has more than 20 years of experience in the areas of technology and the federal government and is a Senior Contributor to MilsatMagazine.