However, time is running out
The Ukrainian conflict has amplified serious questions about cybersecurity at every link in aerospace deployments. Now is the time for manufacturers, governments, and security providers to align with each other on solutions.
Recent industry conferences have differed from other space trade events of recent years, in that cybersecurity is no longer a sideshow. This is a topic on which most panelists were queried, given the backdrop of the intensifying Ukrainian conflict.
Although the first month of the Russian invasion of Ukraine did not become the arena of unrestrained cyber warfare that many people feared, the February 2022 disruption of a satellite network (which was not restricted to Ukraine) added urgency to many conversations.
Panelists, when asked about satellite security in Ukraine, Western Europe and the US, gave thoughtful answers that, nonetheless, often lacked actionable details. Most experts presumed that bad cyber actors have a jumpstart on governments, operators and equipment manufacturers.
This is problematic on two levels. Aerospace and satellite deployments are mission-critical and indispensable to the growth of many industries and technologies. However, their attack surfaces have also greatly expanded — without corrective action, insufficient security controls will be bolted onto future designs, rather than built into them.
However, given the projected expansion of satellite deployments, there is a unique opportunity to build mature security solutions into government and commercial deployments. We can expect an exponential increase in the number of Low Earth Orbit (LEO) satellites, as well as the emergence of small GEO satellites. This means more methods of connectivity, in space and on the ground, and a corresponding increase in opportunities for cyber malfeasance.
To help stimulate innovation and partnership, here are three messages that should gain traction in 2022 and beyond:
1. Don’t miss the threat on the ground for the threat in space
Much attention has been paid to the threat of signal jamming or spoofing directed at satellite vehicles, which could lead to collisions or disruption of internet access and vital industry or governmental communications. But dangerous cyberattacks can focus on any part of a satellite network, including multiple devices that support satellite base stations and communications hubs.
These assets on the ground can be accessed remotely, or in many cases physically since they often are in isolated locations with variable perimeter security. The objective of such attacks could also be the compromise or destruction of land-based equipment, as seems to be the case with the Viasat/KA-SAT attack, which temporarily disabled thousands of modems in several countries.
Viasat’s analysis indicates the attacker began by exploiting a VPN device misconfiguration, gained remote access to a segment of the company network, and then sent management commands to thousands of modems at once that overwrote flash memory and temporarily knocked the modems offline. It was a consequential strike that required no knowledge or exploits of a satellite vehicle.
2. End users, manufacturers and security experts must collaborate on advanced solutions
The impressive growth of commercial aerospace and satellite deployments complicates efforts to elevate industry security standards. As more business opportunities are built out and scaled, we can expect more players to enter the space and more reliance on increasingly complex supply chains — both of which will elevate cyber risk. The days in which a few established private sector enterprises supplied technology and devices to a few dedicated clients, each of which was a branch of the government, are past. Given this new reality, collaboration around industry standards will be essential to satellite network security. As more companies move in, it’s critical that established players advocate and fight for high-security standards that reflect the current threat climate. This can help establish benchmarks that exceed current standards, promote accountability, and incorporate security solutions for devices and systems.
The U.S. government will remain hugely influential, due to the power of its purse, decades of aerospace engagement, and history of collaboration with industry leaders. It can actually incentivize commercial suppliers to invest in advanced security controls by demanding them — and it most certainly should do so.
There is also a need for rigorous testing of new security deployments in controlled environments, such as red vs. blue exercises that can provide training for military operators and opportunities for them to work with device manufacturers to integrate security technology with new and legacy SATCOM equipment. Ideally, this training should include commercial equipment manufacturers, equipment operators, and security experts. Securing space will require a highly collaborative, multi-disciplinary approach: No one body of experts has all the answers.
3. Expand regulations to cover embedded systems
Government regulators have created timely responses to growing threats to SATCOM networks. CISA issued an alert for service providers and customers (and a second in collaboration with the FBI), while NIST has pushed to update its guidelines for SATCOM cybersecurity risk management.
Although welcome, these documents focus on network-based security controls that are essential, but not sufficient, to meet current threats. Like other recent directives, they do not adequately address security challenges in embedded systems and the devices that support them. What guidance there is focuses on network controls: also essential, also unable to provide a comprehensive security posture.
For decades, security policy has exempted special-purpose and embedded systems as being too difficult to secure while maintaining real-time performance. It is time for policy to catch up with technology and mandate the levels of security controls that are now feasible for aerospace and many other industries.
There is still time to get it right when it comes to space security, but the longer commercial and government interests wait, the harder it will be to walk back the time that has already passed.
To paraphrase a sage from another era, “The best time to plant a tree was 20 years ago.” The next best time to address satellite cybersecurity is now.
Dr. Ang Cui is the Founder and CEO of Red Balloon Security, a leading cybersecurity provider and research firm that specializes in the protection of embedded devices across all industries, and which was named “One of 11 Cybersecurity Startups to Bet Your Career on in 2022” by Business Insider. In addition to publishing innovative research, he frequently provides commentary and thought leadership on the most pressing challenges in cybersecurity today. Dr. Cui earned a Ph.D. in computer science from Columbia University, where he worked extensively in the Intrusion Detection Systems Lab.