Collaborating to Achieve End-to-End Cybersecurity in Satellite
To what extent must hardware manufacturers, service providers and others across the satellite ecosystem collaborate to ensure secure cyberspace for their customers? During a panel titled “How to Achieve End-to-End Protection?” at the 2017 CyberSat Summit, experts agreed that one of the biggest challenges in cybersecurity today is the ongoing transition to an ecosystem where competing companies must cooperate on joint solutions for their shared customers.
“If someone purchases a Boeing [Model] 75 for their own personal use and puts a Honeywell system on it for connectivity, and a Satcom Direct router as a backup system, we all have an interest in making that customer secure,” said John Zban, Chief Information Officer (CIO) at Satcom Direct. Zban described these interwoven relationships as a “co-opetition” — where separate companies compete for the same customers while also buying or exchanging hardware and information from each other. “Regardless of the competition, we have to make that customer happy,” Zban said.
In-Flight Connectivity (IFC) for airlines exemplifies a vertical that may leverage solutions from multiple companies to serve their customers’ needs. “Instead of using one constellation, there may be one or two or three; instead of one Point of Presence (POP) it may be two or three,” Zban said. “It requires expertise from all of those different disciplines … to deliver what the customer needs.”
The crux of the cybersecurity issue, the panelists agreed, is that all nodes within the satellite ecosystem must be resilient. “If you have a chain and it’s made of titanium, [a] paper link diminishes the strength of the entire chain,” Zban said.
A paradigm for sharing critical cybersecurity information already exists in the form of the Information Sharing and Analysis Center (ISAC). Since 2012, ISAC has featured threat warning and incident reporting capabilities divided by sectors, allowing those operating in aerospace, for example, to share actionable information related to cybersecurity and situational awareness. But the panelists agreed that the organization is not the only and final solution to coordinate efforts across the satellite ecosystem.
Norm Balchunas, senior director of defense/cybersecurity services and connectivity for Honeywell Aerospace, expressed confidence in Honeywell and other companies’ willingness to share their cybersecurity knowledge with adjacent manufacturers. “I am impressed with the aviation industry and how we’re communicating with each other,” he said. “ISAC has to catch up with how we conduct business on a day-to-day basis.”
Bruce Chesley, senior director of strategy for Boeing Space and Missile Systems, said that the conversations around cybersecurity must be both persistent and dynamic. Original Equipment Manufacturers (OEMs) and service providers must be flexible and willing to communicate in order to adequately serve the wide range of satellite customers and their different demands. “For certain satellite customers, the boundaries of the system and the scope of what we deliver varies pretty widely,” Chesley said. The cybersecurity challenge for a mature operator such as Intelsat, for example, is different from that of other customers for whom Boeing will develop, operate and maintain the entire core network, including the user terminals. “The edges of the ecosystem that have to be protected is a variable threat surface from a cyber point of view,” he said.
As space becomes more democratized, service providers will have to be able to adapt their cybersecurity solutions to a “wider variety” of customers, Chesley said. “Certainly a hobbyist has a different level of cyber [assuredness] that they need to achieve than a global operator like SES,” he said. “I don’t think there’s a one-size-fits-all [solution].”
Chesley added that even now there are companies that will waive certain cybersecurity protections as a matter of cost versus risk. That will likely change as the cyber threat grows more prominent, he said. “When that choice is made and those consequences knock on the door, it’s almost evolutionary in a way … They’re not going to last,” he said.
Chesley also echoed comments made earlier in the CyberSat Summit program, which emphasized that companies should continue to develop their cyber capabilities without relying on government-enforced standards or regulations.
“Anybody in this audience who thinks the federal government is the answer to the problem has some other problems that we need to address,” commented Greg Touhill, Cyxtera president, during his panel at the summit on Nov. 9.
Ultimately, according to Chesley, it boils down to the slow, bureaucratic nature of government regulation: “The pace of innovation by the private sector outstrips the government’s ability to legislate it,” he said.