Cybersecurity Experts Stress Importance of Government-Industry Collaboration
[Via Satellite 02-24-2016] The satellite industry needs to work more closely with government end users to make sure both are in sync with each other to protect against cybersecurity threats. Headlines continue to dredge up new startling feats hackers have performed — from swiping password and bank account information to hijacking car controls and drones. As an ever-increasing number of devices get connected, satellites could be the next trophy hack.
“The satellite industry is fast realizing the need to invest in cybersecurity measures due to the critical nature of the satellite networks and services they provide. In addition, the high value of space assets, notably satellites, means that the cost of a security breach is particularly high,” Magda Cocco, partner at VdA, told Via Satellite.
Governments and government organizations, both military and civilian, represent a sizeable percentage of the customer base for satellite companies. The U.S. military is the biggest purchaser of satellite capacity, with a large fraction of its communiqué traversing over privately operated systems. That cyber risks are present to satellites is no surprise, given that cybersecurity is a concern for all telecommunications, but the need to prioritize security is greater now than before.
Cocco said factors like the dual use nature of satellite technology, and the public sector’s frequent use of private sector capabilities has spurred on the adoption of more demanding public security requirements. The result, she said, is that in some ways the satellite industry can be considered well prepared to tackle cyber threats. But a disconnect remains. Cocco said cybersecurity still seems to be more of a concern within the cyberspace sector rather than the space sector, resulting in wide disparities between suppliers of equipment, software and components. And this gap in attention is not unique to the space sector either.
“Governments do not seem to have already realized in a systematic manner the interdependence between cyberspace and space,” adds Helena Correia Mendonca, managing associate at VdA. “Most cybersecurity strategies do not usually address satellite networks in an autonomous manner, and satellite providers are not always identified as critical infrastructure suppliers in cybersecurity laws. The situation is bound to change naturally, partly as a result of the move to IP-based technologies. The number of cyber attacks against satellite networks has been a clear wake-up call, and as satellites come to their end-of-life, their replacements will no doubt be built with security in mind. But, because cyber threats are constantly evolving, reliance on the security of the space segment is obviously not enough.”
Fortunately there are efforts to tie government and satellite-sector cyber efforts closer together.
“Collaboration between industry and government is critical to addressing such a wide and dynamic area as cybersecurity,” said Jandria Alexander, principal director of the cybersecurity division at The Aerospace Corporation, a U.S. federally funded nonprofit organization that conducts Research and Development (R&D) efforts for National Security Space (NSS). “There are lessons learned that can be exchanged from both sectors as well as research into technologies and operations that are mutually beneficial.”
Alexander said satellite cybersecurity faces unique challenges due to the interdependence of ground, space, user and launch segments. For example, legacy components are not always compatible with newer cybersecurity solutions, and embedded control systems can necessitate long lead times for upgrades. The result, she said, is that satellite systems often include state-of-the-art and cutting-edge cybersecurity components mixed with older, more vulnerable legacy equipment.
The Aerospace Corporation works collaboratively with the cybersecurity and space communities to address future architectures, mission assurance and space-cyber operations. The organization researches and promotes the adoption of emerging cybersecurity technologies into space systems, and provides guidance on best practices to achieving cyber resiliency for continued cyber operations.
Additionally, Aerospace Corporation has a cybersecurity research program covering the space segment, and Alexander said the organization is developing frameworks for increasing mission assurance as systematic, repeatable and measureable actions to include in assessing and accepting risks. She said the organization is working to promote more comprehensive cybersecurity for satellites.
“Effective models address the interconnections of segments as well as the critical components. In order to respond to new threats, satellite networks must adopt a philosophy of cyber resilience. Resilience must address more than hardware, software and specialized cyber technologies. They need to consider the processes, operation and the associated risks,” she said.
Mendonca mentioned law/policy, technology and organizational structure as three key areas ripe for collaboration. From a legal perspective, she suggested government and industry cooperate to develop strategies and recommendations aligned with current and future needs, as well as globally accepted standards. From a technological point of view, Mendonca said there is a need for minimum security criteria, and that on an organizational level, skills training, cybersecurity exercises, public awareness campaigns, and the creation of national and international structures to coordinate actions against cyber attacks would all make government and the satellite industry stronger.