Satellite Providers Stymied by Lack of Cyber Standards
Satellite companies vying to sell to the government and defense markets know their prospective customers want them to be cyber-secure, but the absence of industry standards and guidance leaves them scratching their heads about exactly how secure they need to be, and how best to attain that level of cybersecurity.
That was the takeaway from a panel of experts on the government and defense markets at CyberSat last week.
“The question everyone has been asking here, and they’re asking it at other (space industry) conferences I’ve attended, is: What do we need to do to secure our space assets?” noted Harrison Caudill, founder of the non-profit Orbital Security Alliance.
The answers tended to be couched in generalities, he said, but “There are specific things we know can be done” to harden space-based systems against cyberattack.
The Alliance, he said, was in the process of drafting very detailed and specific standards and practices that satellite operators and service providers could use to ensure their enterprises met the highest levels of cybersecurity. He said that the non-profit hoped to publish an initial version early next year, for feedback and input from industry. Eventually, he added, the alliance hoped the use of the standards would be made mandatory by federal legislation and he said the group would lobby Congress to make that happen.
“It’s not a perfect solution, it’s not a permanent solution,” he said, “But it’s an important first step.”
Part of the problem satellite companies face is uncertainty about which products work best, acknowledged Ron Bushar, vice president and CTO for government solutions at cybersecurity stalwart FireEye.
It wasn’t a problem unique to the satellite industry, he added.
“The state of cybersecurity from a vendor perspective is pretty broken right now,” he said. “There’s a lot of money that’s going into the sector … and it’s following a traditional Silicon Valley (venture capital) model of ‘Let’s bet on a lot of different ideas and see what comes out best.’” But, he added, while that’s a great approach for, say, ride-sharing apps — “when one fails, there’s another one right behind it” — it’s a major problem when dealing with security.
“Cybersecurity architectures, first, have to work. They have to protect you effectively. And two, they have to (be able to) reside in place for many years. There’s a significant investment both in money and time. If you pick the wrong technology … you’ll experience cascading effects for many years.”
CISOs and other executives tasked with defending their company’s IT often complain privately that there is a bewildering variety of cybersecurity technologies and approaches, and no real objective measurement of how effective they are — leaving potential buyers at the mercy of marketing buzzwords.
Worse, Bushar acknowledged, when companies try to hedge their bets by buying from more than one vendor, the different products often don’t work with each other. “You have all these solutions that don’t integrate well, that don’t talk to each other — it’s a highly competitive landscape.”
At least government and defense officials now recognize the problem, noted Robert Vick, program manager for the Space Protection and Response Program at the Air Force Research Laboratory. “We spent the first three or four years trying to convince people in the government that this was a real problem and that you could not just make it all go away with National Security Agency (NSA) encryption. And then about six months, a year ago, there was this pivot on a dime and now everyone is like, ‘Okay, we get it, we believe you, now what do we need to do?’”
Part of that change of heart was connected to the growing use by military and other agencies of commercially provided satellite communications, he said. “When I’m using something that wasn’t designed and built for me and may not be operated by me, how do the rules change? How does our mindset have to change?” he asked.
A big part of his challenge, Vick added, was having to “translate cyber-speak for the space community,” as there was little common ground on vocabulary.
And the translation problem exists in both directions, he explained, because traditionally space assets were built with very different architectures than conventional IT, which often meant that commodity cybersecurity solutions didn’t work. “Implementation-wise, space is special,” he said.
Historically, noted Bushar, there’s been “a natural barrier to traditional cyberattacks (against space systems) because you’re dealing with legacy (IT) architectures that are very esoteric and not well understood” outside of a very small community of specialists.
That same “security by obscurity” model was long touted by the users of industrial control systems, or ICS — the highly specialized software that runs machinery for factories, refineries, chemical plants and power generation facilities.
As in control system environments, Bushar said, “The risk point tends to come at the seams, where those specialized architectures are integrated with conventional IT systems” which are vulnerable to hackers.
But a new generation of small satellites — mass-produced much more cheaply than traditional birds — was changing that paradigm, said Vick. “We’re at an inflection point in the industry,” he pointed out.
That commoditization represented a tremendous opportunity for the industry, argued Caudill. “Right now everyone has to do everything” on their own. Each company in the market has “to figure out how to do their own communications, their own encryption, their own key management, (their own) system operations (and their own) licensing, everything.
“This is enormously expensive, time consuming and injects enormous business risk,” he said.
But in fact, most operators only needed an ability to communicate with their satellite and a way to get their data back from it, and could be agnostic about how that is achieved. “For the most part, you don’t care how that happens,” Caudill said. “It could be smoke signals” as long as it enables your mission.
With more common architectures between different satellite operators, and with this agnosticism about how to communicate, “We can concentrate our cybersecurity controls into a few managed service providers” that then provide secure communication and control to the market.
“That will lock down 80 percent of our attack surface,” and will end up being less expensive for the operators. “We can save the market money and make them more secure,” he said.
The scale of the challenge was huge, he added, and went well beyond the government and defense sectors. Nation-state adversaries could target small providers, too cash-strapped to pay for cybersecurity. And the fact that such providers might be too small or cyber-insecure to win government or military work didn’t diminish their value to U.S. adversaries.
“Even our smallest startup is leveraging billions of dollars of R&D spending that they have not had to do,” he said. “North Korea can’t launch satellites, but they can hack.” And that could get them access to overhead surveillance capabilities that would be completely beyond their reach otherwise.
“This is in no uncertain terms a national security disaster,” he concluded.