Satellite Cybersecurity Beset by Misaligned Market Incentives
Many things make cybersecurity for the satellite sector difficult: IT in space is tough to update and satellite systems are enormously complex. But the hardest thing of all might be that market incentives are misaligned, panelists said at CyberSat 2019.
The satellite sector — like other critical industry verticals — is under constant cyber attack, probed by nation-state hackers set on ensuring they can degrade US space capabilities in order to cripple its economy or defeat its military when they need to, industry executives told a panel on “emerging threats to the satellite sector.”
Cybersecurity is costly and the incentive structure in the industry often doesn’t reward investments in it, said Andrew D’Uva, president of the Providence Access Company, a communication satellite services firm.
“The biggest threat, in my mind, to cybersecurity in commercial space systems is capitalism,” he said, “Capitalism values efficiency above everything else” and the correct incentives had not been applied.
When it came to satellite communications services, “The government doesn’t value in most cases effective cybersecurity,” he said. “They allow industry to self-certify, self-assess and … in the commercial satcom area at least, they haven’t bothered to check the effectiveness of those controls.
“It’s a paper game,” he added, meaning those who make real investments in security suffer smaller profit margins than those who merely do the minimum needed to tick the box.
As a result, in many companies in the sector, “cybersecurity is not baked in, it’s a bolt on, add in kind of a thing,” he said.
Satellite systems are enormously complex, he told Via Satellite Magazine after the panel. Each segment — the ground stations, the space vehicles, the user terminals — was in itself a full-scale IT system, and each was interconnected with the others.
“The complexity, that’s the hard part” when it comes to cybersecurity, he said.
Satellite systems also encompass both commodity IT alongside esoteric legacy space systems, some of which have been on orbit for decades.
“You can patch a circuit board,” D’Uva said. “These (legacy) satellites were designed to be ‘set it and forget it,’ … To be beyond the reach of human hands for 15 or 20 years … That has to end … It has to be updateable.”
A new generation of software-defined satellite systems was already arriving, panelists said.
Amazon was now offering “ground station as a service” — a virtual ground station in the cloud — said Mari Spina, principal cybersecurity engineer for the MITRE Corp., a federally-funded non profit research association.
This fusion of satellite and more conventional IT like the cloud meant there would be “Vulnerabilities coming out of the IT sector,” for satellite systems, she said.
Spina is also the cloud security capability leader for MITRE and warned that the shared responsibility for security implied by cloud computing “is making everyone hiccup,” as they adjusted to the new model.
“You have to trust your cloud service provider,” she explained. “You have to trust their controls. You can’t see those controls, the providers don’t want to let you look under the hood.”
Third-party certifications like FedRAMP could help ensure that you can trust those cloud provider controls, but satellite companies should still consider putting their own security stack in the cloud, Spina told Via Satellite Magazine after the panel. She cited the Defense Information Systems Agency’s Secure Cloud Computing Architecture (SCCA) as a model.
“SSCA protects you like you’re in your own data center,” she said.
The increased use of conventional IT would also enable the space sector to leverage improvements to cybersecurity that terrestrial sectors had been working on for years, she said, adding that the CVE system and the the ATT&K framework — two widely used cybersecurity tools developed by MITRE — were being updated to incorporate cloud based vulnerabilities and attacks.
Another concern, she said, was that the industry really needed to ensure it had visibility and security throughout its supply chain. “Is what’s going into orbit what you think is going into orbit?” she asked. “I would beg you, inspect your hardware … The quickest way to cross an air gap is through your supply chain.”
The attitude she heard frequently was “We can’t inspect everything,” she said, but that doesn’t mean they shouldn’t bother. “You can do some level setting … If you’re not looking, you can’t see it” at all.
And it wasn’t just a hardware issue, she added, “There’s a tremendous number of software components going into … the overall software stack.”
The scale of the problem might seem overwhelming, concluded, D’Uva, but it was important not to be discouraged. “This is a big elephant, we have to eat it piece by piece,” he said.