Latest News

Cybersecurity

European New Space Companies Prepare to Counter Growing Security Threat

By Mark Holmes | April 26, 2024

    Leaders speak at CySat in Paris on April 24. Photo: Via Satellite

    PARIS — European space startups  are paying attention to cybersecurity threats, hiring cybersecurity professionals, and working to fortify their cyber defenses.

    Speaking at CySat in Paris on April 24, Cesar Carmona, system security manager for Rivada Space Networks, said that Rivada “expects” nation-state threats such as elaborate spear phishing attacks to become the norm. He believes the attacks will be very directed and targeted on the company’s network going forward. Meeting U.S. security standards will be key.

    “We are already seeing very well crafted attacks. When it comes to goals and objectives, we want to put together a comprehensive security program for the OuterNet. We see IA-PRE, as an enabler for the U.S. market. We need to make sure security risk management is taken seriously, and that it is taken seriously from the top down,” says Carmona, referencing the U.S. Space Force’s IA-Pre Program, requires satcom providers to comply with over 400 cybersecurity controls.

    “Communication is key,” Carmona says. “We hear more and more how important security is. This message is constantly repeated. You need to ‘walk the talk’. You need to be proactive about it, understanding your feared events and being able to do something about it.”

    Rivada’s planned Low-Earth Orbit (LEO) constellation of 600 satellites will form the backbone of the company’s OuterNet, which aims to be a global, ubiquitous communications network. The first satellite launch is set for 2025, with global service planned for 2026.

    In terms of how Rivada will test security, Carmona says Rivada will do penetration tests/pentests, which authorize simulated attacks to evaluate system security.

    “Our focus will be on the ground systems,” Carmona said. “We need to see if through this external testing, we find vulnerabilities. If we do, we then have to figure out how they impact the TT&C of our satellites.”

    In Europe, the situation is somewhat different compared to the U.S., as Carmona notes that there is no such thing as IA-PRE in Europe. Because of the IA-PRE frameworks in the U.S., Rivada believes ultimately it will be easier to target other customers outside of the U.S. in major European countries, such as France and Germany for example, thanks to the influence of frameworks in the U.S.

    Carmona also praised the upcoming EU Space Law, saying it is a “long awaited step in the right direction”.

    Mario Polino, head of Cybersecurity for Leaf Space, has won international hacking competitions in the past. He said he has more often played the role of the “attacker,” and he now takes on the role of a “defender” for Leaf Space. When he started at the commercial ground segment company, he said the situation was better than he thought — there were “enough paranoid people” in the company when it came to security.

    He talked about the cyber threats that Leaf Space observes.

    “From a threat perspective, we get the usual and targeted threats. Spamming and phishing are becoming worse. This is probably down to AI. The targeted attack depends if you are valuable enough. Everybody will get automated attacks,” he said. “My goal is now to try and embed the security protocols in the company. It is hard to convey the amount of risk. The attacker needs to succeed only once. You have to defend every attack. This is tough. We need to deliver data in a secure way.”

    Leaf Space, like Rivada says it will use external people/organizations for penetration testing. “You want an external perspective. They can bring a new perspective. This helps to discover new things. We do it at least once per year,” Polino said.

    Iceye said it ramped up security after Russia’s invasion of Ukraine. Ari Kesaniemi, product security manager of Iceye said once the company realized where the threat may come from, Iceye made a conscious effort to improve its monitoring and awareness.

    “We need to protect our assets and operations. When I joined three years ago, we had satellites in orbit. We started with good ‘security by design.’ We have been maturing our security. We are evolving and maturing our security set-up,” he said. “Our main points are to drive forward are compliance. We really need to understand the risks of our customers. I am looking forward to having more clarity in standards. Our milestones are around compliance, and adhering to NIST based standards.”

     

     

    Comments