Space companies face an ever-growing attack surface, including a recent upsurge of attacks from Iran. In March, top CISOs of space companies from Vantor, SES, Viasat, and Telesat shared a view into the threats their companies face in a discussion during CyberSat Exchange at SATShow Week.
Vantor CISO Norm Laudermilch said the company was seeing a massive increase in attacks whose tactics and techniques mirror those of Iranian threat actors.
“The Iranian threat actors are really, really good at social engineering. You will see them scraping your public facing websites, creating malicious versions of those websites, and then targeting your suppliers, customers, and any external entity that’s accessing your systems with very targeted social engineering tasks using this URL that points to a fake thing that looks just like your site. That’s one that we may or may not be seeing a lot of activity around right now.”
Laudermilch said there is some really “amazing targeted smishing and phishing” going on across platforms such as SMS, WhatsApp, and Signal.
“What these threat actors are doing is listening to talks just like this, capturing the audio, feeding it into AI, creating fake voice messages or voice notes that they attach to these text messages, and demanding that the recipients do something immediately, like, ‘Hi this is Norm we need to immediately escalate the privileges of these five users are working on an incident response, and we need access to logs.’ Things like that are 100 times more prevalent now since the war started, and very closely matching the capabilities of Iranian actors,” he said.
U.S. companies in critical infrastructure sectors are on alert for Iranian cyber attacks after the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), FBI, Environmental Protection Agency, Energy Department and Cyber Command released a joint alert on April 7 about the growing threats to critical infrastructure from Iranian actors.
The alert said that Iran-affiliated advanced persistent threat actors are conducting exploitation activity targeting internet-facing operational technology devices. It said that U.S. organizations should urgently review the tactics, techniques, and procedures and indicators of compromise in the advisory for indications of current or historical activity on their networks.
While space is not a critical infrastructure sector, the alert lines up with what space CISOs shared during the event.
One of the trends the CISOs highlighted is the shrinking time between when a vulnerability is discovered and when that vulnerability is exploited. Laudermilch said this time is “so short” now. It means companies like Vantor need to have strong partnerships with intelligence partners to remediate quickly before a wide-scale exploitation campaign gets started.
Phil Mar, CTO and vice president of Engineering for Viasat Government, added that whenever there is a new conflict in the world, companies like Viasat will often see increased activity very soon after the event.
Asit Tandon, chief network and information officer of Telesat, said what has been bothering him over the last 12 months is the small, seemingly low-impact events that keep happening. “It is not the big, bad attack which worries me. It is the silent, quiet ones that keep me awake,” he said.
AI
Thanks to AI, the security threat is growing rapidly, and this will impact space companies. Vinit Duggal, vice president of Networking Engineering and CISO of SES, said, “The threat actor capabilities are now substantial. They can move at light speed. We need to get to that point where playing math with math, so to speak. We’re all getting a little bit behind.”
Mar said one thing he tells his most junior engineer, or even his most senior engineer, is that engineering will be revolutionized over the next five years, compared to the previous 35 years. “You look at our software engineer, how they do work today is very different from people from our generation. They are actually spending a lot more time to run prompts and trying to understand modified code in a different way.”
He said that cyber defense systems will now have to be AI aware.
“The architecture has to be AI aware, to know that we are no longer just protecting the systems and infrastructure. We are protecting decision loops. Clear escalation paths have to be defined. We can’t have blind automation,” Mar said.
Tandon said the introduction of AI in the space industry has opened up a new attack surface, and companies like Telesat not only have to protect the infrastructure systems, they also have to protect AI models. “It is very easy for somebody to manipulate the policy, and then the model will think [it’s] doing the right thing and we keep on giving wrong results, thinking that they are not. This has opened up another totally open, totally new attack surface area for AI agents,” Tandon said.
Matter of Time
The Viasat hack of four years ago was an inflection point for the industry. The satellites that are being launched today are a far cry from the satellites of a decade ago. The industry is putting more capabilities on orbit than ever before, which means the attack surface is changing.
“I think it is only a matter of time [before another major incident involving a space company], even though we’ve gotten better, the community is better,” Laudermilch said. “No security system is perfect, and it really boils down to resilience. In these cases, cybersecurity controls are about prevention. Resilience is when prevention fails. And I think that’s an area that we’ve all invested very heavily in since the Viasat event, and hopefully that pays off when the next event happens.”
Viasat, and Mar in particular, has been very transparent about what happened and about sharing the learnings with the industry. Two years ago, Viasat laid out the whole attack chain. It has talked about this both privately and in public forums. “It never stops. It continues every day. I have to always tell people that it’s actually hand-to-hand combat,” Mar said.
Tandon said the industry has come a long way, but that it can do more. “I feel the biggest opportunity is about sharing of operational incidents in near real time, so not after the fact reports. Those are things which matter. Near real time operational incident sharing could be another opportunity.”
With multi-orbit and LEO strategies now increasingly prevalent, security questions are changing. Telesat is building out its Lightspeed constellation. In terms of the impact on security, Tandon said, “While there are smaller, more satellites, multi-orbit constellations, we have resiliency, redundancy by design. There is a safety net, but what it opens up again, is more attack surfaces, more interfaces, more software. We need to have cyber security by design in different stages. When we are designing a multi orbit operations, cybersecurity has to be right at the center of things. It can no longer be a bolt on later.”
Laudermilch said one of the really cool things about building a smallsat mesh constellation is the ability to do different types of security than is possible with a more exquisite spacecraft. He talked about having this mesh network in space. “The vehicles are talking to each other, so if you get a threat actor on the ground that are directing RF attacks or high energy directed attacks, the network of small satellites can adapt very quickly. So, for example, if this region of the Earth is sending me all kinds of junk and trying to compromise my command and control, I’ll just stop listening as I fly over this part of the Earth, and instead, I’ll get my command and control from my neighbor satellites through those links.”
In the Q and A section of the panel, an attendee asked what the CISOs would do with another $100 million in their security budget.
Duggal said he would focus the money on bringing all of his data into one place where it could be applied to many of the issues that had been discussed.
“The data is still done in a place where it all needs to be sorted to make it actionable,” Duggal said. “There are these pockets of action instead of something more comprehensive. I think it to be truly actionable across all areas of the business, I would probably spend a little money to make that happen.”