3 Takeaways from Cybersecurity Experts at CyberSat

Photo: Access Intelligence/Vince Lim.

Cybersecurity threats and protocols aren’t exactly the most comfortable topics for public discussion. Few are eager to reveal their practices and even fewer are willing to ask for guidance out of fear that they will be perceived as vulnerable. The cybersecurity discussion at the 2017 Via Satellite CyberSat Summit, however, felt long overdue — and even welcome. Attendees from a variety of industries shared their thoughts and concerns about protecting sensitive data in the age of the Internet of Things (IOT) and automation, when threats are continuously evolving and attacks are increasingly bold and aggressive. Here are some of the most important takeaways and most popular discussions from the productive two-day event:

Cybersecurity frameworks are simply foundations, which companies must then build upon with measures that match the nature of their operations.

The National Institute of Standards and Technology’s (NIST) most recent cybersecurity frameworks not only provide suggestions for how businesses should protect their data networks — they also elevate collaboration and communication as key network defense tools.

Ron Clifton, senior solutions architect for Tata Communications, led a panel discussion focused on the recommended cybersecurity measures for satellite, broadcast, cable, wireless and wireline service providers outlined by the U.S. Federal Communications Commission’s (FCC) CSRIC IV Working Group 4 (WG4) between 2013 and 2015. The WG4 council was created to provide recommendations to the FCC to ensure, “optimal security and reliability of communications systems, including telecommunications, media, and public safety” for consumers and enterprises, as written in its FCC mission statement.

Clifton and panelists stressed that the NIST framework is not a “one-size-fits-all” security roadmap. It is simply the foundation of a protocol that needs to be customized to the use. The framework isn’t universal, either. It may not be appropriate for other types of critical infrastructure —specifically infrastructure in motion, such as aircraft, Robert Hickey, of the U.S. Department of Homeland Security’s (DHS) Aviation Cyber Security Division said during his keynote presentation. “Critical infrastructure that is in motion [a vehicle] demands a paradigm shift from traditional methods of protecting and reconstituting stationary critical infrastructure.”

Strategic network segmentation will be the cornerstone of cyber defenses in the age of automation.

The age of self-driving transportation is upon us, taking control of vehicle systems entirely out of human hands. Letting go of the wheel also means placing an incredible amount of trust in the cybersecurity defenses that are built into a vehicle’s systems. Andy Davis, transport assurance practice director for the NCC Group, referred to a rather terrifying example of how cyberattacks could potentially put millions of lives at risk in the automated world — the “Jeep Hack.”

In 2015, Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of vehicle security research at IOActive, remotely hacked into a Jeep’s various “connected device” systems, eventually gaining complete control of the cars’ various functions. Situated miles away from a journalist riding shotgun in a Jeep, they drove the car from their laptops, changed radio stations, operated the air conditioning and eventually crashed the vehicle into a ditch. Davis was surprised that a vast majority of audience members never heard of the experiment, which was featured in WIRED magazine.

“Cyber-defenses need to be even more layered than the networks operating these vehicles, or the big brand names that are hosting these systems will be held responsible,” he said. “The Jeep hack happened because Miller and Valasek exploited a vulnerability in the cellular carrier’s connection, which enabled them to then exploit a vulnerability in the Jeep’s infotainment system. This process continued until all of the systems were under their control. Interestingly, the hack is referred to as the ‘Jeep Hack,’ but it was a weakness in all of these third party systems that enabled the hack.”

Hickey’s keynote on aviation cyber defenses also touched on this point, underlining the lives that would be put at risk if even one of a pilot’s vital navigation tools was compromised.

Cybersecurity is a job for everyone — not just IT.

Executive leadership at the world’s largest companies are starting to realize the perils of placing the responsibility of securing enterprise networks entirely on the shoulders of IT departments.

PBS Senior Director of Engineering and Technical Maintenance Philip Schoene told CyberSat Summit attendees that the core of his company’s approach to cybersecurity is having all workers in the building share the same responsibility of protecting its broadcasts. “At PBS, serious cybersecurity discussions happen at all levels — from the executive board to entry level team members,” he said. “Our leadership creates policies that are fully supportive of our IT department. It is the responsibility of everyone working in the building to follow their recommendations, exercise caution, and communicate their concerns when suspicious activity happens.”