Social Engineering: The Next Era of Cybersecurity
Satellite communications technology has reached a “zero delta position,” says Envistacom’s Vice President of Business Operations Nelson Santini. According to Santini, the industry has matured to a point where the key differentiators in the future will be new social engineering practices, as well as how satcom manufacturers embed security in the design process from inception, rather than as a bolt-on addition.
“In the world of satcom, if I show you a one-line diagram of an Earth station in the 1970s and one today, the similarities are going to be astounding. What’s changing is how people access that network,” Santini explained in an interview with Via Satellite.
Two or three decades ago, the biggest hurdle for satellite companies was ensuring they could establish communications in a place where there was no infrastructure. “Now we have that down to a science,” Santini said. “The next logical step is, how do we take this technology and make it secure so we can control who has access to the information? It’s taking it to another level.”
On the hardware side, Santini pointed to the emergence of “appliances” that are used to validate the identities of those communicating over remote links, such as facial recognition, fingerprint scans and iris validation. Coincidentally, many of these transmit information over satellite terminals, and Santini predicts that it won’t be long before the same technologies are used to validate who’s using the terminal itself. This will become particularly prominent in tactical comms for military and/or government operations, which have stringent cybersecurity requirements. “The way that I see it, in a couple of years if not within the immediate future, those technologies that are used as appliances will be a part of the inherent design of the terminal,” he said.
According to Santini, one can think about cybersecurity in terms of layers or a pyramid. Satcom manufacturers spend incalculable amounts of time and money developing proprietary algorithms to manage the information that goes through their satellite network. These different waveform modulations are the most basic layer of security, followed by the conditional access encryption that safeguards the message itself. At the very top is where social engineering comes in, he said.
“Who was the person that sent me that message? Does that person have the authority to send me that message and, on my end, who can see it and who can decrypt it?” Santini said. If someone is on a merchant vessel or a U.S. submarine, for example, they want to be able to verify that a transmission is authentic, particularly one that indicates a change of protocol, such as a change of course or port call. “You can validate that through conditional access encryption and decryption, and at the level of biometrics,” he added.
According to Santini, all parties within the satellite supply chain must carry the responsibility of ensuring communications are secure, from the product manufacturers to the system integrators. “Systems integrators have to take [cybersecurity] seriously because if they knowingly put one of those devices that’s vulnerable into that link and something happens, they could become liable. So it’s their responsibility now to understand the equipment and how it’s secure,” he said.
When asked if there was one technology in particular that worried him, he asserted that it is folly to focus on just one threat. “We have to keep a good 360-degree view of all the technology out there and understand that the axes of threat change hourly, if not by the minute. That’s no exaggeration,” he said. “Because there are so many threat vectors, focusing on one is somewhat myopic.”
He drew an analogy to the response of airport security officials following the shoe bomb attempt in 2001. The hypervigilance around that specific threat has now led us to routinely taking off our shoes to be scanned at the airport. “Imagine what would’ve happened if we had explosive pants,” Santini said. “The fact is the threat vectors are changing faster than we can proactively defend from them. We have to have an alert posture.”