The Growing Risk of a Major Satellite Cyber Attack
The third iteration of CyberSat begins in November, where members of the satellite, end user, and cyber communities will get together to discuss the threat landscape and vectors for a cybersecurity attack on satellites. We talk to some of the experts on the CyberSat advisory board about major threats to the sector.
Last year at CyberSat, David DeWalt, CEO of Momentum Cyber and all-around cyber influencer, said one of the sectors he was most worried about when it came to a high-profile cyber-attack was satellite. It made for sobering listening.
James Turgal, managing director, Cyber Risk Services at Deloitte and Touche, agreed with this assessment. He says, “Dave is correct about his fears of seeing a major cyber incident, whether that presents itself as an intrusion into the satellite itself or a breach into and collection of data transmitted from the satellite.”
In terms of what he sees as the particular vulnerabilities in satellite networks, Turgal adds that the main areas of concern have to be the human factor and the supply chain. He said there is no question that cyber vulnerabilities exist and are exploited because of the human factor. “Cyber risk and cybersecurity is more about people behind keyboards than it is about technology. The human factor; either someone engaging in an activity (witting or unwitting) on behalf of a cyber threat actor. Or, the omission of action (intentional or unintentional) such as patching, misconfiguration of systems; all of these factors can allow a gap to form which can be exploited by a threat actor,” he says.
When talking about supply chain vulnerabilities, Turgal says that because satellites and systems are made from thousands of parts manufactured in places both inside and outside the U.S., vulnerabilities can be built in by threat actors — which can cause greater levels of access to the satellite system as a whole.
Bob Gourley, founder of Ooda.com and a well-respected cyber influencer, believes that the threat is very real. He says, “Since the October 1957 launch of Sputnik, humans have been putting satellites into space, giving the world 60 years to engineer out problems with operating in this harsh domain. Now a new challenge has arisen, one that the community has not addressed yet. This is the threat of cyber-attack. Both the on orbit and ground components of space systems have yet to fully address this threat.”
No matter what the satellite and its purpose, the greatest threat is that the functionality of the system can be altered by a cyber-attack. So, who will the attackers be? “Adversaries that could include very sophisticated criminal groups, nations, or at times, even high-end amateurs could take action that denies services that business, academia, and the public depend on,” says Gourley. “Since our systems are so interconnected there is also a huge threat that automated malicious code will one day make its way from corporate IT systems into ground stations and from there to space components.”
Andy Davis, transport assurance practice director, the NCC Group, highlights vulnerabilities in the small satellite sector, which is expanding quickly. He notes that the investment required is falling thanks to cheaper Commercial Off The Shelf (COTS) hardware, open source software and new initiatives such as Ground Stations-as-a-Service, and that this significantly increases the likelihood of a cyber-attack. “The attack surface of the assets based in orbit and their associated ground-based support infrastructure has increased and will continue to increase significantly,” he says. “The two main threats are to ground station infrastructure and to the open source software and COTS hardware installed on-board satellites. By far the easiest of these to attack is the ground-based infrastructure, which will be internet-connected and operated by humans (who are much easier to ‘hack’ than computers, via social engineering and phishing attacks).”
However, some are optimistic that the satellite industry can continue to ward off cyber-attacks, despite the potential increase in the number of small satellites being launched over the next few years. Ron Clifton, founder of Clifton Associates and satellite industry veteran, says the low orbit of the Low-Earth Orbit (LEO) satellites will mean they are more accessible than Geostationary Orbit (GEO) satellites, from an RF power perspective. The satellites may have their own kind of denial of service vulnerabilities, but Clifton believes the kind of modulation and encryption technologies available today should help mitigate this significantly. He adds, “It is also worth thinking about these new LEO constellations as a form of internet backbone — essentially an interconnected set of routers flying around the earth at high speed and exchanging broadband data with each other and with ground assets. Although all the lessons learned from protecting terrestrial IP networks will apply, there are some challenges unique to this emerging ‘Internet in the sky.’ Like terrestrial IP networks, the LEO networks will experience maintenance outages and require occasional maintenance windows for updates with backdoor access for ongoing support and development of enhancements.”
Clifton believes the satellite industry is taking the threat very seriously. He adds, “They (small satellite constellations) are potentially a larger target given the size and scope of their fleets as well as the number of earth station access points. However, the people I have spoken with who are building and deploying these systems are very aware of the inherent vulnerabilities. They are taking it quite seriously and building in protections.”
Turgal adds, “Certainly, an increasing number of satellites in orbit creates an increased likelihood of an attack, as there are more targets of opportunity, more ground facilities that need to be secured from what I consider as the new threat which is the convergence of the cyber and the physical security worlds.”
Crystal Lister, senior director of insider and cyber threats, GPSG, believes the number of satellites going up does not necessarily increase the likelihood of a major attack. But, rather, it increases the size of the attack surface that security teams must defend. “A determined attacker only has to successfully penetrate your controls once while defenders have to be successful every time,” she says. “I cannot comment on their vulnerability without more information about their specific security practices. It likely depends on whether satellites closest to earth have security built into the system from origin or it is tacked on later to meet regulation or compliance.”
No system or network is foolproof — it is a holy grail that can never be reached. So, what are the particular vulnerabilities of satellite networks? Lister highlights some of them. She says, “Inconsistent software patching, weak encryption, and old IT equipment are key vulnerabilities to satellite networks. Legacy satellite communications platforms are not easily updated and must undergo significant testing to ensure that upgrades for communications, encryption, or improved operability with next-generation platforms will not interfere with other, possibly critical, system functions.”
Lister says a satellite could be attacked simply because it has been identified by the bad guys as a target of opportunity (e.g., out of date patches, legacy IT or OT system vulnerabilities) and that risk only increases. She adds, “Risk in this sector is colliding at the nexus of an increasing amount of satellites being launched in parallel with society’s increasing reliance on satellite-dependent technologies. Both large and small satellite companies alike should make a concentrated effort to determine their risk tolerance. The amount of resources and security budget that an organization has does not necessarily equate to a silver security bullet.”
Gourley says that because the software on satellites is designed by humans, this will mean it will have flaws that are not discovered till the systems are on orbit. “It is hard to keep Earth-based systems patched, just think of how hard it is to safely keep on-orbit systems patched! This means space-based systems will always have vulnerabilities that need to be mitigated,” he says. “Most all our satellites are designed to send and receive data. That is how they are controlled and how they pass value back to the earth. By their very nature they must be connected. This means we will always need to be on the lookout for vulnerabilities to mitigate.”
Davis adds, “Although technically possible, the resources required to attack the telemetry, tracking, and control (TT&C) communications links or the satellites themselves from the ground, are likely to be significant. This type of attack is most likely to be restricted to nation state actors. However, it is much easier to trick the people with legitimate access to the control infrastructure (via social engineering or phishing attacks) into unwittingly providing systems level access to hackers attacking over the internet.”
I ask Davis how, hypothetically, he would look to hack a satellite. The answer makes for interesting reading. He says, “I would first use open source intelligence gathering techniques (Google, LinkedIn, Facebook, etc.) to identify key personnel with privileged systems access at the ground station. I would then target them with a spear phishing campaign via email and social media in order to trick them into inadvertently providing access to their workstation and then onto satellite control systems. These systems could then be manipulated over the internet to control the satellites or gain access to sensitive data.”
On this same question, Clifton says it is no secret that the human element is always the weakest link in the chain — in the physical security world, statistics have historically shown that as much as 60 percent of attacks can be traced to insiders, often unwitting. Increasingly, however, given the ubiquity of IP connectivity, the threats are coming from external actors, including nation states. “Ground systems are the most vulnerable weak points in a hierarchy that starts with the TT&Cs/Satellite Operations Centers (SOCs) and flows down through the Network Operation Centers (NOCs) and gateways, teleports, and earth terminals. The higher up in that hierarchy, the greater the risk and also, fortunately, the fewer they are in number so easier to protect. As you go down the chain, the risk declines somewhat, but the sheer quantities increase as does the number of potential vulnerabilities,” he adds.
What the Industry Needs to Do Moving Forward
There is little doubt that the threat is not going away anytime soon for the satellite sector, particularly if it becomes part of an overall souped-up Internet of Things (IoT) 5G ecosystem in a world of connected things and people. So, what should the industry do? Gourley says, “At OODA our preferred technique is to red-team out as many nightmare scenarios as possible. When you consider what a well-resourced attacker can do given current technologies it always leads to well informed mitigation strategies.”
Turgal said that, even though the satellite industry is moving fast, the following will be key: building cyber- and human-focused security measures into the systems from their inception, good cyber hygiene, limited privileged access, clean supply chain and third-party governance, and an understanding and appreciation of the cyber-physical security convergence that needs to take place to protect these systems and assets.
While the satellite industry has been a leader in this, Clifton has some advice for newcomers to the industry. He says, “For the newcomers, again I strongly suggest they adopt the NIST Cybersecurity Framework and put an active set of physical and cyber controls in place if they have not already done so — either the full set defined in ISO 27001 or, for less demanding applications, a more tailored set such as the top 20 controls defined by the Center for Internet Security (CIS). Bottom line, there is no substitute for experience, rigorous attention to established protocols, and vigilance.”
Lister says, “You cannot prevent targeting of your systems or attempted attacks. You can seek to prevent, detect, and respond to incidents. Acknowledge the threats to your unique critical assets, evaluate your security posture, identify any vulnerabilities, and pursue risk mitigation strategies to enhance your defenses. It will be critical that IT and OT teams in the satellite sector work from the same business continuity or disaster recovery playbook when an incident does occur to contain the event efficiently and minimize negative impacts.”
NewSpace Companies and the Cyber Question
The satellite sector is seeing a wave of innovation right now. The days of long lead times to build satellites could be a thing of the past. The lack of GEO satellite orders over the last two years is evidence of this. However, as sexy as “NewSpace” is, it brings a great deal of risk that perhaps did not previously exist in the industry. Turgal says “everyone should be worried” about the potential for a hack here. He says, “New and start up satellite companies should have a higher sense of what the cyber risks are going into the market and understand that they are not just building satellites, they are building an information ecosystem, that if breached and used for the wrong intent could have catastrophic consequences and place millions of lives in danger.”
Gourley also adds a note of caution. He says, “At this point, mitigating the cyber threat seems to require much more attention than it is getting.”
Davis adds, “All companies who are deploying assets into space should be made aware of the cyber risks, especially new companies who are racing to be first-to-market with their own unique satellite-based application and not necessarily considering how their systems may potentially be compromised by hackers.”
With an industry high on innovation and a huge start-up culture developing, these are fundamental questions. It will be interesting to see what happens over the next few years as these companies come to market, and whether, when and how they might be targeted.