Lisa Forte, founder of Red Goat Cybersecurity, and who has previously worked for U.K. Police in its cybercrime units, spoke to Via Satellite about how she perceives the cyber threat to the satellite industry.
Forte believes as we have become reliant on satellites as part of our overall infrastructure, they will undoubtedly become more attractive targets for cyberattacks. She thinks in the next few years, we will see a lot more sophisticated attacks leveraging Artificial Intelligence (AI) that will perhaps be on a massive global scale, far worse than the Wannacry attacks that we saw last year. She also thinks the more connected devices that companies, use the more open doors there will be into their networks. She adds that she expects that the attackers will start to target supply chains more and more, also using social engineering to get around good firewalls.
Forte thinks in terms of protection, companies will need to start sharing information on threats and start reporting attacks, no matter how big or small, in order for different stakeholders to all share intelligence. “We know that hackers are very good at sharing intelligence in hacking groups. We have to start to doing the same things to defend ourselves. Apart from the financial services sector, it tends to be seen as a weakness that they don’t want to share with competitors. So, sharing of information has been poor,” she adds.
It goes without saying that an effective large-scale attack on satellite could have huge consequences. “The commercialization of space has meant more satellites, so more targets and cheaper technology. From a high-skilled level of attacker (your state actors, hacktivists and large organized crime groups) these will be an attractive target indeed. The other thing about the satellite sector is their ground stations, which could be their main points of weakness.” says Forte. “They might not be defended as well as other areas are. Hackers will always go for the low hanging fruit and the path of least resistance. It is about looking at your whole estate and everything that connects into your operations and finding those weak links in the chain which is what attackers will go for.”
She believes there are weaknesses in satellite that could enable effective attacks. Forte says that in the satellite industry, the supply chain could very well be the weak link and the bigger your supply chain is, the more that can get out of control. “It has to be a fusion of everyone working together,” she adds.
Forte talks about how this could impact the connected maritime industry. She says when talking about technology that can be deployed on ships and on aircraft, there are the three Ds: secure by design, secure by default and secure by deployment. “This means that you ensure that the product’s design has been secured and vetted. It means the default settings are also at their most secure, and the way you deployed it and networked it is also secure. I think companies need to have three strands to approach security. They need to be thinking about ways to prevent an attack, ways to detect an attack if it happens, and ways to react to an attack if it happens,” she says.
What seems pretty scary right now is that it could take months for a satellite company to realize that it has been hacked. “For instance, the current thinking is that a company won’t detect an attacker for nine months if they are in their system, which is an awfully long time. When I worked in the cyber-crime unit, what we saw a lot was the attack would do a significant amount of damage, but the decisions that the organization would make after they had been attacked would cause lots more damage from that point onwards. Organizations need to have a plan for the worst-case scenario. They need to try and test their plan. In fairness to Maersk, when they got attacked, they managed to get 45,000 desktops sorted within 10 days. Their plan was really good and they were able to get themselves back up and running,” says Forte.
The satellite industry in many ways can be viewed as a double-edged sword. It is incredibly sophisticated communications infrastructure, so Forte admits, this means it will not be going to be up against 16 years olds in their bedrooms. She admits that the industry is going up against incredibly talented, sophisticated hacking groups or state hacking groups that are going to be very difficult to keep at bay. “We need to bat away every single attack, where as an attacker only needs to be lucky once. I think in that respect we are quite vulnerable. The thing you have in shipping is that a lot of ships have completely different infrastructure and so in some ways, that is positive because a hacker needs to learn the set-up of each ship. It also means it is harder for you to secure your whole fleet. So, there are pros and cons to that,” she says.
Given her experience, Forte is an ideal person to give practical advice on how companies in this sector can deal with the cyber threat. She believes companies have to look at both the human side of security and technology side of security. With regards to the human side, things like staff training and really good face-to-face training is essential. “You need to make sure that your staff are vetted; and not just your staff, but the supply chain who are putting together the components that are going on your satellite or your aircraft. These people need to be vetted as well. You need to make sure that access is restricted, so staff should only ever have access to things that are essential for them doing their job and nothing more. From a hacker’s perspective if you have loads of access and I manage to hack into your account, I now have all of that access as well. It is about restricting all of that from the human side,” she says.
On the technology side, Forte highlights the importance engaging in external testing which she believes is really important. “So, getting penetration tested, and having people attack your networks and components, is really good. I think companies need to sit down and work out what assets they have, what data they have, and rank them from most to least critical and then think about applying protections accordingly,” she adds.
A lot of shipping companies and operators are now looking to revamp their infrastructure and have more of a connected infrastructure. Many can use Commercial Off the Shelf Products (COTS). However, Forte believes companies need to be very diligent if they go down this road.
“When I speak to shipping companies, I always say you need to vet the vendor before you buy their products. You need to find out how many security incidents have they had, how frequently do they put out security patches, all things that the vendor should provide information on,” she says. “One thing to also be careful of is that some vendors have recently managed to absolve themselves of any liability under the contract if something does go wrong. So, make sure your lawyers are looking over this. The final thing on off-the-shelf products is make sure your staff are trained to know the value of that information. If I phone your company, would your staff tell me what off-the-shelf products they use? Make sure they understand that this information can be really sensitive.”
She continues, “The thing about off-the-shelf products is that they are always going to be more attractive targets because if I am a hacker and have managed to break that off-the-shelf product, I can not only get into your company, but I can also get into a whole load of other companies that use that off-the-shelf product. So, in terms of where I am going to spend my time and my money, that is going to be more of a target.”
Forte has been at the sharp end and has seen first-hand the lengths hackers will go to get into a system. She talks of one case where an employee had been contacted by an attacker, and told that their company had stolen intellectual property and had basically ruined his life. The attacker then asked if they could plug in this USB stick the next day so they can prove this in court. Forte says the employee felt really sorry for this individual and plugged in the USB stick, but then the attacker managed to exfiltrate two Terabytes of data from the company.
“They got around the technical security by targeting a vulnerable individual within the company. It is not just about looking at the perimeter security. Tech companies do their best. It has to be a matrix of the tech companies, staff and the companies themselves conducting due diligence,” she said.
While the satellite industry has not suffered any really huge cyberattack yet, Forte is not the first expert recently to point out that this situation is unlikely to last. Satellites are attractive targets but Forte does not believe the corporation between major stakeholders has been good enough. So, which industries could the satellite industry learn from to become better?
“I think the financial services industry is a really good industry to look at because they have been dealing with this for a long time. So, for instance, one thing that the financial services industry is very good at is sharing information and intelligence. If they get an attack, whether successful or not, they share that intelligence with banks and insurers to help overall protection. They are also very good at monitoring what users are doing and logging that activity, having mandatory holidays to stop fraud try and the insider threat. I think their model is quite a lot more mature than the satellite and aerospace industries are,” says Forte. “The other industry to look at is the nuclear power industry because they are very good at airgapping their super critical systems. There might be some parallels from the satellite industry from that respect.”
The cybersecurity landscape is constantly evolving and Forte believes there are going to be big changes on the horizon. She points to big players like Google and Amazon entering the cybersecurity market in terms of network monitoring, which will lead to a reduction in cost for these types of solutions. But, where it will go next? Forte believes we will see a lot more AI in terms of offence and defense in cybersecurity. She thinks buyers of cybersecurity solutions will start to have more knowledge.
“If you get approached by a company that says their solution is 100 percent cybersecure and future proof, we will start to see buyers turning and running. In Europe, we have the General Data Protection Regulation (GDPR) coming out later this year. That will make a big difference in terms of how people collect and process personal data of individuals. They are going to have to be more secure when it comes to that,” she says. “We will also see more cloud breaches. We haven’t seen an awful lot of those, but as people rely more and more on the cloud, I think that will also become a bigger target for attackers.” VS