Cybersecurity concerns continue to dominate headlines as one of the most far-reaching cross-industry threats facing an interdependent digital world. With space becoming more contested than ever before, the threat to space-based assets is growing.
Increasingly, operators, satellite manufacturers and the organizations they serve are coming together to fight the threats to their networks from a dizzying array of actors from lone-wolfs to well-funded nation-states.
The stakes are high, considering that much of the world’s critical infrastructure rides over satellites, whether the applications involve defense systems, environmental monitoring, broadcasting, financial services or communications. In the context of this threat, Via Satellite talked to a number of satellite industry experts on how they see cybersecurity preparedness occurring in their markets, and how they define the “new normal” as the industry evolves to counter these threats.
Advisory firm PwC in its annual Global State of Information Security Survey 2016 noted that the number of security incidents across all industries rose by 38 percent in 2015 — the highest-ever increase in the 12 years since the global study was first published.
In October 2016 a prolonged Distributed Denial-of-Service (DDoS) attack shut down many major websites in the United States and Europe. The type of attack involves hackers flooding a website with traffic so it can’t handle visits from ordinary web users.
These developments underscore an escalating problem for companies globally, including satellite firms.
“The threat environment is considerable. The amount of potential vectors out there are massively increasing,” says Vinit Duggal, Chief Information Security Officer (CISO) at Intelsat, which has seen a 60 percent increase in the number of DDoS attacks from 2015 to 2016.
While those attacks were unsuccessful, they still signal a dramatic jump in these kinds of threats, especially as the industry moves more toward IP infrastructure, hybrid networks and cloud-based solutions.
Duggal says that the amount of high-throughput satellites and consumption occurring on mobile devices and connected devices has caused the threat landscape to get “exponentially bigger.”
“Now you are dealing with ensuring security across all the different components that enable the entire ecosystem and that obviously hasn’t been done effectively to date. All these components have the potential to contain vulnerabilities,” he adds.
Duggal also notes that more advanced threats from the ground are using trusted ports and communication streams, underscoring the need for having the appropriate visibility, teams at the ready and partnerships in place to respond quickly.
“It’s a big issue. We face attacks originating from individuals, from groups and from nation states,” adds Dave Henning, director of network security at Hughes. In his 12 years at Hughes, Henning has gone from helping work on security features of Hughes’ first satellite, Spaceway, to overseeing the security operations team that monitors for threats.
“The speed by which technology changes is the tough part to keep up with, especially when you are dealing with things in space that are designed to be in orbit for 15 years,” Henning says. “You have to be very forward thinking in how you are going to protect those assets, knowing that the attackers are going to be faster with the pace of technology advances.”
Ransomware, which encrypts all the files on a computer until a person or company pays a “ransom,” is one of the fastest-growing threats. It renders any network vulnerable, especially if the network operator does not have proper anti-ransomware cybersecurity protocols in effect. This form of cybercrime cost victims $250 million in the first quarter of 2016. The FBI predicted that it would cost individuals and businesses $1 billion in 2016.
“We are not playing checkers anymore; we are playing chess. You have to be five steps ahead,” warns Ron Clifton, president and founder of CliftonGroup International, and a frequent adviser to companies on cybersecurity strategy. “One of the biggest challenges we have is awareness of the threats and being able to do a proper threat and vulnerability analysis so you understand what the threats are.”
But Clifton says cybersecurity awareness within the industry is growing, evident by the level of industry engagement and the number of conferences focused on the issue. “I don’t think the industry was taking it very seriously two or three years ago, but now momentum is growing like crazy,” he says.
The Obama Administration made it a priority, launching the National Cybersecurity Action Plan in 2013 and calling for $19 billion in the FY17 budget, an increase of 35 percent over the previous fiscal year. In addition, the Federal Communications Commission (FCC) formed a working group specifically to look at critical communications and security. Clifton says a key result of the Cybersecurity Risk Management and Best Practices working group was endorsing the National Institute of Standards and Technology (NIST) cybersecurity framework for the communications sector. It also included specific guidance and resources for various segments of U.S. critical infrastructure, including the satellite industry.
“The framework offers voluntary guidelines to help companies strengthen their resiliency. It has five core categories for protection, with links to very detailed standards such as ISO 27001/27002 and the [Center for Internet Security] CIS Critical Security Controls (CSCs),” says Clifton, explaining that major satellite manufacturers concerned about their ground systems or air assets would want to follow the more rigorous International Organization for Standardization (ISO) standards whereas the CIS CSCs would be more applicable to service providers and vendors.
Clifton emphasizes the importance of having a risk management framework — “if you don’t have one you are wasting your time and money,” he says.
Industry leaders say that the increases in attacks on networks have forced them to rethink how they build products and what solutions they offer to their customers who are looking for additional security capabilities.
“One thing the threat environment has created is the need for network protections against cyber threats at the design phase. We’ve gone to an iterative process to build our products such that we can insert value at any time during our release cycle,” says Andy Tomaszewski, chief security officer at iDirect.
iDirect helped develop GVF’s Product Security Baseline, designed for organizations that develop and produce VSAT hardware and software. Tomaszewski started a product security group within iDirect where he collaborates closely with engineering and product teams to continuously look at new threat information coming in so they can constantly find ways to enhance the security of their products. “For every major release we have security engineers break down our product and show us what needs to be corrected,” he says.
iDirect’s goal is to make sure its products “are properly hardened” and can integrate with other vendors’ technologies, so they can be as flexible as possible for their customers who face very specific threats depending on their industry, Tomaszewski explains.
According to Duggal, Intelsat thinks security first. “It is ingrained in our DNA,” he says. The company uses an internal security team and external third parties to evaluate their security posture. Duggal says Intelsat has a Service Organizational Control (SOC3) accreditation that is awarded annually after a detailed audit of the operator’s satellite and terrestrial service environments.
DataPath applied its decades-long experience developing networks for high-security government and military environments to offer commercial customers Managed Security Services (MSS) a little over a year ago.
“We built out our cybersecurity operations center and through that we are offering 24/7 managed security services to our customers, which involves watching their networks for any threats,” notes Peggy Rowe, VP of software and cyber solutions at DataPath.
The company works with channel partners and direct customers to provide vulnerability assessments, penetration testing, security device management, 24/7 monitoring of networks for threats and incident response.
Rowe says lately managers on sales calls often spend more time answering questions about DataPath’s managed security services than the company’s hardware products. “Cyber and protecting networks and systems is becoming part of the conversation,” Rowe says.
On the broadcast side of the sector, International Datacasting Corporation (IDC), based in Ottawa, offers content and data protection, leveraging encryption and firewalls to safeguard broadcasting clients from malicious viruses and other threats that could cause someone to hijack or interfere with a broadcast transmission. One of the company’s biggest encryption clients is the U.S. government.
“It’s all manageable but you have to be vigilant in a way you didn’t have to before,” says Diana Cantu, VP of marketing and sales at IDC. As the broadcasting industry migrates more and more to IP, the need for protected networks increases. The biggest challenge for broadcasters, says Cantu, is “calibrating the threat and understanding the tradeoffs.”
“This isn’t virus protection; it’s understanding what the real threat is and what the best practices are. It’s good we are starting to have standards; I am confident that with the standards body, the broadcasting industry will be able to start incorporating these practices. It’s really critical that the industry stay with open standards. To me, that’s the biggest challenge — no one wants to go back to the dark ages where everybody had a proprietary network.”
Looking forward, some industry insiders think the industry needs to be more open about sharing what they know to combat today’s cyber threats. “Information sharing between companies in our industry is still in its infancy,” observes Intelsat’s Duggal, who says there is much more transparent exchanges within the traditional terrestrial and wireless sectors. “It makes everybody better — it would make us better,” he adds.
iDirect’s Tomaszewski agrees. “The more we work together to talk about the threat actors, the better we can move the industry forward.” He anticipates that in the next year to five years, the industry will operate extremely adaptive networks, frequently updated and changed to counteract the threat of the day.
“That’s where we need to be — able to update or upgrade on a very rapid basis without jeopardizing the resiliency of our environment,” Tomaszewski says.
Cantu says the most important next step is acknowledging that the cybersecurity threat “is very real” and then to put a plan into place to address it. She adds that any plan should embrace a holistic approach to cybersecurity — addressing the network itself and the corporate environment operating the network, including personnel.
Henning believes the industry is headed in the right direction, and needs to enhance the speed of response to changing methods of attacks. “We also have to be very forward thinking in our design, making the satellites flexible enough to be updated and changed, and making sure that we have some minimum or basic levels security built into the design phase. That’s happening now and needs to continue going forward,” he adds.
Dropping oil prices have resulted in massive headcount and budget cuts, forcing oil and gas companies to look to satellite partners to help manage and protect the networking infrastructure in their remote sites. The need has intensified with the growth in cybersecurity threats hitting the industry.
Matthew Broida, VP of marketing and technology at Harris CapRock, has seen “a real uptick” in cybersecurity incidents over the last two to three years with CapRock customer segments, especially in the energy arena. He recalls how one rig was so infected with malware it took weeks to reverse the incident.
“The industry has even seen cases where relatively low-tech cyber criminals such as Somali pirates used GPS to track fleets to help guide their hijackers,” he adds.
In March Harris CapRock unveiled its SafePass Pro to provide proactive defense against cyberattacks targeting oil and gas IT infrastructures. The company has followed GVF guidelines for cybersecurity testing and protocols. CapRock has had its network audited using GVF standards, adding new processes and new security practices where needed.
Broida predicts cybersecurity solutions will soon be the industry norm for major satellite companies. “You are going to start to see large operators — the Shell’s and the Exxon’s of the world — make cybersecurity part of their [Request for Proposals] RFPs and even possibly annual or biannual cybersecurity audits,” he says.
Broida says that satellite firms unable to demonstrate that they have a secure network may eventually be forced into “very commoditized” roles in the industry. “Our end customers also believe that cybersecurity can be a differentiator for them in the sense that a Shell or Exxon is more likely to pick a rig that has advanced cybersecurity than an asset with another company that might struggle to do so,” he adds.
Harris CapRock’s investments in network resiliency have paid off — Transocean recently selected it for a three-year managed services contract that includes cyber protection for its entire fleet of offshore oil rigs. VS