10 Defining Moments in Cybersecurity and Satellite in 2023
July 24th, 2023It is hard to believe that this year, the CyberSat event will be seven years old. It has grown ever year, as the relationship between cybersecurity and satellite has become more important. While the hack on Viasat’s equipment in Europe was a watershed moment for the space industry, there are other events in the cyber landscape that satellite can learn from.
In this feature, Via Satellite identifies 10 Defining Moments in Cybersecurity and Satellite for 2023, for the second year in a row. Read last year’s feature here.
FAA System Outage
At the start of 2023, the Federal Aviation Administration (FAA) had a significant system outage that led to widespread disruption on Jan 11. While the outage was brief, there were significant ripple effects across the industry. It was a major incident and made headline news across the world. It could also foreshadow what could happen when critical infrastructure doesn’t work, even for a short time. While the system outage wasn’t caused by a hack, it showcased the level of disruption that could happen when critical infrastructure suffers an outage.
[Dates and tracks announced for CyberSat 2024! Discover this year’s expanded program here]
Vince Walisko, COO of Optimal Satcom tells Via Satellite, “I think this event is an example of the potential far-reaching results of the failure of a single element in a system or network. In this case the stated cause was not an attack, but an attack could have had the same effect and could have been more difficult to recover from.”
In terms of the potential ramifications to the space industry, Walisko says it’s frightening to think of an event like this happening to a satellite control system of Low-Earth Orbit (LEO) network.
“In the case of some LEO constellation a control system is central to flight dynamics, maintaining orbits, confluence avoidance and managing fuel and power. This type of event could result in the Kessler Syndrome and a debris field that would take at least decades to dissipate,” Walisko says. “The ramifications could be profound with interruption or destruction of communications, PNT, EO and other systems taken for granted by the general population. The economic impact of some types events like this could approach trillions of dollars.”
Lloyds of London Publishes Dire Forecast
In October last year, insurance marketplace Lloyds of London published a system risk scenario that models the global economic impact of a hypothetical but plausible cyber attack on a major financial services payments system that would result in widespread disruption to global business. Lloyds forecast that this could lead to potential global economic losses of $3.5 trillion. Lloyds published the model a year after it announced it was investigating a potential cyber attack on its network.
Lisa Donnan, partner at cybersecurity private equity firm Option3, said the attack and follow up model was a “significant warning shot” about the importance of protected financial services platforms.
Such attacks could also have huge ramifications for the space industry. “A cyber-attack on an insurance company, especially one insuring space assets, could significantly impact the space industry by disrupting financial protection and risk management strategies,” Donnan says. “It could lead to delays in claims processing for damaged assets, affect trust and increase premiums or even lead to the unavailability of certain types of space insurance coverage. This would increase the risk and potential costs for space missions and companies relying on satellites and other space technologies.”
Donnan believes critical infrastructure will be targeted more as cyberattacks become more frequent. “An attack on one critical infrastructure has impacts on other critical infrastructures so the rising number of attacks in general plus the monetary gain from attacking the financial system is definitely going to lead to this infrastructure being targeted more,” she adds.
Hack-A-Sat Showcases the Good and Bad
Over the last few years, Hack-A-Sat events have grown in prominence and are now a staple on the calendar for those interested in cybersecurity and space. As more and more people take part in these events, it is proving a double-edged sword. While getting more people involved in these events is a good thing, the speed at which participants are able to hack satellites shows how the dynamic has shifted.
Madeleine Chang, space policy fellow supported by Horizon Institute for Public Service, believes the latest iteration of Hack-A-Sat was significant. She says, “Hack-A-Sat 4 marked a milestone as the first on-orbit satellite hacking exercise open to the public. The winning teams gained control of a U.S. government satellite in only a matter of hours. Although the satellite, Moonlighter, featured intentionally configured security parameters for the competition, its inclusion in Hack-A-Sat underscores the U.S. government’s dedication to addressing satellite cybersecurity as a crucial national security concern. This event also emphasizes the imperative for vigilant and adaptive cybersecurity measures across satellite systems in a broader context.”
Setting the Standard
The launch of the IEEE International Technical Standard for Space System Cybersecurity was a significant event in an industry where standards play such an important role. The IEEE working group was approved in Feburary last year, and kicked off in June.
Greg Falco, assistant professor of Aerospace Security and Autonomy at Cornell University called it a “transformative development” given the international nature of the effort.
“Policies, regulations and doctrine relating to space security are severely outdated and this is the first truly international effort to engage technical experts and government/policy stakeholders on establishing enforceable, cross-border cybersecurity standards for the space ecosystem,” Falco says. “There are over 20 countries engaged on the effort, where the output will be technical specifications that are usable for engineers to design and develop better space systems.”
Falco expects that the standard will be a tide that raises all ships. He believes a technical standard that government and industry can point to as the minimum requirements for cybersecurity will give a starting point to improving the industry’s cyber posture.
“Standards are a starting point to improve the security of satcom networks. Satellite communications networks are not only comprised of a communication protocol or the physical link enabling the network – it is the entire ecosystem of space assets ranging from the ground, space vehicle, integration, user and link segments,” he says. “By creating secure-by-design technical specifications for each, attack surface will be eliminated across the ecosystem which can improve the security of the application, which may be the satcom network.”
Winds of Change for CISOs
One of the most famous (if not infamous) cybersecurity breaches was against SolarWinds, a Texas-based network management software company. The large-scale attack on a firm with products widely used by the U.S. government makes it one of the most high-profile, and potentially damaging, attacks in recent years. Even in 2024, the shocks from it continues to reverberate.
In October of 2023, the Securities and Exchange Commission (SEC) bought charges against SolarWinds CISO Tim Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleges that from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.
It is a huge development. Bob Gourley, CTO and co-founder of OODA, tells Via Satellite that the SEC has provided security reporting guidance for 10 years, and that their basic principle has been that investors expert companies to take security seriously. “Over the last few years they have been getting stricter about their guidance and their investigations. In the case of SolarWinds and their 2020 breach, the SEC claims that the CISO himself not only oversaw a poor security program but intentionally misled the public. This has sent shock waves around the security community. Now CISOs can be sued if their company does not take steps to reduce cyber risks,” he says. “As a technology heavy industry, security has always been a consideration in the space sector. Now CISOs will have even more reason to ensure they are making others in management know how serious it is to mitigate risks.”
Charging Brown could change the game for CISOs of space companies and beyond. “Every CISO I have spoken with is tracking this. CISOs already have a hard job where adversaries are trying to find a way in. Now they have to document their many defensive actions and watch out for lawsuits as well as intrusions,” adds Gourley.
MoveIT Vulnerability Impacts Organizations Far and Wide
One incident that gained major traction in 2023 headlines was the MoveIT file transfer protocol vulnerability. This impacted over 500 major organizations and compromised data on over 34 million individuals. Some of the reported organizations impacted by this breach include the U.S. Department of Energy, motor vehicle departments in at least two U.S. States, BBC, Ofcom, Ernst & Young, Aer Lingus, and British Airways.
“Companies that used the secure data transfer application called MoveIT were opened to an attack no one anticipated,” Gourley says. “Users of this secure file sharing solution actually had back doors to their sensitive data that adversaries accessed. Besides stolen data, the vulnerability also allowed attackers to implant ransomware for further exploitation. It was a double whammy.”
The attack could have ramifications for the space sector, according to both Walisko and Gourley. Gourley says, “Many companies that transfer sensitive data, including most companies in the space sector, use tools like MoveIT, which means mission critical data could have been exposed.”
Walisko added, “The satellite industry touches most people and organizations around the world in one way or the other. This breach should make us consider what the cascade effects of a breach in the satellite industry could be and hopefully refortify defences. This was a pernicious attack that kept moving further down the supply chains and across industries. It didn’t make organizations more vulnerable as much as it demonstrated how vulnerable they are.”
Troubled Waters
2023 saw multiple hacking attempts on critical infrastructure. Recently the attack of the Municipal Water Authority of Aliquippa in Pennsylvania by an Iranian-affiliated hacking group was major news among the cyber community. It underlined the boldness of attacks against critical infrastructure such as water utilities. Dave Pearah, CEO of space cybersecurity company SpiderOak, called it “a politically motivated attack” from a long time U.S. adversary designed to demonstrate Iran’s ability to damage the U.S. on the home front.
“The message is very clear. Iran can bring down critical U.S. systems and will do so if provoked. In some ways we got off easy, as the damage could have been much worse had the attackers chosen to do so,” he says.
Pearah believes the space industry should be very concerned by this, as Americans depend on space-based systems just as much as they do on power and utilities to conduct their daily lives.
“Satellite systems power navigation services, make accurate weather forecasts, enable rural internet access, provide public safety communications while supporting national security objectives. Any disruption or destruction of any of these services would be disastrous — especially if these attacks occurred in the run up to a hot military conflict,” he says.
Pearah also believes the space industry could be considered behind some of these industries when it comes to cyber defences. He says, “Perhaps even more concerning is that the space industry is way behind terrestrial industries such as water, power, financial services and transportation in their cyber maturity and ability to effectively deal with such threats when they occur,” he says.
In addition, Donnan, a partner at Option3, believes water systems are not protected to the level that they should be. Water is probably the most important critical infrastructure as people can die after just three days without water. The hack on the water system in Pennsylvania highlighted the lack of sufficient cybersecurity protection.
But, it could also have an impact on the space and satellite sector. Donnan adds, “An attack on water facilities from nation states can impact launches of satellites through delay in supply chain due to the amount of water needed to manufacture semi-conductors. NASA also sprays hundreds of thousands of gallons of water during launches so an attack on a water system can have a catastrophic effect if timed correctly. Attacks on critical infrastructure will become the norm because this Iran-backed cyber group was not the most sophisticated which just shows how vulnerable some of our critical infrastructure systems are.”
Two Years On, the Viasat Hack Still Dominates Conversation
The hack on Viasat equipment almost two years ago continues to be a key marker when talking about space and cybersecurity. Viasat shared many important updates at CyberSatGov and CyberLEO in 2023. Pearah believes one of the key takeaways is that when you you are hacked you need to operate with competency and honesty moving forward. He praised Viasat for doing a great job on both.
“Viasat has really set the standard for how a company should respond following a major attack,” he says. “They have made public all the information regarding the attack and their own shortcomings, outdated systems, and security failings. Rather than close ranks they have opened up for the good of the overall market.”
“Another valuable lesson from this attack is that vulnerability management continues to be 20:20 hindsight priority, the Viasat hack was the result of poor enterprise IT security, and the industry needs to get serious about building security into systems rather than waiting for something bad to occur before they act,” he adds.
Yet despite the attention on the issue, Pearah doesn’t think the industry took much action to fortify defenses. “There was much attention was paid in the beginning, a lot of good talking points, but very little action, the biggest change is that they are now more aware of the threat,” he says.
Daniel Gizinski, chief strategy officer of Comtech, talks of how gaining access to a satellite system by itself has limited financial value and there have been soft targets that had a more direct return. But he believes things are changing. “We’ve seen quite a bit more focus on satellite systems in the last few years and I think the industry is rapidly moving to pace the threat – but there’s a tough road ahead. In particular, many satellite systems have a very long expected life relative to other computing systems. When you look at a GEO satellite that might be on orbit for 20 to 25 years with supporting ground infrastructure that in some cases is a legacy from the previous generation,” he says.
Attacks Against Satellite Networks
At both CyberLEO and CyberSatGov last year, it was clear there are more attempts to compromise and attack satellite networks. Speedcast is one of the leading service providers in the industry and has been at the sharp end of seeing attacks. Last year, Speedcast stopped multiple cyber attack attempts related to direct internet access to a remote site.
“In the cyber threat instances we identified last year, Speedcast was able to protect customers by catching brute force attack attempts against specific routers with public IP addresses,” says Will Mudge, vice president of Global Infrastructure for Speedcast. “The cyber threats we identified were not overly sophisticated, but as with any public internet connection it is only a matter of time. Using public internet on remote sites generally comes with inherent risk and can open customer operations to cyber threats that public IP network designs are not set up to handle or protect against.”
Mudge says the company has been working to communicate to customers that Speedcast is seeing a shift in fundamental architecture from a consolidated firewall, to a distributed architecture where public IPs are now available at remote sites. Those remote sites need to be thinking about firewalls and management of links and traffic at the remote end. “In general, more connectivity options – like the addition of LEOs – typically mean more attack surfaces for bad actors. We have been diligent about looking for malicious traffic and helping customers mitigate threats,” he adds.
A Storm Came
One of the most talked about stories in the cybersecurity realm in 2023 was when Storm-0558, a China-based threat actor, used forged authentication tokens to access Microsoft email from approximately 25 organizations. Significantly, these included government agencies and related consumer accounts in the cloud.
Gizinski said that Storm-0558 attack is an example of how advanced threats have been able to assemble a series of pieces over an extended period of time. Gizinzki talks about that even with several layers of defense in depth at play, these email accounts were compromised for multiple weeks. “The time horizon, scope, and scale of effort that went into this attack to provide access to accounts for less than a month is illustrative of the unprecedented effort being put into gaining system access – and the criticality of designing in good security practice and leveraging highly automated cyber defenses to counter the pace of play of modern threat actors,” he adds.
In terms of why this incident could be considered concerning to the satellite industry, Gizinski said that within the satellite industry, the industry often think of satellites communications in a silo, but they provide critical underlying infrastructure into a number of other systems across industries ranging from electrical grids to U.S. military use.
“A lot of thought goes into direct vulnerabilities, but nearly every computing system plugged into a satellite hub carries with it vulnerabilities of their own,” Gizinski says. “For companies today, holistic cyber discipline is critical. Every organization, regardless of the industry, needs to be very thoughtful about system architecture designs, and ensuring that good cyber hygiene is being followed across the board. In the case of the satellite industry – events as simple as a network management password being reset via email alone should be thought of as part of the larger security ecosystem.” VS
[Dates and tracks announced for CyberSat 2024! Discover this year’s expanded program here]