KPN CISO Examines the Cyber Threat

“Telcos worldwide are actually not prepared.” That is the somewhat surprising answer I receive when I ask KPN Chief Information Security Officer (CISO) Jaya Baloo if she feels companies are prepared for the emerging cyber threat that they all face. In an exclusive interview with Via Satellite, Baloo admits there is a catch-up process taking place. “Being prepared means you understand your past well enough to have a situational awareness of the present and can also predict some of the consequences that it will have on your future,” she says. “We are not capable of doing any of those sorts of things from a security perspective at all. We are always caught off-guard. We are always running like firemen to any security fire that we have to put out,” she says.

It is a sobering analysis, and a reminder for any satellite company, should they need it, that no company in this sector is immune from a large-scale hack. Even the biggest companies in satellite have had to deal with some particularly nasty situations when dealing with hackers.

KPN is a dominant telco in Europe and plays a role in providing critical communications infrastructure throughout the Netherlands. Whether it is airplanes taking off from Schipol Airport, offshore networks being used, or the delivery of broadcast and communications services throughout the country, KPN’s networks are at the heart of Dutch society. So, it could be argued that Baloo has one of the most important jobs in the country, keeping these networks safe and working at all times. It is not an easy job, as any high-profile hack now gets global attention.

Now, you might think these telcos would be well-placed to deal with the myriad of cyber threats coming its way. However, like other companies in the sector, including Telefonica, KPN needed a wake-up call to really ramp up its efforts on the security side.

KPN’s wake-up call took place around six years ago when it was hacked by a local teenager. This teenager managed to find a single vulnerability in the perimeter of KPN’s network and worked through 300 different systems within KPN. Luckily for the company, he didn’t change any data, and just really hacked the operator as a badge of honor. But the fact of the matter is he could have done irreversible damage to KPN had he chosen to. It was a lucky escape, but pointed out, rather shockingly, where the operator’s weak points were. While this hacker may not be top of KPN’s Christmas card list, they do owe this person a debt of gratitude for illuminating the glaring weaknesses in its networks.

Baloo says this was the moment when the Dutch operator realized it needed to do something about security. Baloo was hired later that same year after this hack took place and decided to focus on two things: vulnerabilities and incidents.

“If we know about a high-risk vulnerability on Monday, we need to have it patched as soon as possible — preferably within 24 hours, assuming a patch or workaround is available. We need to have it patched as quickly in order to limit the opportunity window for an attack and not wait for a release cycle that would leave it open for 180 days,” she says. “If you look at the average patch cycles of most companies, they don’t move quickly enough to close these issues or, in the worst cases, they don’t know about them.”

However, KPN is by no means alone when facing an unwanted cyber intrusion. Baloo points to Telefonica and Wannacry as an example of how a huge telco can be blindsided by a cyber threat. KPN got a malware sample within a few hours from Telefonica, and was able to analyze it to understand the ransomware and help others.

“Before that had happened, luckily we were already following the events around the Shadowbrokers and had already scanned for any Small and Medium Business (SMB) reachability from the outside. When Microsoft released a patch for MS17-010, we had to patch that as quickly as possible. Regardless of who was behind it, it presented a huge problem. So, we had to make sure we were not exposed to it. Had Telefonica taken similar actions, they may not have been compromised either. The result of that was we had zero incidents of Wannacry then … and we were lucky that we were on top of patch cycles.” she said.

The whole ecosystem is also not designed to help companies like KPN. Baloo puts the situation in a geopolitical context, pointing out that we are all using the same products and technology. She talks of people using similar chipsets, software and applications.

“We are all using the same protocols. So, if you have problems, they tend to be across the board. It is easier to attack, rather than defend. You have to defend all of these old protocols that were never created with security in mind. They were engineered to connect everybody easily and ubiquitously. Then you have hardware and software vendors who are only interested in time to market and not concerned with time to hack. They don’t carry the responsibility and liability needed to protect end users. You also have to secure old legacy equipment as well. But, the attacker only needs to find one point of entry, one weakness anywhere across the stack. Once they are in, they are all the way in. This is what we have to compete against,” she says.

While KPN is much bigger than most satellite operators, Baloo’s experience in the cyber world means she is a unique position to offer advice to satellite companies in terms of how to deal with the cyber threat. I ask her where she thinks the threat may come from if she were a satellite CISO. She says she would not initially look at the asset in space, but rather the ground station and how one can manipulate it.

“I would start looking at it from an offensive point of view. I would start with the ground station. Then I would look to how you could spoof or clone the communications over a poorly authenticated or an un-authenticated channel. I would assume on the un-authenticated channel, there would be one or two bands you could communicate with from your ground station to the satellite. If it was un-authenticated, you could pirate your own signal communications to that satellite,” she says.

When talking about satellites and cyber, Baloo also explains how the authorities in China are worried about attacks that could happen from a quantum computer. She talks about the Chinese authorities building a 2,000 km terrestrial quantum key distribution network all the way from Beijing to Shanghai.

“A quantum computer is a threat to all of the current asymmetric public key cryptography systems we have running on the planet right now, which are used by banks as well as enterprises. So, a quantum computer can potentially crack all of those communications. It figures out how to decrypt that conversation by factoring in the very large prime numbers that you used as a basis for the cryptography. A quantum key solution would use the same principles of quantum mechanics to actually defend the network that could be under attack by a quantum computer,” she says. “They have already launched a satellite to allow communications back to China terrestrially from the satellite and have also proven quantum entanglement and quantum teleportation. This is very interesting when communicating with multiple nodes.”

So, what does this mean for the satellite industry? Baloo says this kind of development could offer future opportunities for satellite. She talks about how in the current geopolitical context, the security and vulnerability of some terrestrial networks is becoming more of a concern, and this opens up possibilities to have a layer of meshing with satellite communications. “It could be GEO or LEO. If you see the developments to cover areas through the Google Loon project in Puerto Rico, or in 5G meshing with satellite, I think there is a lot more potential here to exploited for the satellite industry,” she says.

I end the interview by asking Baloo what her main challenge is for the year ahead. She says KPN and the industry as a whole really needs to be able to better understand the threat intelligence aspect. She says there is a need to understand your own position is in terms of your data and services, and what that looks like to an attacker.

“If you know what you need to protect, you then need to examine your situational awareness and understand what you need to defend against. You need to have an awareness of opportunistic and targeted attackers, their potential, and what they’re up to. They may not be hacking you right now; they maybe hacking someone else in the industry or your competitor. Therefore, a goal would be to have a threat intelligence map where you can see all those vectors in one place,” she says. VS