Cyber Experts: The Truth About The Threats to Satellite
It seems every day there is news related to a new cyber attack. This is the new reality we must all live in, and space is no different. However, quantifying and evaluating the threat is far from easy. We talk to some of the new companies in the cybersecurity space, as well as one or two cyber experts to see how they view the threat to the satellite industry.
May 15, 2017
Cybersecurity is a topic that everybody from any industry is talking about. The threat is very real, and as we live in an Internet of Things (IoT) world and adversaries become more sophisticated, satellite assets are likely to find themselves in the firing line sooner rather than later. Ahead of our much-awaited CyberSat event in October this year, Via Satellite talked to a number of companies outside of the traditional satellite industry about how they see the potential threat.
The Satellite Industry Isn’t Ready
Satellite assets are unique; they are often two to three years in the making and then stay in space almost two decades. However, as space becomes more crowded and contested, how vulnerable are these assets to a cyber attack? Andy Davis, transport assurance practice director at the NCC Group, a company that provides cybersecurity solutions to the transport sector, believes the fact that space-based assets communicate solely with radio-based wireless protocols will make them an attractive target for attackers. This is both from the perspectives of access and attribution, as attempting to identify the exact source of a wireless attack over a long distance is often a significant challenge. “These types of direct attacks on space-based assets are more likely to result in denial of service scenarios. However, attacks mounted via a compromised ground station network may potentially yield access to sensitive data or the ability to manipulate command and control systems, therefore resulting in a considerably greater impact,” he adds.
Chris Childers, chief executive officer of the National Defense Group, highlights the fact that most satellites have been up for a long time, which means they have old technology that was made before cyber threats were a real issue. He thinks this makes space-based assets particularly interesting targets to nation states.
“Sun Tzu once said, ‘The supreme art of war is to subdue the enemy without fighting.’ All offense and defense these days currently relies on communication networks. If some crazy dictator decides to invade his neighbor, it would be in his best interest to have a switch he could throw to knock out all their communication capability before he did it. The fastest way to do that in the current age would be to put remote malware on satellites. In that sense, I think they are already key targets,” he says.
When asked whether he thinks the technology industry is doing a good job in protecting communications assets such as space-based and terrestrially based networks, Childers answers with an emphatic “no.”
“Look at commercial software updates. These updates happen for a few reasons: one reason is to add new features; the other is to patch to mitigate the threat of exploits when discovered. I have never heard of a satellite company doing anything to find exploitable code and patch it. Think about how often you see ‘X has installed new updates’ on your computer. Can the same be said about satellites? I think the only thing that keeps them remotely safe at this point is the level of effort it would take to exploit one,” he says.
Marc Kolenko, a subject matter specialist contractor at PricewaterhouseCoopers (PwC), echoes these sentiments and believes space-based assets are more vulnerable. He agrees that the designers of satellites conceived 10 to 15 years ago did not overly concern themselves with cyber threats because it was believed that the space segment of on-orbit assets and systems was sufficiently isolated from the ground segment, and furthermore wasn't directly connected to the internet. However, Kolenko believes things have changed.
“Intercepting uplink or downlink transmissions that carry Internet Protocol (IP) datagrams or payloads is certainly feasible,” he adds. “Nation states have developed satellites that can park themselves in close proximity of another satellite, and interfere with Telemetry, Tracking, and Command (TTC) uplinks and downlinks. Now, that may not directly equate to a cyber exploit, but if I can insert myself into the uplink or downlink, I can certainly start manipulating the data payloads they carry.”
Kolenko thinks satellites represent a rich target set for adversaries that want to exploit them. He says you only have to look at the reliance the U.S. government and in particular the Department of Defense has on satellite-based assets to command and control troops and equipment, or to capture and cultivate intelligence.
“That many of these assets are on orbit presents some unique defensive challenges. Practically speaking, hardening these platforms during all phases of their Systems Development Life Cycle (SDLC) will eliminate many vulnerabilities. Stronger uplink and downlink encryption and anti-jamming capabilities will also improve the cybersecurity posture of the platform significantly,” Kolenko adds.
Darktrace is a company that may be unfamiliar to a number of Via Satellite readers. Mathematicians and machine learning specialists from the University of Cambridge in the U.K., together with intelligence experts from MI5 and the U.K. Government Communications Headquarters (GCHQ), founded Darktrace in 2013 to bring transformative technology to the challenge of cybersecurity. It already works with companies in the aerospace and satellite sector.
Emily Orton, the co-founder of Darktrace, says today’s reality is that every organization in every sector is now vulnerable to attacks. No matter how large or well trained the security team is, no company is immune to the increasingly advanced and sophisticated threats executed today.
“There is always the risk of insider threat. Threats facing the aerospace and satellite sector are particularly concerning given the risk to physical safety,” Orton says. “Organizations need to adopt the best tools to protect against these types of cyber threats, and legacy approaches are proving insufficient on their own. It’s no longer possible to secure networks on the border. More and more organizations are turning to ‘immune-system’ approaches which, inspired by the human immune system, protect the network from the inside, just like the body does.”
Orton believes that, by using unsupervised machine learning and mathematics, these immune system technologies establish a “pattern of life” for every network, device and user. By learning “self” for an organization, the technology can spot anomalies or suspicious behaviors in real time — irrespective of whether or not the threat has been seen before, she says. Orton believes the key is to catch emerging threats early, before they escalate into crises.
Orton says Darktrace tells every organization to assume they are already infiltrated, or will be soon. She believes it is impossible to keep sophisticated and silent threat actors out, as they will always find a way in. “That means that internal monitoring of everything going on in those networks becomes absolutely critical. Even sophisticated hackers will behave in ways that deviate from normal activity, but your technology must be sensitive enough to catch those subtle movements,” she says.
Orton is uniquely placed to look at the evolving threat landscape, which is getting more and more sophisticated. She says a major trend that Darktrace has already seen is the use of artificial intelligence and machine learning for advanced hacks. According to Orton, Darktrace recently saw an attack on an organization in India where the hacker used artificial intelligence to learn how to blend into the network, unnoticed. Darktrace caught it before it totally blended in, but it serves as a testament to how subtle new types of threats can be.
“Additionally, the security market needs to address the growing challenge of the Internet of Things, which further expands the attack surface. As our lives continue to become hyper-connected, the market will need to adapt to reflect this new, borderless world. At the forefront of this change, from a security standpoint, will be to continually monitor and get visibility of everything that is going on, and to automate the process of threat detection. Humans cannot possibly keep up with the security scene at the rate it is now moving. Machine learning will be absolutely vital in this battle,” she says.
The NCC Group works in the area of “connected” transport, which is a big deal for the satellite industry as it looks to connect planes, ships and cars, for example. Davis says that, in this area, we are already starting to see new and innovative security product solutions being applied to transport systems in the field of intrusion detection and prevention.
“However, it is always important to remember that any new product added to a system or network (including security products) potentially increases its overall attack surface. Within the transport sector especially, we are experiencing a greater demand for services such as escrow (the secure storage of software and other assets that can easily be recovered in the event of a system being attacked and data destroyed). We are also increasingly receiving requests for our more proactive, cyber defense operations services to identify when attackers are attempting to mount attacks, but prior to them achieving their ultimate goal,” he says.
With more and more satellites going up, the use of Commercial Off The Shelf (COTS) technologies is likely to increase. This also presents some interesting cybersecurity challenges. Davis says until relatively recently the operating systems and control software used on board spacecraft and satellites have been proprietary in nature and therefore protected to a certain degree by security through obscurity. He believes unless you were involved in the development or support of a system, it would be difficult to gain access to the technical details and therefore more difficult for an attacker to compromise.
“However, increasingly we are seeing the use of COTS products, more specifically open-source software, including operating systems such as Linux, being deployed in space. There are two cybersecurity concerns here; firstly the vulnerabilities are significantly easier to discover as the software is freely available, and secondly, due to the regularity of vulnerabilities being identified in open source software, a mechanism needs to be in place to regularly install and test security patches once the software has been deployed onto space-based assets,” Davis says.
Childers echoes this by saying COTS products are most certainly more susceptible to cyber threats than custom-made solutions. He says vulnerabilities are found by poking around on a particular device or examining its firmware or software. If a technology is readily available for anyone to download or purchase, anyone with the resources to obtain one has access to it.
“Think about the uncountable vulnerabilities patched every month on everyone’s favorite operating system. This happens because hackers can easily get their hands on a copy of it. If a satellite company makes its own operating system from scratch instead of just using a common Linux distro, only they have access to the inner workings of the satellite. This turns the satellite into a black box that is harder to figure out. The bottom line here is that knowledge is power. The less knowledge hackers have about a product, the harder it is to hack,” he says.
More Talent Needed
Childers believes there will certainly be a spike in need for security experts in the computing world, and talks of a need to improve the talent pool among young people. “For decades, and probably much longer than that, curriculums in schools have lagged behind problems the real world throws at you. Take that concept and combine it with a field that changes faster than anyone can keep up with. You end up with a field that you can only perform in if you evolved with it. Bringing educational institutions closer to the bleeding edge of real world cybersecurity problems is the only way the war on cyber threats can ever be won,” he says.
The issue of cyber insurance is one that could be really relevant to the space industry going forward. Kolenko talks of new financial and risk assessment models that feature Cyber Value-at-Risk (CyVAR), which accurately quantify system-level risk and liability in terms of real dollars if compromised. Kolenko believes this is particularly important to chief financial and chief risk officers, as it aids them with focusing their cyber protection investment dollars. He says that, despite the level of investments that have been made in the area of information technology over the last 20-odd years or so, we really aren't any more secure.
“CyVAR not only aids in focusing protective investment dollars, but it identifies those mission-critical and essential systems that need higher levels of protection. This in turn assists the cybersecurity insurance industry with more accurately quantifying the level of coverage required for those systems in their policies. Liability and exposure are more accurately quantified. So I do think the trend toward securing and insuring ground segment and space segment assets with insurance policies, specifically targeting cyber vulnerabilities, will continue, if it has not already begun,” he says.
Darktrace and the Fight Against Cyber Threats
Darktrace is one of a number of new cybersecurity companies that are working on solutions to keep enterprises safe. Its technology, known as the Enterprise Immune System, is powered by machine learning and mathematics developed by specialists from the University of Cambridge. Darktrace claims this self-learning technology is unique because it can understand what “normal” looks like for any organization, any device and even any user, without requiring prior knowledge. Instead, it automatically learns the organization’s “pattern of life” from what it observes, and can spot developing anomalies as they manifest themselves on the network.
Whereas the rest of the industry tries to predefine “bad” behaviors or categorize known threats, Darktrace surfaces any activity where a significant deviation from the normal behavior has occurred — which means it can catch insider threats, criminal groups, sophisticated malware, state-sponsored attacks, and so on. Ultimately, Darktrace aims to catch the stuff that every other security tool misses — and early.
To counter the most challenging and rapid attacks that we are now seeing, Darktrace developed the ability to fight back automatically. Like antibodies in the human immune system, Darktrace Antigena is a technology that automatically responds to threats, but in a highly measured and precise manner — such as immediately slowing down a particular connection. This allows security teams to gain back the time advantage, and mitigates risk in real time.