Satellites need cybersecurity measures too

The Space Hour spoke with Bill Harrod, Public Sector CTO for Ivanti.

You’ve heard a lot about cybersecurity within government networks, especially if you’re a devoted listener of us here at Federal News Network. Well now there could be a similar ongoing battle in space, particularly with the nation’s and international satellites that we all rely on for our daily lives now. Some experts are ringing the alarm bell saying nation states are already crafting cyber-attacks against space-based assets, and the government is taking notice. To learn more about this, I spoke with Bill Harrod, Public Sector CTO for Ivanti.

Interview transcript: 

Bill Harrod It’s an interesting concept and I actually was out at a Space Force conference last fall in in L.A. at Space Systems Command out there. And and it’s really interesting because I think we don’t understand fully the impact on satellites and space systems that cyberattacks have. And the attack surface is one of the things that’s often overlooked. So the attack surface for for satellites and space systems is everything from ground systems, the relays, attacks on communications like the command links. You know, if you think of that command link injection is similar to something that we in cybersecurity have talked about for years, many years, when we’ve talked about sequel query injection attacks. It’s the same idea. If we can inject something into the  command link, which is already authorized and authenticated, then there’s a way to insert a command, a malicious command, into that command stream, and you can control the space system. And then there are replaying attacks and spoofing attacks. And space systems are endpoints like traditional network endpoints that we think about. But there are obviously some some underlying differences, but the operating systems are more and more becoming similar to commercial off the shelf operating systems, but they’re significantly more difficult to to manage and to patch and maintain. And and the result is that the potential damage of a compromise to a space system really can affect the integrity, the reliability and availability of those space systems and could impact significantly cloud computing applications, communications, everything from I mean, we talk about food, fuel and and finance. And that is the kind of thing that attacks against satellites and and space systems could really have as a significant impact.

Eric White Yeah. So though the targets are unique, it sounds as if the methods of a cyber attack aren’t so unique when it comes to the space front. And you mentioned how hard it is to update and patch certain vulnerabilities that are discovered, and maybe we don’t have the answer yet, but I wanted to ask you, what do you do to mitigate those risks that you take in having those vulnerabilities up there when you know you can’t just necessarily go up there and install new hardware. Or maybe you can. Tell me about it.

Bill Harrod No, you really can’t. And and the problem is that you don’t have the same kind of real time communication and instant feedback that you would from, you know, a traditional operating system. So it’s much harder to manage them. But the preventions really are when we talk about how do we protect, particularly, how do we protect the security of space systems, some of them are typical network infrastructure controls. We need to have a good inventory and discovery of what the endpoints are and of the entire operating system and all of the assets. So it’s you know, what’s on that device, what’s on that endpoint, what is the operating system, what are the applications, what are their versions of all of that? It really is a sort of a more traditional asset management type of discussion. Obviously, patching is is going to be critical. It’s more difficult because you have a limited amount of time in which you can send a patch up to a satellite or a space system and you have limited packaged space to do it. There are limitations on the space system, right? There are power constraints, there are memory constraints, footprint constraints in in a software scenario. But things like network access control, stronger authentication, good authorization as to what a command stream can and can’t do and then policy management are all things that that we need to be making sure are applied and consistently enforced, whether it be on a network endpoint or on a space system.

Eric White And who are the bad actors or potential bad actors here? Because I imagine, you know, space may not be the first target of, say, you know, a cybercriminal, but who could potentially, you know, do us harm or, you know, do just the international infrastructure in space harm? Are there non nation-state actors that have the capability to actually hack into international satellites?

Bill Harrod Yeah. So the Air Force runs annually a Hack-the-Sat competition. And there are a number of of teams that compete and much of that information is is widely available online. So there are lots of people that have the potential of doing it and there are lots of people that are looking at how do we how do we do it and then how do we prevent it? How do we protect it? Nation-states are obviously the the key bad actor that we’re concerned with in this. And even if it is not directly a nation-state, there are a number of cyber criminal organizations that are working on behalf of nation-states. But just as we look at anybody who would provide ransomware against a hospital or think of the Colonial gas line interruption, all of those things, ransomware is is going to be one of the key factors and an attack vectors both for traditional network endpoints and space systems and the same actors are going to be responsible. So we can certainly see a criminal organization, cyber criminal organization, try and get ransomware loaded onto a satellite and then hold it for ransom, just as they’re doing with hospitals and schools and and organizations that are land based.

Eric White So obviously, that would be bad. And any anything cyber the federal government has, you know, incrementally, maybe not as fast as most people like, but they have tried to take those matters more serious. You mentioned the Hack-A-Sat competition that is done by Space Command. Are there any other sort of initiatives from, whether it’s our federal government or with our international allied partners, to go after this topic? And then we can also get to the role of the private sector for folks like yourself?

Bill Harrod Sure. So the White House had the conference at the end of March. Coming out of that really were the initiative to do more study and more learning. But NIST, the National Institute for Standards and Technology, has been tasked with providing some goals and guidelines around how we should be protecting satellites, space systems and communications. And then part of the executive order, the President Biden’s Executive Order 14028 that came out about a year and a half ago, talked about supply chain software, supply chain controls and having software building materials. And both of those are things that we ought to be applying to all endpoints, whether they be traditional endpoints or these more esoteric, ethereal endpoints that are space systems.

Eric White And as I mentioned, you know, nowhere else is there probably more collaboration between industry and government than in the space industry. And so what is your role as you see it for the private sector? I imagine where there’s a need for the government, there’s probably some money to be made for cybersecurity. What kinds of initiatives are you all taking or are you seeing with your colleagues and your competitors?

Bill Harrod Sure. So Eric, I think that one of the things that’s really important is to understand that although the space systems are unique in many aspects, in many ways they are like a traditional network endpoint. Ivanti’s a U.S.-based enterprise software company with a mission to help agencies like Space Force or Space Command discover, secure, manage and be able to service all of their I.T assets and to enable the everywhere workplace. And part of that is being able to to provide a way of being able to do discovery on all devices, whether they be traditional endpoints, whether they be endpoints in the Internet of Things or even if they be a space system command and then be able to do risk-based vulnerability management be able to provide prioritized patching. And and understanding what the risks are and being able to address the real risks and making sure that we have remediations available, whether they’re whether it is a patch or whether it’s some other compensating control to mitigate the risk.

Eric White You talk about them being traditional endpoints. So is it, you know, just like trying to log in to your Facebook account, you get a notification. Did you actually try to log into the satellite or was that you? How does how does cybersecurity actually look for these satellite systems?

Bill Harrod Well, obviously, it’s much more difficult because there are only certain windows of opportunity in which you can communicate, particularly with a satellite. But during that time frame, you have to be able to to do some sort of secure authentication. It’s hopefully it’s a little more a little more secure than managing or logging on to your Facebook account. It is doing that. Yeah, it is doing that strong authentication, making sure that the command streams and the communications are encrypted. And that’s going to be looking at the ciphers and how do we do that encryption and some of the quantum computing to to make sure that that encryption is sufficiently strong and then making sure that the command stream or the user who is issuing those commands has the authority to be able to to do certain tasks. But there needs to be some some role based access control as well, so that they can only do things that are within their purview based on their authorization. So in some ways it is similar to a traditional endpoint, but with some additional constraints obviously. So I think I think it’s an important topic. I think that security is is one of those things that is relatively recent for space systems. You know, the things that were primarily the primary concerns when space systems were being developed were those power constraints, the battery and electrical power availability, the footprint and the virtual software footprint. Those were all the primary things that were being considered. And security, as is often the case, got relegated to to second place. And now we’re trying to come back and retrofit security in, which is always more difficult. But I think that we have some, some good models, and I think there are some ways of being able to enhance security and be able to provide greater risk mitigation of cyber attacks against space systems.

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories