From Via Satellite
As the cyber threat landscape intensifies for satellite operators and the world at large, Via Satellite examines how the industry is tackling the issue on multiple levels. To stay ahead of the threat, manufacturers, operators and customers all must band together, increase their vigilance and collaborate more closely.
Cybersecurity concerns continue to dominate headlines as one of the most far-reaching cross-industry threats facing an interdependent digital world. With space becoming more contested than ever before, the threat to space-based assets is growing.
Increasingly, operators, satellite manufacturers and the organizations they serve are coming together to fight the threats to their networks from a dizzying array of actors, from lone wolves to well-funded nation-states.
The stakes are high, considering that much of the world’s critical infrastructure rides over satellites, whether the applications involve defense systems, environmental monitoring, broadcasting, financial services or communications. In the context of this threat, Via Satellite talked to a number of satellite industry experts on how they see cybersecurity preparedness occurring in their markets, and how they define the “new normal” as the industry evolves to counter these threats.
Advisory firm PwC in its annual Global State of Information Security Survey 2016 noted that the number of security incidents across all industries rose by 38 percent in 2015 — the highest-ever increase in the 12 years since the global study was first published.
In October 2016 a prolonged Distributed Denial-of-Service (DDoS) attack shut down many major websites in the United States and Europe. This type of attack involves hackers flooding a website with traffic so it can’t handle visits from ordinary web users.
These developments underscore an escalating problem for companies globally, including satellite firms.
“The threat environment is considerable. The amount of potential vectors out there are massively increasing,” says Vinit Duggal, Chief Information Security Officer (CISO) at Intelsat, which has seen a 60 percent increase in the number of DDoS attacks from 2015 to 2016.
While those attacks were unsuccessful, they still signal a dramatic jump in these kinds of threats, especially as the industry moves more toward IP infrastructure, hybrid networks and cloud-based solutions.
Duggal says that the number of high-throughput satellites and the consumption occurring on mobile and connected devices have caused the threat landscape to get “exponentially bigger.”
“Now you are dealing with ensuring security across all the different components that enable the entire ecosystem and that obviously hasn’t been done effectively to date. All these components have the potential to contain vulnerabilities,” he adds.
Duggal also notes that more advanced threats from the ground are using trusted ports and communication streams, underscoring the need for having the appropriate visibility, teams at the ready and partnerships in place to respond quickly.
“It’s a big issue. We face attacks originating from individuals, from groups and from nation states,” adds Dave Henning, director of network security at Hughes. In his 12 years at Hughes, Henning has gone from helping work on security features of Hughes’ first satellite, Spaceway, to overseeing the security operations team that monitors for threats.
“The speed by which technology changes is the tough part to keep up with, especially when you are dealing with things in space that are designed to be in orbit for 15 years,” Henning says. “You have to be very forward thinking in how you are going to protect those assets, knowing that the attackers are going to be faster with the pace of technology advances.”
A Growing Threat
Ransomware, which encrypts all the files on a computer until a person or company pays a “ransom,” is one of the fastest-growing threats. It renders any network vulnerable, especially if the network operator does not have proper anti-ransomware cybersecurity protocols in effect. This form of cybercrime cost victims $250 million in the first quarter of 2016. The FBI predicted that it would cost individuals and businesses $1 billion in 2016.
A New High-Stakes Game
“We are not playing checkers anymore; we are playing chess. You have to be five steps ahead,” warns Ron Clifton, president and founder of CliftonGroup International, and a frequent adviser to companies on cybersecurity strategy. “One of the biggest challenges we have is awareness of the threats and being able to do a proper threat and vulnerability analysis so you understand what the threats are.”
But Clifton says cybersecurity awareness within the industry is growing, as evidenced by the level of industry engagement and the number of conferences focused on the issue. “I don’t think the industry was taking it very seriously two or three years ago, but now momentum is growing like crazy,” he says.
The Obama Administration made it a priority, launching the National Cybersecurity Action Plan in 2013 and calling for $19 billion in the FY17 budget, an increase of 35 percent over the previous fiscal year. In addition, the Federal Communications Commission (FCC) formed a working group specifically to look at critical communications and security. Clifton says a key result of the Cybersecurity Risk Management and Best Practices working group was endorsing the National Institute of Standards and Technology (NIST) cybersecurity framework for the communications sector. It also included specific guidance and resources for various segments of U.S. critical infrastructure, including the satellite industry.
“The framework offers voluntary guidelines to help companies strengthen their resiliency. It has five core categories for protection, with links to very detailed standards such as ISO 27001/27002 and the [Center for Internet Security] CIS Critical Security Controls (CSCs),” says Clifton, explaining that major satellite manufacturers concerned about their ground systems or air assets would want to follow the more rigorous International Organization for Standardization (ISO) standards whereas the CIS CSCs would be more applicable to service providers and vendors.
Clifton emphasizes the importance of having a risk management framework — “if you don’t have one you are wasting your time and money,” he says.
Rethinking Networks, Products
Industry leaders say that the increases in attacks on networks have forced them to rethink how they build products and what solutions they offer to their customers who are looking for additional security capabilities.
“One thing the threat environment has created is the need for network protections against cyber threats at the design phase. We’ve gone to an iterative process to build our products such that we can insert value at any time during our release cycle,” says Andy Tomaszewski, chief security officer at iDirect.
iDirect helped develop GVF’s Product Security Baseline, designed for organizations that develop and produce VSAT hardware and software. Tomaszewski started a product security group within iDirect where he collaborates closely with engineering and product teams to continuously look at new threat information coming in so they can constantly find ways to enhance the security of their products. “For every major release we have security engineers break down our product and show us what needs to be corrected,” he says.
iDirect’s goal is to make sure its products “are properly hardened” and can integrate with other vendors’ technologies, so they can be as flexible as possible for their customers who face very specific threats depending on their industry, Tomaszewski explains.
According to Duggal, Intelsat thinks security first. “It is ingrained in our DNA,” he says. The company uses an internal security team and external third parties to evaluate its security posture. Duggal says Intelsat has a Service Organizational Control (SOC3) accreditation that is awarded annually after a detailed audit of the operator’s satellite and terrestrial service environments.
DataPath applied its decades-long experience developing networks for high-security government and military environments to offer commercial customers Managed Security Services (MSS) a little over a year ago.