SINGAPORE — The satellite industry has done a good job bolstering its cyber defenses absent the sort of high-profile attack that has spurred other industries to step up their efforts. But the risk of a “defining cyber event” remains, a panel of experts said June 25.
“We have not had an industry event really publicly embarrass the industry in a big, broad way,” Stuart Daughtridge, vice president of advanced technologies and business development at Kratos Defense and Security, said at the CASBAA Satellite Industry Forum here. Such attacks are often necessary to awaken an industry’s “cyber ecosystem” to the threats it faces.
Kratos, along with providing ground systems for satellite operators, works with companies like Amazon and Microsoft to make sure their cloud networks meet U.S. government standards, Daughtridge said. Conversations with those corporate customers show the satellite industry has a strong reputation for cybersecurity, he said.
“There’s two types of industries: there’s industries that have had a defining cyber event and there are industries that haven’t,” he said. “And we’re one of the industries that haven’t, from their perspective.”
But the lack of a cyber equivalent of 9/11 for the satellite industry doesn’t mean the risks aren’t there. Last year Symantec caught a China-affiliated hacker group called Thrip that had attacked two satellite companies, a U.S. Defense Department contractor, and a geospatial-imaging firm, and was actively rooting around for ways to take control of satellites in space.
“It doesn’t take a bunch of cases to know there is still room for improvement,” said Chris Hill, CEO of cyber specialist company Aurora and former chief technology officer of ITC Global, a provider of satellite networks for remote locations like mines and oil rigs. “If you are already aware of the issues, then you don’t need help. It’s the elements of our industry who don’t have that skill set in-house and are still blissfully unaware of the issue that need help.”
Rocking the boat
Dave Hartshorn, the departing secretary general of the Global VSAT Forum, said his organization noticed an industry-wide strengthening of cybersecurity following a 2014 report from cybersecurity specialists IOActive that claimed to have found vulnerabilities in several satellite terminals.
That report, which called out Inmarsat, Hughes, Cobham and others, triggered a “scramble” across the industry to address cyber risks, he said.
Hartshorn, who helped create the GVF Cybersecurity Task Force in response to that report, admits he was “surprised to see that there were significant gaps” in industry preparedness.
For example, many satellite network operators were not changing the default password for the hubs used to control Very Small Aperture Terminals (VSATs) scattered across remote regions of the world for broadband connectivity. A map of those VSATs was available on the “darkweb” for hackers to easily find, he said.
“Fast forward to today, it’s night and day, really,” Hartshorn declared. “I’m not saying it’s perfect, but what we see now is an incredible gain in providing for that level of security, and it’s happening at every level of the ecosystem — terminal manufacturers, we see it there, [and] satellite operators all the way down through to their customers.”
Hartshorn said satellite companies are coordinating with each other regularly to close off cyber vulnerabilities.
As cyber becomes more important, satellite companies are increasingly using their strength in this field as a selling point for their products. Several satellite operators say they are on constant guard against new malware and other threats. Last year RigNet, a company that provides satellite connectivity to oil and gas sites, acquired a cyber firm called Cyphre Security Solutions and now includes cybersecurity solutions as one of its services.
A gaping reservation
One cyber-defense measure experts expressed concern about was a possible over-reliance on “air gapping” — a practice of keeping systems disconnected from the internet to prevent the introduction of malware.
Daughtridge said air gaps are “definitely great protection,” but don’t guarantee safety. Isolated networks still need to be updated, and malware hidden in flash drives or other devices can still infect an offline system if physically introduced.
Air-gapped systems can also get cumbersome to sustain, leading to situations where “you end up with companies running Windows XP 15 years after it was released,” Hill said. Older computer systems that no longer get regular updates become increasingly vulnerable to new hacks for which no patches are available.
“Just on the satellite terminals, the vendors have done a good job of addressing a lot of the vulnerabilities, but they can’t help it if someone is running a six-year-old version of software on a modem,” Hill said. “And it’s not too hard to find modems or systems that are simply years behind.”
“There are still other measures that you have to follow to guarantee as much as you can your safety,” added Daughtridge.