WASHINGTON — The biggest known cyberattack of the Ukraine war happened more than a year ago when Russian hackers targeted satellite modems and knocked Viasat’s KA-SAT customers offline in Ukraine and other parts of Europe.
Viasat, a global communications firm based in Carlsbad, California, recently introduced a new threat-detection tool that can be applied to its entire global network, Craig Miller, president of Viasat Government Systems, told SpaceNews on the sidelines of the Satellite 2023 conference.
“Unfortunately this capability was not deployed on KA-SAT at the event that happened in 2022,” Miller said, although the development of this service began long before the KA-SAT event. The new service uses a “zero-trust approach” for network threat detection, he said.
Unlike traditional cybersecurity techniques that focus on perimeter defense and access control, a zero-trust architecture assumes all devices are potential threats. “We’re always looking at behavioral patterns,” Miller said. “Does it look different than normal? Does that look like a malicious thing? And we’re often able to find things that would be considered zero-day attacks.”
Viasat developed this tool under the Enhanced Cybersecurity Services program run by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. CISA created the program to help U.S. businesses and critical infrastructure organizations reinforce their capabilities to identify malicious threats by leveraging classified threat intelligence. Viasat also uses its own threat intelligence.
Since the new tool started to get deployed across Viasat’s network, “we’re starting to get some very interesting data,” Miller said. “It’s hard to say categorically that this has stopped a cyber attack, but we have caught things and stopped things that potentially wouldn’t have been stopped by other tools.”
Anyone could be a threat
Protecting a global commercial network with a million users can be harder than defending DoD networks that restrict access, Miller explained.
Government agencies “have total control of the population that’s allowed to come onto the network,” whereas a satellite internet provider like Viasat has to deal with the reality that “anyone with 50 bucks a month and good credit can come on our network. And in the developing world, anyone with a couple of bucks a month is welcome to come on to our network.”
The whole network is “exposed all the time,” he said. The zero-trust approach assumes that an attacker has a way into the network and “prevents them from doing anything malicious or moving laterally within the network.”
Viasat created machine-learning algorithms that were trained against data collected from its own network. “You get a pretty good sample of all the malicious effects and malicious data patterns that are out there.”
“Our algorithms have advanced to a point where we have our own set of proprietary threat indicators that detect a lot of things that can’t be detected by commercially available tools,” Miller said. “And in some cases, we detect things that even the NSA and DHS threat intelligence feeds don’t detect.”
DoD’s reliance on commercial satcom
Zero-trust architectures are now the preferred approach to defend not just commercial but military networks, Sam Visner, technical fellow at MITRE Corp. and vice chair of the Space ISAC, said March 13 at the Satellite conference.
“All of these systems are essential to our national interests, as we’ve seen in this war in Ukraine,” said Visner. He said DoD is looking to deploy zero-trust cybersecurity as part of a broader plan to rely on “hybrid” networks of commercial and government satellites.
“As you saw at the beginning of the war, some of the principal attacks were against the commercial systems on which the military depends,” he said. “Systems that have been built by the private sector are therefore subject to the same threats as military systems and require the same mitigation.”