Satellite Cybersecurity 'Not Where It Should Be,' Says Former DHS Official
Satellite industry self-protection against cyberattacks, particularly through sourcing of components and software, "is not where it should be," said Greg Garcia, Signal Group executive vice president and former Department of Homeland Security assistant secretary-cybersecurity, Wednesday at a CompTIA panel. The industry's awareness about and sophistication in response to threats also "has more room for growth," he said.
Lack of satellite industry consensus on cybersecurity best practices may not be bad, Garcia and other panelists said. As long as individual operators evaluate their systems, the proliferation of standards works because there's also a proliferation of network architectures, said Inmarsat Director-Regulatory and Public Policy Ethan Lucarelli.
The Satellite Industry Association and Global VSAT Forum (GVF) issued a set of cybersecurity core principles last fall that pushed voluntary, industry-led efforts in partnership with the public sector (see 1611170011). "The jury is out" on what the Trump administration's cyber policy approach will be and whether, when it comes to satellite, it takes an SIA/GVF-like stance or looks more to regulatory solutions, Garcia said.
Cyberthreats include foreign and nonstate sponsors of hacktivism, industrial and state-based espionage, cyber terrorism, state-sponsored disruptions and criminal activities, Lucarelli said. The particularly large threat posed by criminals trying to steal banking data or manipulate IoT data will require an "all of the above approach" that involves safeguards by satellite as well as integrators, software providers and others, he said. There's also fear of operational control of a satellite being taken over, or of malware being distributed to or from a satellite, Garcia said.
Satellites can be a solution to cybersecurity risks, Lucarelli said, citing such possible applications as satellite distribution of software patches on connected cars and the premium that industry has long put on security, particularly for military and remote communications applications. He said all satellite operators are active in cybersecurity measures, but Inmarsat sees its work there as a business differentiator.
Boeing increasingly is looking at designing satellite systems that better use hardware and software to monitor onboard processes and incorporate more robust software code and enhanced architectures, said John Toomer, director-intelligence, information and cyber systems. He said the company is looking at a self-repairing feature in satellite systems, and closely monitoring dashboards for gauging health of systems and ways of training operations people.
The Communications Information Sharing and Analysis Center and other industry ISACs need to help facilitate information sharing both ways between government and industry better than what currently happens, Toomer said. Garcia said DHS' Communications Sector Coordinating Council has been exploring best practices and running exercises on cyberthreats. He said the National Institute of Standards and Technology update of its Cybersecurity Framework released in January (see 1701100084) is a route for the satellite industry to integrate itself with other industries also considering ways of better managing cyber risk.
Methods of better safeguarding terrestrial IP networks are similar to what is done for satellite networks, but the key difference and challenge is that "we can't alter what's already up there," Toomer said. He said new satellites with reprogrammability features will allow controlling for cyberattacks more effectively.