CyberWire Daily - T-Minus Overview- Space Cybersecurity. [t-minus]
Episode Date: December 29, 2023Welcome to the T-Minus Overview Radio Show. In this program we’ll feature some of the conversations from our daily podcast with the people who are forging the path in the new space era, from industr...y leaders, technology experts and pioneers, to educators, policy makers, research organizations, and more. In this episode we’re covering cybersecurity for space. What is it? What are the threats to space systems, why is there such an emphasis on it right now, and what are people doing about it? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our weekly intelligence roundup, Signals and Space, and you’ll never miss a beat. And be sure to follow T-Minus on LinkedIn and Instagram. T-Minus Guest Our first guest is Renee Wynn, former CIO of NASA. Our second guest is Matthieu Bailly, Vice President of Space at CYSEC, a cybersecurity company based in Lausanne, Switzerland. Our third guest speaking to T-Minus Producer Alice Carruth, is Steve Luczynski, Board Chairman of the Aerospace Village. T-Minus Crew Survey We want to hear from you! Please complete our 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at space@n2k.com to request more info. Want to join us for an interview? Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the N2K Space Network. In this program, we'll feature some of the conversations from our daily podcast with the people who are forging the path in the new space era.
From industry leaders, technology experts, and pioneers to educators, policymakers, research organizations, and more. And I'm going to start our show with a phrase that might sound a bit odd.
Space cybersecurity.
And if that made you go,
huh? You're not alone. I can assure you, however abstract it might sound, space cybersecurity is a very real concern. So, cybersecurity for space. What is it? What are the threats to space systems?
What is it?
What are the threats to space systems?
And why is there such an emphasis on it right now?
And what are people doing about it?
Well, let's start off with the basics here.
What are the threats facing space systems?
Well, when you're working with cutting-edge, hard-to-replace, and dare I mention it, expensive systems,
a lot of people need those systems to stay working.
And there are also people with less than great intentions who may want to shut them down
or steal the information on how they work
or what they're looking at.
And I'm going to bring in a chat I had with Renee Nguyen,
the former CIO of NASA,
and she'll set the stage for us.
As the CIO of NASA,
cybersecurity is a serious threat
to national security
and to personal security.
So yeah, satellites can be hacked.
So if you're a scientist and you're depending upon satellite data coming down
to write your papers or make discoveries or inform your models about space and that,
then you need the highest integrity of data and you need that assurance.
So you need to assure that.
And how do you assure that?
And that is you put mitigations in place to protect from a denial of service,
a change of data, or other events that can happen in the cybersecurity world.
There's spoofing in that and we've seen some stories on it. But that can happen in the cybersecurity world. They're spoofing in that, and we've seen some stories on it.
But that can happen at the satellite.
Now, some of the satellite stuff to do
is on the higher end of cost.
But since nation states invest in cybersecurity
on the offensive side,
let's just assume they've invested properly
and they can make a difference in those satellites.
There's another, this is a cool thing,
but to me it's a very scary thing.
We can catch satellites now.
Yeah, it's so wild.
Yeah, yeah, yeah.
Yeah, so if I can catch it to like fix it,
that means I could probably catch it to do something nefarious.
Or just deorbit it, right?
Just completely just go, yeah.
Yeah, just it, right? Just completely just go, yeah. Yeah, just whatever, right?
You know, just make your next sci-fi movie
about space and cybersecurity.
Oh, that's already been done.
So you have the cybersecurity threats
and those threats are in the uplinks and downlinks,
the satellite themselves,
as well as your ground systems as well.
And frankly, you have insider threat as well,
which people always forget to talk about.
But we have a recent leak, right,
from an insider threat and the signs,
they're harder to detect than outsiders.
Yeah.
So when we're talking about the cybersecurity of space, we're talking about the safety and integrity of systems both on the ground and in space.
And there are risks to all those things by what are called outsider threats,
like targeted attacks from hackers who want to steal specific intellectual property.
like targeted attacks from hackers who want to steal specific intellectual property.
And then there are insider threats, meaning someone like a disgruntled former employee
who might still have access to sensitive systems that they shouldn't.
And it's not just civil organizations like NASA and the military
that are concerned about the security of space systems.
As space becomes increasingly the realm of commercial enterprise,
and as corporations become increasingly dependent on space assets and their data to operate,
businesses need to think about securing their space systems too.
For more on that, let's talk with Matthew Bailey,
Vice President of Space at SISEC,
a cybersecurity company based in Lausanne, Switzerland.
Cybersecurity for space is a little bit of an unknown topic.
It's a very recent topic for civil space missions.
It's a very recent topic for civil space missions.
And it is absolutely permanent that now we all realize how much we depend on satellites and space assets in general.
And as a result, these are very valuable in terms of physical assets like satellites, but also digital assets like data.
And they need to be better protected.
And to do that, we need to create an ecosystem of companies, agencies, startups, researchers,
students, everybody needs to be involved to really be able to respond to the challenges of operating satellites in the near future.
Since the very beginning of space,
defense and military missions have always been secured.
This has always been a topic for military agencies,
but not so much for commercial and civil missions.
And this is really the big change that we have seen
in the space market in the last couple of years.
And these commercial civil missions
are taking more and more importance.
So you see the number of satellites
that are being launched.
SpaceX, Starlink is a big example,
obviously with hundreds, thousands of satellites
that are put into orbit.
But there are lots of other companies
going into the space market
for really business purposes.
And again, this is linked to the data
and the value that these data are bringing
to society and companies.
And value attracts criminals.
So we see more and more interest from criminals
to target space assets,
especially since space engineers
have not been educated with security.
This is a new topic for the industry.
So we're not at the level of maturity
that finance or medical or other sectors are currently
because they have been targeted for years and decades.
Space is a new thing for hackers, for attackers,
as well for engineers.
So we need to do a better job to defend ourselves
and to defend these satellites that, again,
provide services that are absolutely critical
to our modern digital life.
Yeah, that's so many great points in that.
And it still feels like awareness of aerospace security
in general in the security world is sort of nascent,
but it's there.
And then the same thing with the space economy,
where awareness of security as an issue that needs to be addressed is somewhat there,
but not where it should ideally be.
And it does it feel a little bit, at least to me, that people are trying to meet in the middle.
So we need to bring space engineers, ground segment mission control,
flight software engineers, you name it,
Space engineers, ground segment, mission control, flight software engineers, you name it.
But also project managers of space missions, executives, quality assurance, and so on.
All the space professionals, we need them to meet the security professionals.
We have lots of people knowledgeable about security. Operating a satellite is not so different from operating another critical piece of infrastructure.
You have lots of cloud services, you have traditional IT servers,
equipment, operating systems, lots of traditional stuff,
including onboard the satellite.
So it's not that much different.
We just need them to talk together to stop these silos
and really build the bridge where we have a place
where we combine these two levels of
expertise. And that's exactly the goal of the conference, is to bring these two worlds together.
Excellent. And yeah, especially as the space industry starts to rely more on commercialized
services, off-the-shelf services, I imagine these challenges are just going to continue to scale
instead of everyone trying to do something sort of homebrew and figure it out
on their own. Yeah. The space industry has been very much
a security by obscurity type of mindset.
And this is changing because we see commercial missions relying more and more
on COTS components off the shelf, as you just mentioned.
And these are related to open source material,
lots of public information that you can find on the internet,
which provides both advantages and inconvenience.
But it's still trying to advocate for better security practices
in the space industry, including security by transparency.
So, and again, I really feel that this is related
to bringing all the lessons learned from other markets,
financial services, all these guys that have been learning
the hard way that they've been attacked and breached.
And we have all these lessons learned
that we can leverage to the space market
to be a bit more faster at building the defense mechanisms that
are badly needed today as we see it with the geopolitical context getting more and more tense.
So how do you make space systems more resilient to cyber attacks?
And what's being done to tackle this challenge?
resilient to cyber attacks, and what's being done to tackle this challenge.
Thankfully, there is a fantastic roster of cybersecurity professionals already hard at work in the aerospace industry, and their ranks are growing.
At a recent conference, my colleague, T-minus producer Alice Carus, caught up with Steve
Luzensky, who is the board chairman of the Aerospace Village,
which is an international peer group focused on improving aerospace cybersecurity and growing
space cybersecurity expertise and leadership.
Now, Steve's a leading voice in bringing more cybersecurity knowledge to the world of aerospace.
And Alice asked Steve for some of his thoughts on how that's
going. It's a matter of trying to get engineers and practitioners who don't have that deep
cybersecurity background to understand what it is. And I think appreciate it in the sense that
most people are like, oh, great, here comes the cyber guy, making it no fun for me and difficult to do my mission.
But being able to appreciate, no, this is why it's important.
This is why it's a growing concern.
And here's how you do it in a way that doesn't hurt your mission.
It only supports it further and helps you be successful.
I think you've absolutely nailed it on the head
what the industry is like when it comes to cybersecurity.
We all know it's very important,
but we tend to stick our heads in the sand a little bit.
How are you trying to help nurture them
to come towards the idea
that they need to think about this from the offset
and really start implementing it early on in their mission?
So that notion's out there,
but I think showing examples, having discussions,
it's a matter here of where with the village,
we are bringing government industry and hackers together. In this sense, put academia in there.
It's bringing that cybersecurity knowledge, that government knowledge, the other parts of industry
that do cybersecurity into their world. One example, what brought me here primarily was being part of a panel
where you have folks who have government background,
industry background,
and they're talking about the collaboration,
that's the theme of the conference,
the collaboration that they did
that's going to be in a report
that's soon going to be published
by the Cybersecurity and Infrastructure Security Agency.
It's not out yet,
but some of the thoughts and ideas
that they have formed from the research they did with that report and sharing that with an audience
and one of the panelists asked a great question about who knew about this kind of activity and
they were like three hands. No surprise, this is not a cybersecurity crowd. And so hopefully by
having these kind of talks, having these kind of engagements,
being able to just talk about it and getting people to think about it, next year we'll come back, we'll do something similar with another project and more hands will be raised and more
people will be understanding and appreciating what's going on in that space. There's so many
things that have to be talked about. And I think that's the nature of cybersecurity. Everybody's trying to figure out,
well, where do I add one more thing in a student syllabus?
Where do I add one more thing in my company
for an employee to deal with?
So trying to get it where I call it second nature,
it's just something you do.
And the cyber people have to understand it
in the mission context.
The mission people have to understand it
and why it's important, safety and security.
That's a great thing that I think
the operational engineers here are learning
and can understand that it's not just
securities over there to the side.
By making your mission secure,
it's also making it safe.
And the safety word,
that's something they deal with all the time with operational risk.
Part of our mission in the village is to promote what's going on out there with security in the aviation and space sectors.
So I think part of that is just these things are happening.
The common person doesn't know it.
That's okay.
They don't need to know it.
They need to know it's being handled by smart people. And they need to know there's a security layer to all of that. So the systems
that make the satellites operate, the systems that do the monitoring that can detect those
close passes, all of that coming together, it's just constant work to continue building on that
throughout. Do you think the US.S. government could do more
when it comes to cybersecurity regulation,
or do you think it shouldn't fall on the government side?
Yeah, that's a tough one,
because I see it both on the aviation side
where there is lots of regulation,
and there's goods and bads that come with that.
And my experience from working in government
and dealing with the government
regulations is, again, there are goods and bads. Careful what you wish for, because you're going
to get it. And if nothing else, what's really interesting to me here is, yeah, that's cool for
you, but space is not U.S. It is absolutely international. So there's so many more issues.
And again, conferences like this, being able to
understand the full extent of those issues, the fact that it is well beyond just a U.S. problem.
Cybersecurity similarly, yeah, there may be a niche that's specific to the U.S., but then after that,
there's so many other considerations that it's very easy to see those cyber problems and then apply it in the
context of what's being talked about here. I know we've mentioned it before on the show,
but if it's somebody who's new as a listener who haven't heard you speak before, how do companies
when they're starting up think about cybersecurity? At what point should they start thinking about it?
So I will answer from a more of a personal background and what I do with the Aerospace Village.
I was a chief information security officer.
The fact that some companies do not have those, the fact that some companies have that very adversarial type of cybersecurity for the employees, they're going to punish them, things like that.
Just having the conversation and thinking about it, that's a good step. And then being able to find the expertise,
to incorporate it in a way that employees at a basic, I'm just talking about a basic,
call it a typical company, that they understand the security. I'm going to teach you what to do
at home so you can benefit it in your personal life. And if you can carry
that habit to work and protect that work stuff also, even better because they're going to respond
to that. Now, if I take that then in an operational context, which is not most companies, but from a
flying background or here in a space background, understanding the operational implications,
the value of security or the safety of the mission,
the success of the mission, those concepts. And again, just having those conversations and
recognizing the value early on is the key step.
And we'll keep an ear out as these conversations continue and evolve.
And we'd like to thank our guests, Renee Nguyen, Matthew Bailey, and Steve Luzenski, for shedding light on this admittedly complex topic and helping make space systems more secure for everyone.
flex topic, and helping make space systems more secure for everyone.
If you're interested in hearing more about the space industry,
join me every day for T-Minus Space Daily,
available on all major podcast platforms.
Find out more at space.ntuk.com.
We'd love to know what you think of this show. You can email us at space at n2k.com.
Your feedback ensures that we deliver the information
that keeps you a step ahead
in the rapidly changing space industry.
This episode was produced by Ellis Carruth,
mixing by Elliot Peltzman and Trey Hester,
with original music and sound design by Elliot Peltzman.
Our executive producer is Jen Iben. and Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jen Iben.
Our VP is Brandon Karp.
And I'm Maria Varmasis.
Thanks for listening.
We'll see you next time.
T-Minus.