PRIME: Cybersecurity Risk Management Strategies For SATCOM Networks
A Sweeping and Evolving Challenge That Highlights an Effective Program
In recent months SATCOM-related cybersecurity events have taken center stage. Most visible was the background provided by the government about the orchestrated disruptions of the Landsat 7 and Terra imaging satellites. More recent was the Pentagon and NASA breach by Romanian hacker TinKode who allegedly posted to the Internet an image of files related to confidential satellite data from Goddard Space Flight Center.
There have been numerous similar news reports from across government and industry.
Satellites, cybersecurity and related forms of service disruption are converging. A report from the conference on Securing Space Assets for Peace and Future Conflict at the National Defense University in November 2011 reported, There was a consensus among participants that an attack on space capabilities will almost certainly be preceded by a Cyber attack.
The Evolving SATCOM Cyber Threat Environment
Historically, satellite networks largely have been spared the brunt of the cybersecurity attacks that plague terrestrial networks, due in part to their use of non-IP communications technologies. It is no secret, however, that satellite missions are increasingly moving toward an end-to-end IP environment. In fact, the forward trend in SATCOM ground system architectures is to create multi-mission SATCOM systems that are interoperable.
As Stuart Daughtridge, Vice President of Advanced Technology at Kratos Integral Systems notes, Satellite ground networks are migrating away from stovepipe serial interconnections to lower cost, interoperable IP-based technologies. Though this migration satisfies cost, performance and interoperability requirements, the newer systems bring with them additional cybersecurity risks.
Cyber defense company FireEye has said that, based on its detection methods, more than 95 percent of all enterprises have had malicious infections somewhere in their networks each week80 percent averaged an infection rate of more than 75 per week. The numbers may be higher in organizations dealing with highly sensitive or highly competitive information, as evidenced by the recent wave of targeted attacks against U.S. defense contractors.
Net-centric SATCOM systems with their increased connectivity to commercial IT infrastructure create additional surface area for cybersecurity attacks on SATCOM networks. In fact, according to a 2008 NASA report, satellites from certain U.S. space programs use commercially operated satellite ground stations, some of which rely on the public Internet for data access and file transfers. Increasingly, cost-sensitive satellite operators are leasing commercial telecommunication lines for long-haul communications. The trend from dedicated to shared lines for communications also expands the surface area for cyber attack.
A new era of cyber threats is emerging for IP-based systems at the same time SATCOM dependence on IP networks is increasing. Complicating the challenge is that many SATCOM professionals are not well versed in IP technologies, let alone the additional issues involved in IP cybersecurity; understandable given their technological focus on RF. Luckily, it is changing, however, yet there is still a distance to go as mission needs lead to a merger of communities and SATCOM operations increasingly encounter the vulnerabilities in both IP and RF technologies.
A Risk Management Framework For SATCOM Cyber Defense
The National Institute of Standards & Technology (NIST), which is in the process of standing up a National Cybersecurity Center of Excellence with the goal of improving responsiveness, has recommended that: Implementation of a cyber-security strategy requires the development of an overall cybersecurity risk management framework.
By focusing on the management of risk, the security framework for a satellite ground network starts with implementation and verification of appropriate security controls based on industry best practices. NIST has published several Special Publications under the NIST SP 800-xx series of documents that provides a basis for documenting a security strategy that identifies, mitigates and monitors risks.
Today, many security practitioners are accepting the idea that boundary protection alone is no longer sufficient against high-end threats that are capable of launching sophisticated cyber-attacks. This is due to several factors, including the increasing complexity of the systems and undisciplined behavior by users, especially those with authorized access.
Even the best security policies can be rendered ineffective if they are not consistently followed. Continuous monitoring of the security controls is the first line of defense against attacks and ensures that operational risks are kept to an acceptable level in light of the inevitable changes in the environment. Strong situational awareness of the cybersecurity infrastructure can be a powerful tool for enabling that monitoring and responding quickly.
A Clear View OF Cyber Situational Awareness
When most people consider cybersecurity they think of firewalls, intrusion detection systems (IDS), virus scanners and similar devices and applications. Modern threats often present themselves across multiple devices, however, making them difficult to recognize while the attack is under way and even harder to respond to.
Cyber situational awareness is about being informed of events related to information assurance (IA) and security across operational networks in near real-time. The more timely the information, the more likely the threats are to be countered, or at least the impact minimized. As General William Shelton, commander of Air Force Space Command, recently noted in emphasizing the importance of cybersecurity situational awareness, we cant defend [against] what we cant see.
An important foundation for cybersecurity situational awareness is implementation of a Security Information Event Manager (SIEM) that monitors and consolidates data from the independent security devices such as firewalls and IDSs into a single dashboard. While relatively common in commercial enterprise networks, they are less so in the satellite industry.
While nearly all SIEMs provide compliance monitoring as part of their core functionality, some have features that are especially helpful for the satellite industry, such as compliance with specific NIST or DoD policies for SATCOM. With this capability, non-compliance is immediately flagged and made known to security personnel. This will become a broader need as even commercial vendors are increasingly being governed by these compliance regulations when doing business with U.S. defense or other federal agencies. The Future COMSATCOM Services Acquisition (FCSA) contract vehicle, for example, requires service providers to comply with NISTs Information Assurance 800-53 and DOD Instruction 8500.2 controls.
SIEM contenders for the satellite industry tailor themselves to unique SATCOM devices such as modems and TT&C servers and can also offer features such as file integrity monitoring, vulnerability assessment, endpoint control and IDS capabilities.
For broader situational awareness, the SIEM should be integrated into the larger management systems if possible to provide stronger continuous monitoring and show the relationship between network events. For example, performance degradation in network devices can often be an early indicator of certain types of cyber attacks.
Capturing Forensics
Whether or not they use SIEMs or other tools for real-time situational awareness, all network operators can mine log files after an incident has occurred to piece together what happened. While reactive rather than proactive, logs are nonetheless critical tools for preventing recurrences, discovering root causes and gathering evidence for prosecution.
Todays systems have built-in logging related to security events and diagnostics. Often the root-cause analysis of security incidents is masked by inadequate logging information or gaps in logging caused by systems going down or sophisticated malware that is designed to cover its tracks. Missing forensic data can make the difference between identifying the smoking gun and an unsolved mystery.
An additional tool that can be used to protect against the loss of critical forensic data due to log file gaps is one that is already well known in the satellite world for other uses, the IP recorder. Cyber-focused recorders can supplement system logging by independently capturing IP network traffic and other key data sources in the system and securely storing this information for forensic analysis.
System logs and recorders can also be part of a defensive plan against one of the more difficult cyber risks to managethe insider threat, whether intentional or accidental.
Defending Against Insider Threats
Although many SATCOM systems are physically isolated from the outside world and, therefore, may be relatively uncontested by external entities, the Achilles heel can be insider threats ranging from inadvertent errors to intentional malicious actions by trusted persons who have full access.
A recent Cybersecurity Watch Survey conducted by CSO magazine found that 21 percent of security breaches were caused by insiders. The study found that 33 percent of CSOs viewed the insider attacks to be more costly (up from 25 percent in 2010), and that insider attacks are becoming more sophisticated, with some 22 percent of insiders using rootkits or hacker tools (compared to 9 percent in 2010). Sometimes, the threat is as simple, and unintended, as picking up and using a stray memory stick that has been salted with malware, one of the reasons removable media is increasingly being banned in many organizations, both government and commercial.
According to a study by the CERT Insider Threat Center of the Carnegie Mellon Universitys Software Engineering Institute, the fundamentals of combating insider threats are real-time alerting, continuous logging and targeted monitoring. For example, in their analysis of intellectual property theft cases, CERT found that 54 percent of data exfiltration events they studied occurred over the network and could be observed through proper network instrumentation.
As part of a thorough IA process, periodic audits should include: Remote access accounts, login accounts, DBA accounts, customer and company accounts. Physical and logical access controls can aid with user accountability for actions and protects system logs from attempts to conceal activities or identities.
Here is another area where recording systems can provide a more thorough defensive position by capturing data about user behavior inside the network as well as outside. By recording operator actions on the console, they build a far stronger obstacle to system and data compromise. Whats more, making it known that such systems are in place can potentially deter bad behaviors.
To further strengthen defense, both against sophisticated insiders and determined outsiders, experts recommend hardening the network components themselves. Under normal circumstances certain operating systems become targets for malware, especially when left unpatched. Hardware-assisted system hardening and anti-tamper technology can help protect these systems by preventing unauthorized code from executing even if malware is installed by an authorized user.
Denial Of Service: From IP To RF
One of the most common forms of cyber attacks is Denial of Service (DoS) or Distributed Denial of Service (DDoS) which attempts to make a computer, network or service unavailable to legitimate users. Common techniques include flooding a website with traffic or disrupting connections between machines. While most satellite ground networks are secluded from this type of attack in IP form, they are subject to an RF version in the form of intentional jamming or accidental interference which can produce a similar result.
The RF link is just another connection between networked devices, much like an Ethernet cable. As systems become net-centric and more dependent on unimpeded RF signals, the rapidly emerging threat landscape extends traditional cybersecurity thinking to include protection of the radio signal links over which the network operates.
Radio signal interference can cause degraded SATCOM service quality, or a complete network outage, just as a traditional cyber threat can. Accidental interference or intentional jamming can be transmitted at the satellite or at the receiving site, and can be as simple as a disruptive signal that appears within the frequency range of the intended SATCOM signal.
RF sensors and automated RF signal monitoring, analysis and alerting tools are required for protecting SATCOM networks. Such tools allow SATCOM operators to detect and characterize interference and jamming, guiding them to efficiently resolving the resulting communications problems.
The Foundation For An Evolving Strategy
Cybersecurity is such a sweeping and evolving challenge that the techniques presented here represent only highlights of an effective program. According to NIST Special Publication 800-137, ... security is a dynamic process that must be effectively and proactively managed for an organization to identify and respond to new vulnerabilities, evolving threats, and an organizations constantly changing enterprise architecture and operational environment.
With cybersecurity threats continuing to morph, mutate and increase in stealth and sophistication, breaches will happen. The key is a framework that mitigates risk as much as possible and has the resiliency to adapt.
At the highest level, two tactics seem to be critical for a successful cybersecurity framework. One is formulating and implementing a continuous monitoring program that can be integrated with other technology management and situational awareness goals. The second is implementation of policies on the human side that train personnel in proper procedures.
As Lt. General William Lord, CIO of the U.S. Air Force told Federal News Radio in March, There are things we expect every airmanwhether thats an officer, whether thats a civilian, whether thats a contractor on our network or whether thats an airman basic whos getting ready to go to tech schoolon cyber hygiene, on how you behave when your fingers touch a government keyboard.
* * * * * * * * *
Phil Carrai, the President of the Technology & Training Solutions Division of Kratos Defense and Security Solutions, answered a few questions regarding the Kratos acquisition of Integral Systems. Phil has decades of experience in IT and telecom and has held executive management and board positions in public, private, and early-stage companies.
QThe Kratos acquisition of Integral Systems is about six months old now. How are things going?
Phil CarraiIt has been simply incredible for me as a technology industry person. I have been able to meet a great many people in the Integral Systems family of companies and each time I come away consistently more impressed. Companies such as RT Logic, SAT Corporation, CVG-Avtec, Lumistar and Newpoint, and of course the original Integral Systems team who run the Epoch product line, brought together some of the best engineering minds in their fields.
That brain trust is already paying off in numerous projects were cooking up to cross-fertilize our solution sets, including integrating our Compass and NeuralStar® products in the Situational Awareness and Network Monitoring domains, strong crossovers with our Herley microwave-based solutions, and some very exciting ideas in the cyber security space, such as the recent introduction of our CyberC4 products from RT Logic.
QWhat was the thinking behind the Integral Systems acquisition?
Phil CarraiWell, let me give you some background for that. Kratos is a specialized national security technology company working in a number of areas, particularly C5ISR applications. People may not realize, however, that we are very oriented toward products with approximately a 60-40 split between products and services today. That separates us from many defense contractorsin fact we view ourselves in large part as a supplier to the companies building the militarys critical platforms.
Another thing that distinguishes us is that our emphasis on products means that we are deeply immersed in commercial markets, not just defense. The NeuralStar product I mentioned earlier, for example, had its origins in managing telecom provider networks, and our Public Safety division is one of the nations leading suppliers of physical security solutions in cities around the country.
The Integral Systems companies fit right into that mix. They are a balanced products/services provider especially services that are highly attuned to the intellectual property in their products. They are equally well regarded in commercial circles as they are in the defense sector. And they are absolute leaders in one of the key C5ISR technology domainssatellites, especially SATCOM and satellite ground systems.
The fit couldnt be better, and it has direct synergies with some of our other recent acquisitions, including Herley, Gichner and SecureInfo.
QYes, we read about your acquisition of SecureInfo at the end of last year. How does that fit?
Phil CarraiEven if you havent followed it closely you cant miss the fact that cyber security is one of the most critical challenges facing defense, government, industry, even individuals. The more ubiquitous networks become and the more we rely upon them, the more the risk grows. Kratos provides specialized services and solutions in that area, and SecureInfo brings us greater depth, especially in the key areas of Cloud Security and Continuous Monitoring for situational awareness. The SecureInfo folks also have considerable expertise in satellite ground networks and Information Assurance as applied in satellite networks. That is going to be a huge opportunity for combined solutions with the Integral Systems folks.
QSo you see this as a combining principle?
Phil CarraiAbsolutely. Just look inside the Integral Systems family at SAT Corporation for example. They specialize in RF Interference monitoring, identification and geolocation. Historically most interference issues have been inadvertent, but the opportunities for intentional and criminal events are growing. This is a growing problem for everyone in the SATCOM arena, including the smaller players who may not be able to affordor may not have the desireto operate, complete NOCs with those capabilities. So SAT is expanding its solution portfolio to offer their industry-leading Monics, satID® and SigMon products as managed services.
Additionally, we are integrating these products with NeuralStar, just as we are with Compass, to give the broadest possible situational awareness for satellite operators, broadcasters and others who need the complete picture across RF and IP, such as the work we are doing with DISA, the Air Force and Army PM DCATS.
QInterest in service assurance ties into the recent announcement out of RT Logic about a new line of cybersecurity products as well?
Phil CarraiWe are very excited about the new CyberC4 product family which we see as a practical, economical and fundamental first line of cybersecurity defense for the satellite industry. Satellite networks are not radically different from other networks, but there are important differences, such as the unique devices, protocols and special DIACAP regulations. The RT Logic team has been immersed in traditional and IP-based ground stations for many yearsover 80 percent of missions around the globe use RT Logic productsso they know those differences and have engineered solutions to address them.
RT Logic also recently announced an ongoing program to offer Armored versions of many of its core ground system products that will harden them for increased resistance to cyber attack. I think thats a great move. Look, cybersecurity may not have been a big problem in the past for satellite providers, but there seems to be little doubt that over time that fact is likely to change. When that occurs, companies and government agencies will need to be prepared.
* * * * * * * * *
End-to-End Situational Awareness Across Satellite + Terrestrial Networks
With their networks growing in complexity and frequently under attack, industry and government agencies are seeking every way possible to bolster their ability to monitor, protect and respond to challenges in real-time.
The military in particular has declared its need for increased network situational awareness in the form of a sharable Common Operating Picture (COP) across its environment to help overcome management stovepipes.
Historically, different tools have been used to manage IT, satellite and hybrid networks; and within those lanes multiple tools manage servers, network, cybersecurity and other specialized systems.
This patchwork is a constant challenge to any real-time picture of infrastructure availability and security. Kratos Defense & Security Solutions is working to deliver true end-to-end situational awareness for satellite ground networks and others by integrating its NeuralStar® manager of managers with Newpoint COMPASS, and SAT Monics as well as other satellite-oriented management products acquired through Integral Systems.
COMPASS specializes in monitoring and controlling RF equipment and operational technology for satellite Earth stations, microwave towers, remote sites, and a range of other hybrid networks. SAT Corporations Monics provides satellite carrier monitoring and interference detection.
In addition, SATs satID product geolocates the source of that interference. Kratos has integrated the three products to provide a unified management dashboard able to collect data from the NOC to the networks edge and across the integrated terrestrial and satellite ground networks.
In the combined solution, NeuralStar seamlessly aggregates data from COMPASS-managed sites as well as Monics-monitored interference data from the carriers based upon the spectrum plan; integrating it all with management data from other systems, including network devices, servers, applications, cybersecurity and IA, ancillary systems (such as UPS and generators), and even physical security equipment. Event sources can include anything from cryptographic devices and video surveillance feeds to virtually any device that can be connected to the network.
Tailored applications such as SATs One Touch Recovery sit alongside using correlation techniques to mitigate against RF interference with the touch of a button and further enhance mission assurance.
Deployed in some of the worlds most rigorous and security-conscious enterprises, including DISA where it is used as the core network management solution inside the Integrated Network Management System (INMS) to oversee the DoDs Global Information Grid (GIG), NeuralStar provides a platform for collecting and fusing specialized data into a common end-to-end operational picture that can be customized for each command level.
The combination of the three products provides situational awareness for the complex terrestrial/SATCOM/microwave environment.