October 2017 Edition
The Coming Satellite Cyber Crisis
by Ryan Johnson, Global Cybersecurity Analyst, Access Partnership


A revolution is occurring in the satellite industry that will make 5G connections more robust, power the global Internet of Things (IoT) and bring broadband internet to the world’s most remote places.

These diverse new applications are powered by lower launch costs, innovative designs like smallsats, global mesh networks, and terabit speeds. However, as these new applications make satellite connectivity more mainstream, the industry may struggle to adapt to the new cybersecurity issues that come with them, triggering increased regulatory scrutiny.

One key challenge for the satellite industry is a shift in its user base. Traditionally, satellite links carried highly controlled communications, for example from an embassy abroad back to the capital, or from a television content distributor to viewers. The users knew their communications were sensitive or proprietary and sought to protect them through a variety of means, chiefly encryption. Services such as Direct to Home (DTH) broadband and connected cars will bring satellite connectivity into the lives of many users who aren’t prepared to manage their own cybersecurity.

At the same time, satellites are at the forefront of broadband access for developing countries. This is something the industry is rightly proud of. However, new users in these regions carry additional risks but provide lower revenue per user. More widespread use of off-license software in many developing countries reduces access to basic upgrades and patches that would otherwise reduce the impact of attacks, while growing use of mobile finance and other applications increases the attractiveness of these new users to cybercriminals.

Finally, satellite network operators are in business with the exploding IoT industry, which brings another set of attack vectors onto their networks. In dispersed IoT devices, data is sent via satellite from sensors to data collection centers and vice versa.

Some of this data will inevitably contain sensitive customer information or authentication data to enable software updates (for internet-connected cars, for example).

When IoT device manufacturers don’t provide adequate security, this data can be intercepted, leading to data breaches that leave no fingerprints on the network.

Alternatively, people may use the satellite system to hide their malicious traffic and elude authorities. Research published by Kaspersky Lab suggests that hackers have been doing just that: using tools that can be easily acquired for a few hundred dollars, they can co-opt satellites as unwitting links in a global malware network called Turla.

In this way, criminal organizations can use satellite links to bypass a major obstacle in the command and control of their malware networks, evading law enforcement activities as well.

It’s entirely reasonable to think that in the next few years as billions of IoT devices proliferate, many with questionable security designs, some cunning hacker will find a way to launch a Distributed Denial of Service (DDoS) attack using something as simple, yet ubiquitous, as oil well pressure monitors or weather sensors.

If the Mirai botnet wreaked havoc on global data flows with only around 100,000 devices, an IoT botnet of 1 or 2 million devices could bring the global digital economy to a standstill, affecting satellite and terrestrial networks alike. Such bad actors may very well be even more motivated to target the satellite networks that handle sensitive military and government communications.

The increased amounts of sensitive data — say financial data from satellite-connected banking platforms like ATMs or personal health information from telehealth apps — will serve to increase the attractiveness of satellite data streams to criminal hackers. Breaches of this kind of data increase the likelihood that governments will favor stringent data localization laws, shutting off the benefits of cross-border data flows that satellites are well-suited to provide.

State sponsored cyber actors will also use these vectors to collect data on targets, infiltrate hardened networks, and disrupt or distort data flows to manipulate their adversaries. The geopolitical “wilderness of mirrors” extends out into space with just as much acrimony as it does on land.

As governments continue to research vulnerabilities in satellite networks, it is possible for their discoveries to get out of their hands and into those of criminals, as happened with the WannaCry attacks, where (likely) U.S. Government cyber tools were harnessed for a disruptive global criminal attack.

Of course, it’s entirely possible that some of the satellite terminals themselves face security issues which could endanger the increasing numbers of planes, trains, ships, and automobiles relying on them. IOActive alleged this in 2014, and the industry responded by further hardening its products and ensuring secure design practices.

In short, the satellite industry is headed towards its ILOVEYOU or Mirai moment. Security questions that have been ignored for too long will suddenly come to the fore, and the outcome will be a loss of trust in the product. When consumers lose trust in a product, regulators tend to come running. As satellites operate on a global scale, the threat from adversarial regulators comes from many different countries.

Satellite operators, for their part, are taking some meaningful actions. For example, the Global VSAT Forum (GVF) and Satellite Industry Association (SIA) jointly released a policy statement articulating the industry’s commitment to common-sense cybersecurity. Some operators have added cybersecurity officials at a high level, ensuring the whole organization is participating in its cybersecurity efforts.

However, as operators increasingly deal with industry sectors that are much less cyber-secure, they remain an easy target for regulators seeking to control the security and privacy of their citizens’ data. The regulatory position the United States has staked out — voluntary, risk-based mechanisms that allow for tailored solutions — works well when industry meets the sometimes-unwritten standards of regulators. However, there are more than enough examples of reactionary regulation that comes in the wake of a major breach or failure in the market.

The GVF/SIA joint policy statement is a good start. It embraces the elements that have put the United States among the world’s most cyber-secure countries, according to the International Telecommunication Union (ITU)’s Global Cyber Index. Beyond this forward-looking policy stance, operators need to work with their customers to secure data, facilitate encryption of traffic across the entire network, and engage with regulators around the world to promote understanding of their role in the security of networks.

Each company in the satellite space should understand the risks their customers bring to their network, and take appropriate steps to respond. Operators should be prepared to cooperate with governments, industry, and consumers to reduce risks and respond to threats and attacks.

In addition to intra-industry work, they should participate in the global discussions on cybersecurity in the variety of venues that matter: the Global Conference on Cyber Space (GCCS), the ITU’s study groups on technical and development issues related to cybersecurity, and the capacity building work being done by organizations like the Global Cyber Security Capacity Centre at Oxford University.

The industry should also work to build links with government cyber regulators and responders to have contacts and procedures in place before an incident occurs. Mitigating risk and minimizing impact before an incident compels regulators to enact stringent rules is the best way to ensure that the satellite industry can keep driving global connectivity solutions.

Ryan Johnson leads Access Partnership’s global cybersecurity public policy practice. He advises clients in industry, government, and international organizations on policy developments in the fields of cybersecurity and internet governance.