Satellite Vulnerabilities Must Be Addressed Transparently, Experts Say

The satellite industry is starting to have the cybersecurity talk, which is crucial for the industry and consumers, said experts Monday at a panel at the satellite week conference in Washington. The industry will see more cyberattacks in the next few years, said SRT Group Chief Technology Officer Conrad Smith.

Very small aperture terminal (VSAT) vulnerabilities were disclosed in the IOActive report and at security conference Black Hat 2014, said Rakesh Bharania, chairman of the Global VSAT Forum Cyber-Security Task Force and Cisco tactical operations support engineer. “We don’t have to reinvent the wheel for the industry, we just have to adapt to more security. It’s one thing to create products that are hardened from the get-go, but the reality is there’s thousands of systems out there today that have problems.” There are issues with hard-coded passwords, vendor backdoors and insecure management protocols, he said. “It’s become very effective to engineer an [cybersecurity] attack,” said Phil Mar, ViaSat Network System Group CTO. Botnets can falsely generate high volume traffic and affect the performance of a network, he said. Network degradations are caused for cybersecurity reasons, he said.

“There’s a culture of not wanting to share vulnerabilities,” said Vinit Duggal, Intelsat chief information security officer. “That has to change. It’s the responsibility of everyone to address security in your products or services. That communication has to be open and honest.” He urged transparency among vendors, customers and operators. Some companies are more open about disclosing their security vulnerabilities, he said. Customers should demand a certain level of security, he said. Smith said companies don’t want to tell someone how to hack their system, so releasing vulnerability information isn’t always a good idea. “The right response to a vulnerability report is 'thank you very much, we’ll fix it,'” he said. “At least give us time to fix it.” Companies also can inform customers about security patches and offer the option to update, he said.

Government customers and consumers need to evaluate risks, Mar said. Customers won’t always know what they want “until you put it in front of them,” Smith said. When customers stop paying for something unless it has security features, that shows the market what they want, he said. “Designing a satellite system is all science and physics,” Mar said. “When you’re talking about cybersecurity, on the other side is another human. You never know what a human can do to you.” If "you really want to protect a terminal, you’ve got to spend $1 million,” Smith said. “You won’t see the good cyberattacks.” Technology to prevent attacks is available, including Microsoft's Secure Boot and digital signatures, he said. Codes need to be authenticated and firmware should be updated, he said. “Security is an ongoing process,” said Bharania. “It’s not a one-time activity.”

For VSAT modems and satellite terminals to be truly secure, some infrastructure likely needs to be rebuilt, said Michael Weixler, ND SatCom director-research and development. “We’re not strong enough to push that. We have to look into how can we move the industry to change their infrastructure.” Legacy infrastructure can be difficult to make secure because it remains in place for a longer time, Weixler said. Upgrading isn’t a quick and easy process -- it can take a year or two, he said. The SkyWAN modem his company uses has mechanisms to protect the management plane, including secure protocols, firmware that must contain a valid signature to boot and a Ka2Go antenna subsystem, he said. Even if a system isn’t encrypted, it needs to be authenticated, Mar said. “It’s much more secure and makes sure people can’t spoof the network.” Intelsat is assessing the VSAT infrastructure it carries, Intelsat's Duggal said. “We’re demanding that our vendors address security issues from the very beginning,” he said. “We’re addressing it in contracts.”

Improvements in technology are happening in geostationary (GEO) satellite systems, said satellite industry CTOs on another panel Monday. Low-earth-orbit (LEO) satellite constellations are complicated to operate and require continual refurbishment, some said. Satellites aren't very different from 30 years ago, said Yahsat CTO Marcus Vilaca. “There have been gradual improvements in certain areas. Solar arrays and batteries are better, payloads are more efficient.” The industry is “very conservative” before buying and launching something new, he said. “There’s still a lot of room for improvement” and reducing costs per bit, he said. Optimizing payloads is one way to offer more flexibility, said SES CTO Martin Halliwell. “Is a highly complicated payload the best solution for a DTH [direct-to-home] type of solution? That’s not obvious today.”

LEO systems “will remain complicated on the ground, on the satellite control part,” said Inmarsat Global CTO Michele Franci. “The important thing is what market are these constellations going to address,” said Intelsat CTO Thierry Guillemin. “They’re talking about serving billions of people who aren’t served today, so there’s room for that.” GEO and LEO could work together to provide better systems, Guillemin said. “GEO has a critical advantage of being very adaptable. LEO takes years to set up. Maybe combining them gives you the advantage of latency but also adaptability that GEO has?” Halliwell said there are still regulations that have to be addressed for LEO systems. “Can they negotiate rights over China, Russia or Cuba?” he said. “There are significant challenges out there. But never say 'never.'”