RESTON, Va. — Anyone who has dealt with pests knows there’s no such thing as one mouse or one insect. The same might be said of the cybersecurity threat environment for space and aerospace.
The cyberthreat intelligence group Mandiant recently reported that it found multiple threat actors operating within a single victim environment in approximately 27% of compromise cases.
“When you start to think about, gee, maybe you detected one compromise, one threat actor, keep looking. That’s what the data is telling us,” Erin Joe, Senior Vice President of Strategy and Alliances at Mandiant, said at CyberSatGov last week.
Additionally, Mandiant has collected data indicating at least 1 in 10 companies will experience a cyber “reinfection,” underscoring the importance of persistent threat monitoring.
Joe noted that threat actors will sometimes break into a network and take information that they work on for years “to effectuate a worse compromise next time.” She continued, “This is already happening.”
The threat of an attack by multiple actors was reiterated by Tim Schaad, Vice President of Innovative Engineering at ManTech, who also spoke on a panel about proactively seeking out network vulnerabilities. “We’ve seen certain environments…where there were so many threat actors running around that they were stepping on each other. They were actually interfering with each other’s operations because they were all using the same resources.”
Overturning Assumptions About Adversary Capabilities
Since the attack on Viasat’s KA-SAT network in 2022, space and aerospace leaders have become more willing to publicly question assumptions about the security of space systems and the capabilities of sophisticated threat actors. There is also a growing appreciation of the size of the attack surface, from legacy ground systems to satellite payloads, and from cloud-based applications to hardware, software and firmware.
Potential on-orbit vulnerabilities were highlighted in the past year, with researchers demonstrating the ability to take control of an ESA nanosatellite. Similarly, DEF CON hosted Hack-A-Sat 4, where more than 6,000 white hat hackers attacked and attempted to operate a 3U CubeSat.
According to security experts at CyberSatGov, threat actors are demonstrating increased capabilities. Techniques considered unthinkable several years ago are now being seen inside satellite operating environments, including breaches of firewalls and compromises of edge devices, VPNs and hypervisors. Ethical hackers have demonstrated the ability to gain complete control of a satellite from a location on the ground by chaining nothing more severe than Category 3 (CAT 3) vulnerabilities, the lowest severity tier in the DoD STIG scheme and the kind typically considered minor enough to be overlooked.
Dr. Ang Cui, Founder and Chief Scientist at Red Balloon, which specializes in firmware security solutions, described a satellite system breach that involved moving from machine to machine. “We were able to pivot from outside to the satellite in a typical ground control system setup without touching a single general purpose computer.”
Given the security conditions, it won’t take long for a company engaged in a threat hunting exercise to find vulnerabilities, Cui said. “The interesting question is, OK, now that you have this big old bucket of problems you found, what do you do? Which threat do you take care of first?”
Death by a Thousand Patches
Experts agreed there has been an almost overwhelming number of vulnerability reports concerning space networks, devices and supply chains. Ignoring them will not make them go away, but trying to address every vulnerability is also a losing battle. That is why experts recommend “risk-based management”: prioritizing mitigation on parameters such as which risks are most severe or most likely to be exploited, rather than on the raw volume of reports.
“Right now, [we] are seeing a lot of customers who are trying to keep up with every vulnerability that comes out and trying to patch it. And they’re wearing out their people and they’re using resources that might not be most effective,” said Joe.
New threat alerts are released almost daily by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), with recommended mitigation measures. Additionally, the number of zero-day exploits reported this year is on track to exceed the counts reported in 2021 and 2022. “That is a tremendous amount of work,” Joe continued. “So, making sure that you’re able to do that risk-based management will be more important than ever, given the volume.”
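One way to turn the “risk-based management” the panel describes into something a team can actually run is to score each finding on likelihood and impact, not severity alone. The example below is added here and is not from the article, Mandiant or any vendor; the scoring weights, the threshold and the findings (local identifiers, not real CVEs) are assumptions. In practice the severity would come from NVD/CVSS, known exploitation from a catalog such as CISA’s KEV list, and asset criticality from the operator’s own inventory.

```python
"""Risk-based patch prioritization over a constructed list of findings.

Added example, not the article's or any vendor's code. Weights, threshold
and the findings themselves are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str         # hypothetical local identifier, not a real CVE
    cvss: float             # base severity, 0.0-10.0
    known_exploited: bool   # listed in a known-exploited catalog (e.g. CISA KEV)
    internet_facing: bool   # reachable from outside the perimeter
    asset_criticality: int  # 1 (lab box) .. 5 (satellite command uplink)


def risk_score(f: Finding) -> float:
    """Severity x likelihood x impact.

    CVSS alone is the 'patch everything' trap the panel warns about; known
    exploitation and exposure approximate likelihood, asset criticality
    approximates impact. The multipliers are assumed, not standard.
    """
    likelihood = 1.0
    if f.known_exploited:
        likelihood += 1.5
    if f.internet_facing:
        likelihood += 1.0
    impact = f.asset_criticality / 5.0
    return round(f.cvss * likelihood * impact, 2)


def prioritize(findings, patch_now_threshold=10.0):
    """Return (id, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    out = []
    for f in ranked:
        score = risk_score(f)
        action = "patch now" if score >= patch_now_threshold else "schedule"
        out.append((f.finding_id, score, action))
    return out


# Constructed sample: note the critical-CVSS lab finding ends up last.
SAMPLE_FINDINGS = [
    Finding("F-001", 9.8, False, False, 1),  # dev lab, no exposure
    Finding("F-002", 7.2, True, True, 5),    # TT&C gateway, actively exploited
    Finding("F-003", 4.3, True, True, 5),    # 'low' severity on the uplink path
    Finding("F-004", 9.1, False, True, 3),   # exposed, not yet seen exploited
    Finding("F-005", 5.5, False, False, 4),  # internal telemetry server
]

if __name__ == "__main__":
    for finding_id, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{finding_id}  {score:6.2f}  {action}")
```

The point of the ordering is the one Cui and Joe make: F-003, a CAT 3-style low-severity bug, outranks a 9.8 in a lab because it sits on an exposed, critical path and is known to be exploited.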
Experts also recommend implementing automation and AI within security environments. Automation can help a security officer detect more easily when something is off, for example if a credential is being used inappropriately or data is being accessed in an unusual way.
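As an added example of the kind of automated check the paragraph above describes (not from the article or any product), the script below runs two simple rules over constructed authentication log lines: a successful login outside an account’s expected hours, and one credential used from two different source addresses within a short window. The log format, the per-account baselines, the window and the addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Flag anomalous credential use in constructed authentication logs.

Added example; the log format, baselines and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2023-11-14T09:02:11Z user=ops_engineer src=198.51.100.20 result=success
2023-11-14T09:05:40Z user=ops_engineer src=198.51.100.20 result=success
2023-11-14T09:07:02Z user=ops_engineer src=203.0.113.77 result=success
2023-11-14T02:41:55Z user=svc_telemetry src=192.0.2.10 result=success
2023-11-14T10:15:00Z user=analyst src=198.51.100.31 result=failure
2023-11-14T10:15:04Z user=analyst src=198.51.100.31 result=success
"""

# Assumed baseline: UTC hours in which each account is expected to log in.
BASELINE_HOURS = {
    "ops_engineer": range(7, 19),
    "svc_telemetry": range(7, 19),  # service account; 02:41 is out of pattern
    "analyst": range(7, 19),
}

# Assumed window in which one credential from two sources is suspicious.
SHARED_USE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def first_shared_use(events, window):
    """First pair of successful logins for one account from different
    sources within `window`, or None."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break
            if b["src"] != a["src"]:
                return a, b
    return None


def detect(log_text):
    """Return (rule, user, detail) tuples for each anomaly found."""
    alerts = []
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["result"] != "success":
            continue  # failures belong to brute-force rules, not these two
        by_user[e["user"]].append(e)
        hours = BASELINE_HOURS.get(e["user"])
        if hours is not None and e["ts"].hour not in hours:
            alerts.append(("off_hours", e["user"],
                           f"{e['ts'].isoformat()} from {e['src']}"))
    for user, events in by_user.items():
        pair = first_shared_use(events, SHARED_USE_WINDOW)
        if pair is not None:
            a, b = pair
            alerts.append(("multi_source", user,
                           f"{a['src']} then {b['src']} within "
                           f"{(b['ts'] - a['ts']).seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:13} {user:14} {detail}")
```

On the sample data this raises one off-hours alert for the service account and one multi-source alert for the engineer whose credential appeared from a second address within five minutes; neither line would stand out to someone reading the raw log.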
Combatting the Stigma
While no industry is immune from cyberattacks, reporting on compromises or data breaches is touchy, especially for companies working in space.
“Last year … the community [had] not had a single public vulnerability disclosed,” Cui said, referring to the aerospace sector. “That has changed.” In June, an aerospace company became the first to file a Common Vulnerabilities and Exposures (CVE) disclosure related to ground segment infrastructure. Cui argued that, compared with a company that had not gone through the process, the one that made the disclosure “is the better, more reasonable, more secure company to do business with.”
Organizations like the Space ISAC, as well as national and international law enforcement agencies, are working to improve the availability of industry-wide threat intelligence. There is also greater awareness of supply chain risks, and more rigorous requirements are being developed for space asset security, including zero trust architectures and DISA’s Infrastructure Asset Pre-Approval (IA-Pre) requirements.
Even so, experts report continued reluctance among some space and aerospace vendors to accept the challenges. “If anybody ever says to me, ‘We have never been compromised,’ I immediately understand that you have no idea what you’re talking about,” said Schaad. “Security by incompetence, I guess, is an approach. But not a good one.”