A

You're listening to the Cyberwire Network powered by N2K.

B

When it comes to mobile application security, good enough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com.

C

Space assets have traditionally been protected at least from nation state attack by these very strong nor, but in cyberspace there just aren't the same norms. Historically, there's been no penalty for attacking in cyberspace and frankly, that's a little worrying.

A

Welcome. I'm Maria Varmazes and you're listening to T Space Cyber Briefing. In this show we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects and connects our lives. 3, 2, 1, 0. Hi everybody. Thank you for joining me today. In our show today we are featuring my recent interview with journalist Sean Waterman, and he's been covering emerging technology and the space industry for decades. Space cybersecurity specifically has also been a part of his beat. You may have seen his byline in Satellite Today or in Newsweek. Sean recently wrote an article about how the newest Space Race is Cyber in which he covers recent work in the industry to bring incident detection and response onto satellites themselves rather than focusing solely on the ground systems. And well, as you might imagine, that really piqued my interest. We have a link in the show Notes for you so you can read that article. But even if you haven't read it yet, I know you'll get a lot out of our conversation about the current state of space cyber. Let's start off with Sean telling us a little bit about himself.

C

So I am a reporter, freelance journalist. I write about cyber security and other emerging technological threats and I write about the space industry and I used to write more about federal it. My background is I. I came to Washington with the BBC originally for six months in 1999, but I liked it so much here that when they wanted me to go back to London, I quit. So I and I, you know, never look back. The rest history.

A

As I say, that's wonderful, Sean. Well, thank you so much for joining me today. I reached out because you wrote this fantastic article with the headline the Newest Space Race is Cyber. Would you mind walking me through a little bit about how you put this article together and what your pitch was for creating this.

C

Well, actually in some ways this was a follow up to a story that I wrote last year. After the Cybersat conference in Reston in November, there was a presentation by the DHS Science and Technology Division and the Aerospace Corporation about a couple of things that they were doing, open source projects basically designed for on orbit cyber detection and response space companies, you know, think about cyber security or operationalize it anyway. They, it tends to be on the ground, protect their ground assets, you know, they protect their assets in the cloud, they encrypt their links. Hopefully they do. Hopefully, yeah, but can't take that for granted. But no one really knows how to protect the satellite itself, you know, the software that's on there. So. And I have been writing about this for about five years. You know, I first wrote about it in 2020 actually, which is the first hackersat contest at Defcon. So there's a history there of, you know, what hackersat was doing and they were building up to it. Eventually in I think it was 2024, there was actually a CTF, you know, capture the flag contest between these teams of hackers on a satellite actually in orbit called Moonlighter. Yeah, it was an Aerospace Corporation and Air Force Research Lab project. So, so there's been on the offensive side, there's been quite a lot of work to demonstrate the dangers of this hacking presents. But on the defensive side, by contrast, there really didn't seem to have been much work done. I wrote a couple of articles, one via Satellite magazine and one for Air and Space Forces magazine about these efforts last year. And so the story in OT today for Information Security Media Group was, was really a sort of continuation of that, an update of it, you know, what had happened since, because they were going to try and open source some of these projects so that people could toy around with them. And because, you know, it's a very difficult thing when the hackersat people were looking to try and find a satellite that people would let them hack in or you know, in the end they had to launch their own. Right. Because everyone was like, no, I don't think we're gonna do that.

A

A multi million dollar asset on orbit.

C

Yeah, so part of the problem is, you know, people need to have confidence, have a trust and familiarity with the tools. Right. That was what DHS Science and Technology Division and the Aerospace Corporation were trying to do. And then there were also a couple of other different initiatives which I touched on in the ISMG story. Deloitte is actually they have a small constellation now in orbit, there are three satellites altogether that have this on orbit intrusion detection system. And they've been testing it out. They and their partners have been trying a series of increasingly complex attacks on, on the satellite. None of them succeeded so far. So that's a good thing. The guy Ryan over at Deloitte did say to me, you know, the, the, the one we're going to really learn from is the one that succeeds, right? Yes, yes, they have their silent shield, which is their cyber product. You know, they're on orbit intrusion detection and response. Well, on the first satellite was behind a one way diode, right? So that meant it could receive information from the satellite payload, but it couldn't actually, you know, transmit to. It couldn't actually do anything. And that again, is for the confidence issue. But with the second two satellites, they wanted to demonstrate on orbit updateability. Right, because they were not just trying to sell new satellites, they're trying to sell this tool to people who have satellites in orbit and, and you can update them over the air. You know, if they're software defined, if they're software capable of being updated, which, you know, all the satellites in these new LEO mega constellations are, then, you know, you could upload silent shield to your satellite and, and it will be protected, not just on the ground, but actually, you know, in orbit itself. And then, and then the final initiative was an initiative. Well, it's a Space Force contract, actually, with a couple of startups to build a tool that will look not in the software, but in the behavior of the satellite itself. You know, what's it doing, what's it transmitting, is it maneuvering? What's its orbital status and where's it pointed? Is it pointed in the right direction? All of this stuff, it's dangerous to rely on telemetry for detection, you know, because one of the things that a hacker might be able to do, and this is a big part often of hacking operational technology systems, is you get the system to keep sending telemetry that says everything's fine. I mean, that was how Stuxnet worked, right? The weapon that was deployed against the Iranian nuclear program. These centrifuges that spin at enormous speeds to enrich uranium started shaking themselves to pieces. And the Iranians couldn't figure out why, because everything, all the telemetry, all the sensors were reporting all normal.

A

Right, Right.

C

So that's an important problem, and that's Space Force have focused on, that's called the cyber resilience on orbit.

A

Time for a quick break now. When we come back, Sean Waterman details why behavior is the key indicator for security incidents with spacecraft. Here's a hint. How often do you see space based CVEs? Yeah, more on that after this.

B

Most environments trust far more than they should, and attackers know it. Threat Locker solves that by enforcing default deny at the point of execution. With Threat Locker allow listing, you stop unknown executables cold. With Ring Fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.

C

No one goes to Hank's for spreadsheets. They go for a darn good pizza. Lately, though, the shop's been quiet, so Hank decides to bring back the $1 slice. He asks Cope Copilot in Microsoft Excel to look at his sales and costs. Help him see if he can afford it. Copilot shows Hank where the money's going and which little extras make the dollar slice work. Now Hanks has a line out the door. Hank makes the pizza, Copilot handles the spreadsheets. Learn more@m365copilot.com Work

A

and we're back. Here's more of my conversation with journalist Sean Waterman, jumping back in with indicators of behavior and what that means.

C

So indicators of behavior look at things other than the software to figure out if there's an intruder in the system. Part of the reasoning for that is that there isn't. In space, a tradition like you have with earthbound IT systems of people finding vulnerabilities and reporting them, and this huge bank of CVEs which are reported and validated software flaws. This is how a lot of detection is done in earthbound cyber through looking for the indicators of compromise that show that a particular CVE is being exploited now in space because you don't have this huge database of previously discovered vulnerabilities, it might be much harder to detect a cyber attack just through looking at the software itself. Especially because so much of the kit is, you know, it's sort of nonstandard.

A

Yeah, it's custom per satellite in many cases.

C

Right, Especially yeah, with the big sort of legacy GEO satellites in geostationary orbit. These huge exquisite satellites, they have custom built hardware like absolutely custom and it's run with firmware embedded software. Very difficult to analyze, very difficult to detect potential attacks. The indicators of behavior are a sort of collateral way really of detecting an attack. You know, not looking directly at the software but looking at possible impact that it's having on the way the satellite's actually behaving. The drawback, Maria, is that indicators of compromise, if they're done in the right way are pretty deterministic. Right. If you see this, you know, it's an attack, you know, it's exploiting the following cve, you know, its blast radius might be X, Y or Z. With indicators of behavior, it's much more probabilistic, you know. Well, this looks like it might be X, Y or z. That's the $64,000 question because, or challenge? Because you know, if you're trying to empower satellite owners and operators to defend their assets, they really need a yes or no answer. They're not going to mess with a multimillion dollar orbital asset, you know, because it might be, you know, something might be up. So. Yeah, but that's, I mean it is, it is, it is very interesting because it just, you know, that is cyber is not one thing and certainly not in space. You know, it's, it's, there's multitude of sort of different approaches that you have to take this multi layer defense to protect these assets.

A

Now we were talking a lot about when we're thinking of the more custom, the exquisite, I love that word that you use, the exquisite satellites and geo, the huge military especially assets. But I'm thinking for the proliferation of more commercial constellations in leo, do we see the paradigm changing dramatically or maybe not at all when we're thinking about that. Or maybe is it too early to even be thinking about. We've got these constellations in LEO that are more commercialized. Will they have their own custom Linux distro that they're running on or is it going to be sort of a similar situation?

C

Well, that's a really interesting question. So the big Leo mega constellations are all vertically integrated, right? So you know, it's a Starlink dish, it's a Starlink satellite, it's Starlink hardware, it's Starlink software all the way up and down the chain. At least with SpaceX, you know, they have used or tried to make much more use of commodity hardware, you know, regular chips and yeah, running, running Linux. I actually don't know what the operating system for Starlink is. I mean the firmware for the dish has been taken down a couple of times I think by researchers Black Hat and defcon. Obviously the satellites themselves, that's a very different kettle of fish. And, and I don't know, I'm not aware that anyone's, you know, done any sort of work trying to tinker with that. But yeah, I think the, the, the big Leo constellations, we are seeing a lot more commodity, you know, just because the scale, you can't, you know, you're not going to build your own, your own chips. You know, if you're putting 20,000 satellites into orbit, that is not going to work out.

A

Yeah, and SpaceX's vertically integrated approach, I mean they're SpaceX, they're the big, you know, an exception to a lot of things and they've, they've been able to do that walled garden approach. But certainly, at least if, if we listen to what the, in the space industry is saying about the way things are going to be going, they certainly won't be the only dominant player doing what they're doing if we give it enough time. And at some point, I wonder, they've been sort of able to keep things walled off and relatively protected. But there are going to be a lot more constellations out there that probably won't be as vertically integrated as Starlings is. I can't help but wonder what's going to happen.

C

I mean it's going to be very interesting. Amazon Leo, you know, which is probably going to be the first. Well, there's actually this one other operative Leo constellation out there, but I think it's one where Amazon LEO is coming online, I believe this year, is scheduled to come online and you know, and to have a global coverage next year. So. And, and they are apparently, it seems, taking a less walled garden approach. Although, you know, I mean, it's all within the Amazon ecosystem. But I think the objective from Amazon is that those AWS customers find it much easier to integrate the LEO connectivity. Yeah, yeah, you're right though, it is. And you know, there's going to be, I mean there's also all of the Earth observation constellations and you know, there's just, there's so much activity up there in orbit now and a lot more of it I think is going to be using commoditized hardware and software. Kratos is creating, has created an open source management platform for satellites. So, and, and the virtualization as well. I mean this is back on the ground replacing hardware switches and modems with, with software. You know, again, that arguably does open up the attack surface. So the convergence of cyber and space I think is unfortunately is going to create a lot of risks for space. Space assets have traditionally been protected at least from nation state attack by these very strong norms that all the superpowers have demonstrated. Kinetic anti satellite capabilities. None of them have ever used them. Part of the reason is that it's clearly a red line. You know, if you're doing nuclear command and control through your satellites and the adversary starts to mess with them, that is a very bright, thick red line that's been crossed and people generally don't want to do that. But, but in cyberspace there's just aren't the same norms. Historically there's been no penalty for attacking in cyberspace and frankly that's, that's a little worrying.

A

Well, it's a lot to think about. Sean, thank you again so much for speaking with me. I greatly appreciate it.

C

It was lovely. I enjoyed it Maria, and come back anytime.

A

And that is T Minus Space Cyber Briefing brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter Signals and Space. You'll get research and notes pulled together by our producer Ethan Cook and me, along with this week's top space cyber news stories. Subscribe by visiting TheCyberWire.com newsletters We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cyber security landscape. If you like our show, please share a rating and review in your podcast app. You can also fill out the survey in the show Notes or just send us an email based table is how you can get in touch. We are proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps cybersecurity professionals grow, learn and stay informed. As the nexus for discovery and connection, we bring you the people, the technology and the ideas shaping the future of security. Your innovation. Learn how@n2k.com thank you for listening to T Minus. I am your host Maria Varmazes. The show is produced by Ethan Cook and Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our Executive producer is Jennifer Ivan with content strategy by Mayan Plout Peter Kilpe is our publisher. Thanks again for joining us. See you next week. We. Some follow the noise, Bloomberg follows the money. Whether it's the funds fueling AI or crypto's trillion dollar swings, there's a money side to every story. Get the money side of the story. Subscribe now at Bloomberg.