Space Vulnerabilities with the Aerospace Corporation. - T-Minus: Space-Cyber Briefing

Summary5 min read

T-Minus Space Daily: Space Vulnerabilities with the Aerospace Corporation Hosted by Maria Varmazes | Released on April 19, 2025

Introduction: Changing Perceptions in Space Cybersecurity

In this episode of T-Minus Space Daily, host Maria Varmazes delves into the evolving landscape of space cybersecurity. The discussion centers around the growing recognition that space assets are not immune to cyber threats, challenging the longstanding belief in the inherent security of space-based objects due to their physical separation from terrestrial systems.

Guest Introduction: Jim Myers of the Aerospace Corporation

Maria welcomes Jim Myers, the lead of the Civil Systems group at the Aerospace Corporation. With a rich background spanning satellite design, cybersecurity business management, and extensive experience in the aerospace defense sector, Myers brings invaluable insights into the current state of space cybersecurity.

Jim Myers:
"I'm the lead for what we call our Civil Systems group, spanning customers in the civil, federal space as well as commercial and international sectors."
[02:10]

Evolving Awareness of Cyber Threats in Space

Myers highlights a significant shift in cybersecurity awareness within the space industry. Fifteen years ago, many organizations underestimated their vulnerability, often dismissing potential threats with an overreliance on the perceived "air gap" in space. However, recent years have seen a paradigm change, with senior leaders acknowledging that "Space systems will be the next front of the cyber conflict."
[04:30]

Maria echoes this sentiment, noting the persistent challenge of moving away from the complacent "we're fine" mentality. Myers attributes the growing acknowledgment of cyber threats to increased sophistication among aerospace customers and the Aerospace Corporation's trusted, independent relationship with them.

Challenges in Protecting Space Assets

Myers discusses the inherent vulnerabilities in space systems, especially those with extended operational lifespans. Many satellites, designed decades ago, lack built-in cybersecurity protections because such threats were not considered during their creation.

Jim Myers:
"You just don't have any protections built in, because nobody was having that conversation with you 25 years ago. It wasn't anywhere in the requirements."
[10:10]

He emphasizes that modern satellites, especially those part of large constellations like Kuiper, OneWeb, and Starlink, present unique challenges. The interconnected nature of these systems means a single vulnerability can potentially compromise an entire network of satellites.

Defense in Depth and Cyber Hygiene

A cornerstone of effective cybersecurity, as discussed by Myers, is the concept of "defense in depth." This involves implementing multiple layers of security to protect assets, ensuring that if one layer is breached, others remain intact to prevent a full-scale intrusion.

Jim Myers:
"Whatever you would define as traditional cybersecurity for space-based assets... it isn't defense in depth and you need that."
[23:18]

He advocates for integrating cybersecurity measures at the system architecture level, ensuring that protection is built into the very foundation of space systems rather than being an afterthought.

Aerospace Corporation's Tools and Solutions

Myers provides an overview of the Aerospace Corporation's suite of cybersecurity tools designed to enhance the security of space assets:

Space Cop (formerly Starshield): An intrusion detection system deployed on a cubesat, utilizing early AI applications to differentiate between legitimate signals and potential intrusions.
Sparta: A tool focused on identifying and mitigating cyber threats in space environments.
Dark Sky: A training range dedicated to cybersecurity training, ensuring that teams are well-prepared to handle cyber threats.

Jim Myers:
"We have Sparta, Dark Sky, and the DARs detection and reporting System, which is another prototype."
[13:36]

These tools are continuously evolving, informed by real-world incidents such as the Viasat hack, to provide robust protection and proactive threat management for their clients.

Understanding the Threat Landscape

Addressing the current threat landscape, Myers notes that federal customers like the Department of Commerce, NASA, and DHS are highly attuned to cybersecurity risks. However, legacy systems remain vulnerable due to their age and the absence of initial cybersecurity considerations.

Jim Myers:
"If we were just talking about those three organizations, Kuiper, OneWeb, and Starlink, my intuition is they know what to do there."
[21:02]

He underscores the importance of continuous monitoring and updating of cybersecurity measures to protect both existing and new space assets, especially as missions expand to include lunar operations and beyond.

Advice for Private Industry

When addressing private sector stakeholders, Myers offers pragmatic advice:

Integrate Cybersecurity from the Outset:
"Build cyber into your requirement set. That's the best advice I can give."
[18:01]
Consider the Unique Challenges of LEO Constellations:
The proliferation of low Earth orbit (LEO) satellites necessitates robust cybersecurity measures to prevent vulnerabilities from cascading across entire constellations.
Maintain Cyber Hygiene Despite Design Constraints:
Balancing the need for lightweight, cost-effective satellites with the imperative of cybersecurity is crucial to prevent threats from exploiting system interconnectivity.

Myers emphasizes that even in mass-produced satellite systems, maintaining a high standard of cybersecurity is essential to safeguard against potential widespread impacts.

Final Thoughts: Securing the Future of Space Operations

In his concluding remarks, Myers reiterates the necessity of embedding cybersecurity into the architectural design of space systems. He highlights the Aerospace Corporation's commitment to supporting customers in designing secure and resilient systems, ensuring their longevity and reliability.

Jim Myers:
"The way you get cyber right is at the system architecture level... setting your requirements and getting those requirements right."
[23:18]

He remains optimistic about the industry's progression, noting that proliferated LEO constellations are becoming smarter and more secure through continuous design evolution. Myers looks forward to ongoing collaborations aimed at enhancing the security and resilience of space assets.

Key Takeaways

Shift in Perception: The space industry's view on cybersecurity is evolving from complacency to proactive protection.
Legacy Vulnerabilities: Older satellites often lack built-in cybersecurity measures, posing significant risks.
Defense in Depth: Implementing multiple security layers is crucial for protecting space assets.
Proactive Tool Development: The Aerospace Corporation is developing and refining tools like Space Cop and Sparta to enhance space cybersecurity.
Private Sector Advice: Integrate cybersecurity from the beginning, especially for large satellite constellations, to mitigate widespread vulnerabilities.
Continuous Evolution: The space industry's security measures must adapt continuously to counter emerging threats effectively.

This episode underscores the critical importance of cybersecurity in the rapidly expanding domain of space operations. Through insightful discussions with experts like Jim Myers, listeners gain a comprehensive understanding of the challenges and solutions essential for safeguarding the future of space exploration and utilization.

Loading summary

Transcript36 lines

[00:02]
Maria Varmazes
You're listening to the N2K space network.
[00:10]
Jim Myers
Looking for a career where innovation meets impact. Vanguard's technology team is shaping the future of financial services by solving complex challenges with cutting edge solutions. Whether you're passionate about AI, cybersecurity or cloud computing, Vanguard offers a dynamic and collaborative environment where your ideas drive change. With career growth opportunities and a focus on work life balance, you'll have the flexibility to thrive both professionally and personally. Explore open cybersecurity and technology roles today@vanguard jobs.com.
[00:52]
Maria Varmazes
When it comes to space cybersecurity, tell me if you've had some variant of this conversation before. Goes a bit like this. Objects in space are safe from terrestrial vulnerabilities, right? I mean, there's an obvious air gap. It's certainly more difficult to connect and hack an object miles above us traveling at speeds of 17,500 miles an hour. Surely there's fewer vulnerabilities in space, right? Welcome to T minus deep space from N2K Networks. I'm Maria Varmazes. The perception of space not needing much, if any, cybersecurity seems to be finally a thing of the past. Of course it's more difficult, but with thousands of objects in space connected to each other and to the ground, those vulnerabilities are still there and they are very real. I spoke with Jim Myers from the Aerospace Corporation about this shift in cybersecurity threats and the need for better cyber hygiene in the space industry.
[02:10]
Jim Myers
I'm the lead for what we call our Civil Systems group and that spans customers in the civil, federal space as well as commercial as well as international. I ran a cybersecurity business before I came to aerospace. I've done satellite design all the way back to just good old fashioned design to running businesses that say, deliver solutions that are space based electronics businesses and cyber businesses, among others. So I've touched the aerospace defense world in a whole bunch of different domains and different types of business models and about 15 years ago got pretty involved in cybersecurity for a period of time. What I noticed then, which hopefully isn't as pronounced now, but I hope it's not a strategy. What I noticed then is we would go and interact with customers, prospective customers, and, and bring forward to them some areas that we thought they should look at in more, in more detail, we thought they had vulnerabilities and what we heard back is we're fine. And of course they were. Some of those customers that we went and talked to ended up with problems. They had various impacts. And so our traditional Tech, terrestrial, aerospace, defense. Customers are much more savvy about cybersecurity now than they were say when I got into that about 15 years ago in space. It's only in recent years that seemingly customers have started to pay attention. And I remember, I think it was 2020 and aerospace has been right in the middle of something that I think it's called cybersat Gov.
[04:30]
Maria Varmazes
Yes.
[04:30]
Jim Myers
It's a gathering conference, a chance for senior folks and experts to interact on this topic. And if you've ever met Kim Kreider, who is now a retired Air Force two star, who was right in the middle of standing up Space Force and was on the cutting edge of a bunch of things that Air Force and Space Force have done in recent years. And she I wrote it down at the time, the quote that I wrote down. Space systems will be the next front of the cyber conflict. She knew it then. And here we are almost five years later or around five years later.
[05:13]
Maria Varmazes
And, and that attitude that you described of like we're fine is something that I've heard many people anecdotally saying that they had encountered that same mentality and that it was, it's been not impossible, but like surprising how hard it's been to sort of move the needle a little bit. But it does seem like things are finally moving in the right direction on that. But that we are fine mentality has been hard to shift.
[05:37]
Jim Myers
Yeah. And one of the having come from industry, one of the things that attracted me to aerospace was we have as an ffrdc, we have a position in the customer community where we're trusted because we don't do the work that the contractors do, we don't build systems, we'll develop prototypes and we have a bunch of pretty neat cyber security oriented prototypes, but we don't build things because that's what the contractor base does. So. So we're not competing, we're independent, we're objective. And so I could come to aerospace and have a more trusted relationship with customers than a contractor that's trying to win a job. That's not what we do. So to sit with customers and collaboratively talk about their cyber posture and their vulnerabilities, that partnership is much easier to realize as a member of the aerospace team than I was able to do previously in my career.
[06:42]
Maria Varmazes
Can you tell me a bit about that conversation when you're approaching the customer? And I'm sure nobody's starting at ground zero. I mean people have some, oh gosh, I would hope so. Some familiarity with space cyber. But how do you kick off that conversation. I mean, is it, you know, have you all done an assessment? I mean, how do you, where do you even begin?
[07:03]
Jim Myers
Well, so first of all, I mean, the government customers are pretty sophisticated, so.
[07:09]
Maria Varmazes
I would hope so.
[07:11]
Jim Myers
Right, right. So the anecdotes that I was sharing from earlier in my career, where I was interacting with cyber customers, think about those as more traditional companies, maybe not as sophisticated and, well, surely not as sophisticated as the government. And so you think about just, I, I love the language that I was introduced to when I first got involved with cyber 15 years ago about, about hygiene. Right. What are those basic things that you have to do? And, and back in those days, it was not, it wasn't even any more complicated than defense and depth. So you would just talk about, well, you know, and we'll come to the space context. But the space context is, oh, well, we were air gapped, so we're fine. Well, that's not defense at all. But okay.
[08:02]
Maria Varmazes
Yeah, so.
[08:02]
Jim Myers
So defense in depth meant you had multiple levels of defense, so that if the intruder got through the first one, you had the second and so forth. So, so sophisticated organizations, if you're having that conversation with them, they resonate with that. You know, you're, you've got a good start. If they have a CISO chief Information Security officer, you're feeling better about things because again, they've made the investment in somebody who's steeped in this and government agencies, maybe not 15 years ago, but today they all have them. And then those CISOs bring their teams along and now you're creating some infrastructure. So it becomes a conversation when it comes to the space domain about. Because these customers are well aware of cyber at this point, are they aware of potential vulnerabilities in the space domain? And so when you think about as an engineer doing satellite design back in the 80s, little did we know, but it's been true for so long that whether we were building systems for commercial customers or systems for government customers, these systems go far beyond their design life. Typical engineers coming together, putting a lot of margin into their design, in effect over designing it. Like not what you see in an automobile, but what you see in a spacecraft. And so you get much more life. And so you've got these systems that have been out there for 20, 25 years. And imagine for a second how vulnerable those systems are. They're really vulnerable. So you're having that conversation about you just don't have any protections built in, because nobody was having that conversation with you 25 years ago. It wasn't anywhere in the requirements. There just wasn't any language like that in the requirements.
[10:08]
Maria Varmazes
Back in the day, that threat model didn't exist. Right. It's just not there.
[10:11]
Jim Myers
Exactly. Yeah, exactly. So you start there and then you say, okay, so there's the space segment. If we're myopic, we're talking only about the space segment, but obviously there are. I mean, today it's not just space to ground links. Now they're going to be optical inner satellite links. So there's a way in through the link. There's obviously the ground segment, there's the user terminals. Right. So there's all these different points of vulnerability. And then it becomes even a more poignant conversation when you point to say, for example, what happened with viasat just a couple years ago with their ability to support Ukrainian operations and they got hacked. So it helps when you can point customers to real world examples. So the fact that we have a trusted position with customers and we've got some tools and we've got some findings from, from basically putting those tools to work in space, we can have that, that conversation with customers to help them think about what are we going to do about our systems that are already deployed.
[11:36]
Maria Varmazes
We will be right back.
[11:42]
Jim Myers
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. What's the common denominator in security incidents, escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by Spectrops. Head to SpectorOps IO today to learn more. Spectrops, see your attack paths the way adversaries do.
[13:28]
Maria Varmazes
Yeah, could you tell me a bit about the tool set that y'all use? I interviewed Brandon Bailey ages ago about the Sparta framework. Tell me a bit about that again.
[13:36]
Jim Myers
Aerospace doesn't develop long term operational space products. However, we launch a lot of cubesats and back a couple years ago, I think it was first called starshield and then it was changed to Space Copy. We launched this intrusion detection system on a cubesat and learned a lot about how to identify using algorithms, so kind of early AI application, how to identify what looks to be intruders as opposed to signals that are good signals. So we have Sparta, we have, I think now it's called Space Cop. When you think about dod, right? It starts with equip and train. You can't go to the fight unless you equip and train. And so we've got another product called Dark sky that's a training range to do cyber training, cybersecurity training, and then the DARs detection and reporting System, which is another prototype. So different tools that I wouldn't say it's a holistic toolkit because cyber is ever evolving different ways to help customers address cyber challenges. Space specific. And, and we're continuing to, to develop tools like that and evolve them as we learn from our literally in space experience. And then of course, when something like viasat happens or something else happens that relates to an intrusion in space, then we can study that and bring that back to our customers.
[15:46]
Maria Varmazes
I'm very curious in the conversations that you've had about sort of the perception versus reality in terms of the threat landscape as it pertains to space cyber. Are organizations sort of on the mark for what they're seeing, or is there a gap there? What are you seeing?
[16:05]
Jim Myers
Yeah, so I would have to caveat with, I'm not close to what the intel customers are seeing and doing and the defense customers, because again, the part of aerospace that I spend almost all my time in terms of my customer interactions is with the federal customers. So think in terms of Department of Commerce, Department of Energy, NASA, dhs. So the federal customers, and universally, they're without exception, they're very, very.
[16:53]
Maria Varmazes
Attuned, I would imagine.
[16:55]
Jim Myers
Yeah, they're very attuned. Now, if we were to look at Department of Commerce, the satellites that NOAA is flying today and the age of those satellites, some of them have been around pretty long time. Same thing with NASA. So. So two examples of customers that have some assets that are potentially vulnerable. So they're aware of that. And yeah, I have no evidence of anything other than, okay, what are we doing to support defense in depth and other techniques to protect our assets? And we do that work today. I won't say for which customers, but we do that work for customers in the federal civil space today.
[17:49]
Maria Varmazes
I'm curious what private industry maybe could adopt as a best practice from what you have been working on, Any sort of advice or takeaways for private industry?
[18:01]
Jim Myers
So one of the things that you want to be careful about is regulation, right? So before we got into this discussion we were talking about should it be critical, infrastructure should not be. So putting that aside, let's stay away from a regulatory perspective and instead just be pragmatic about how are you going to give your system the best chance of survival. You're going to build cyber into your requirement set. That's the best advice I can give. Let's keep in mind that we've got constellations like Kuiper, like OneWeb, like Starlink that are either massive already or will be massive. And so you got to be careful about what that requirement says because these, these satellites need to be, they need to be light, they need to be cost effective. Right. So light, so they're easy to launch, small volume, cost effective because you're turning out a bunch of them. And, and you know, lifetimes are less of an issue because there is some infant mortality that's expected. So you got to be thoughtful about the requirement, but you still need the requirement because again, if you think about any of these Leo constellations, they're interacting with each other too, let alone bringing data down to the ground. And so you could imagine a scenario where somebody injects something, a virus of a sort, and that affects multiple satellites in your constellation. So you do want to maintain some level of hygiene. Even if you've got this kind of luxury of numbers, there's still vulnerabilities there. So I think my first piece of advice for commercial space players is build, build your cyber requirements in right there at the beginning.
[20:15]
Maria Varmazes
Absolutely. Especially as we're talking about these proliferated Leo constellations and a lot of them having, you know, off the shelf parts. And I'm just thinking of really traditional satellites where there are these extraordinary one offs, right. You know, custom built from, you know, soup to nuts as opposed to these massive constellations where, you know, I'm just imagining, you know, if there's one vulnerability in one, then you know, the whole constellation potentially is vulnerable. Very different scenarios, but at the same time potentially a threat multiplier for the Peleo situation. So that's something that I really hope people are taking note of on that. But yeah, it's a different. Yeah, yeah, I can tell you've got some thoughts there.
[20:53]
Jim Myers
Yeah, yeah, I don't have like, I Don't have access to those designs. Right. They're proprietary.
[21:03]
Maria Varmazes
Of course. Yeah.
[21:05]
Jim Myers
Having said that, I feel pretty good about if we were just talking about those three organizations, right. Kuiper, OneWeb and Starlink. My intuition is they know what to do there.
[21:22]
Maria Varmazes
They had it locked down.
[21:23]
Jim Myers
Yeah. But we spend time thinking about that and supporting that because we have customers who are dependent on some of those systems all the way to. All right, we're headed to the moon and we're going to have assets supporting, orbiting, you know, the Artemis gateway, which is going to be in a near rectilinear halo orbit and we're going to have people on the moon and we've got to have communications that we can depend on, we've got to have navigation that we can depend on. Right. I mean the, the things that people talk about. The analog here is the GPS spoofing that happens terrestrially in the US A bad scenario is where something happens to an aircraft. Right. From a spoofing point of view. So same thing, we're thinking about that for deep space applications, literally cislunar. So there's this whole spectrum of applying the learning that we have to this range of missions. And I am staying very specific to civil federal. I'm staying away from defense and intel just because I don't have the specific knowledge there in recent years.
[22:57]
Maria Varmazes
I understand that distinction. Yeah, absolutely, I appreciate that. I want to make sure I give you the wrap up the podium, as it were, for final thoughts, especially to leave our listeners who I know have heard me wax poetic a lot about space cyber, but it's much better hearing it from folks like yourself who are actual experts. So anything that you'd like to leave with, folks, please, the floor is yours.
[23:19]
Jim Myers
Absolutely. Thank you, Maria. And thank you for the time today. I would go back to a couple things we touched on. One being that whatever you would define as traditional cybersecurity for space based assets, satellites and other spacecraft, whether it's encryption encrypting your link, some other form of kind of first boundary security that won't get you there. It isn't defense in depth and you need that. And so the way you get cyber right is at the system architecture level. And aerospace has a lot of experience in working with customers to help them design secure and resilient space systems, which like I said before, it really starts with setting your requirements and getting those requirements right. And then you test and verify. And if you're doing a proliferated constellation, you do have the luxury of numbers. So if you can get it right with your early systems, then you'll just use that. You'll just replicate that design. And what you do see with these proliferated LEOs is they're continuously evolving their designs, so they're getting smarter and they're getting more secure as they go, which is also really encouraging in terms of the longevity of those systems. So, so we look forward to continuing to support our customers in this way and being available for interactions like this, Maria, and hopefully providing insights to your audience.
[25:17]
Maria Varmazes
That's it for T minus Deep Space, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us@space2k.com or submit the survey in the show notes. Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing space industry. N2K Senior Producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kielpe is our publisher and I'm your host, Maria Varmazes. Thanks for listening. We'll see you next time.
[26:25]
Jim Myers
Bad actors don't break in. They log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing your data. Varonis AI powered data security platform secures your data at scale across las SaaS and hybrid cloud environments. Join thousands of organizations who trust Varonis to keep their data safe. Get a free data risk assessment@varonis.com.