We speak about Cybersecurity Maturity Model Certification (CMMC) compliance and space supply chain cybersecurity with Beyond Gravity and DTC Global.
Summary
Cybersecurity Maturity Model Certification (CMMC) compliance is essential in the space industry. We explore space supply chain cybersecurity with Frank Chimenti, Director of Programs at Beyond Gravity, and Regan Edens, CISO at DTC Global.
You can connect with Frank and Regan on LinkedIn, and learn more about CMMC compliance for space here.
T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
When we were looking through the presentation list during commercial space week, one panel really stood out to us. It was about cybersecurity and the space supply chain. Could we finally be seeing a shift in the industry to a better understanding of cybersecurity and how it touches everything, every department in space? Well, we spoke to two of the panelists at that talk to find out more. [MUSIC] Hi and welcome to commercial space week here in Orlando, Florida. I'm Maria Varmazis, host of T-Minus. And we're going to be talking about cybersecurity and space today, which is honestly my favorite thing to talk about. So I'm really excited for this conversation. Gentlemen, thank you for joining me today. Why don't we start with introductions first? Frank, why don't you start? Tell us a little bit about yourself. Hi, I'm Frank Chimenti. I'm the director of programs at the Titusville facility for Beyond Gravity, basically the site leader. And my name is Regan Edens and I am the founder and CEO, de facto CEO I suppose, of DTC Global and we provide highly specialized consulting for supply chain security, CUI compliance and CMMC. Wonderful. Gentlemen, thank you so much for joining me. So you're going to be on a panel here at Spacecom talking about your areas of expertise. And I imagine there was a lot of conversation before the panel was sort of proposed about the need for what you're discussing. Can you give me a little behind the scenes on what went into the idea behind this panel? Why is this so important now? Yeah, I'll start. So cybersecurity used to be the responsibility of the IT department. So it's back room. Everyone was like, OK, as long as they're dealing with it, we don't have to. That is no longer the case. The government has realized that they're at a competitive disadvantage because of cybersecurity data leaks. We've lost tons of data and our competition, our international competition, is taking advantage of that.
So they realized, OK, we need to lock this down. Our supply chain is our biggest risk. How do we lock down that data? So they came up with CMMC. I believe that leadership needs to take a responsibility and own that and push that response down to the teams so that everyone is thinking the same way about cybersecurity, how to prevent the data leaks. Because it's not just the CUI or the controlled unclassified information, but it's your IP, your money, your time to be invested to come up with new products, new services for your customers. You don't want that taken. But you also have the data of your employees. Yet that sensitive data, their personal information, you don't want that leaked out. So I believe that all corporations have to think about not just the CUI, not just your IP; all three of those are very important. To me, it's as important as safety and quality. All three of those are critical for your organization to be successful. Absolutely. And the remarkable thing is that we have to do this. As Frank points out, the estimates are $900 billion a year lost to our adversaries. The entire defense budget every single year lost through exploitation, sabotage, and the opportunity really for adversaries to gain advancements, not only in extracting that technical information, but making it better. Developing and short-cutting and compressing their advancements in technology and decreasing their overall investment and also minimizing their risk because they can build on top of and improve their systems and capabilities. The challenge for us is that how does the defense industrial base, the defense supply chain, navigate really bringing and standardizing their cybersecurity, their data security, when that has not been a priority? And you have this enormous disparity between manufacturing organizations and small ones and big ones and little ones. 98% of the defense industrial base has fewer than 100 employees. Right?
So you can't think of it in terms of Lockheed Martin or Raytheon. These companies have enormous resources and fabulous capabilities to defend themselves. So now how do we navigate this from really managing real people and real organizations who have to figure out how do I implement these requirements? How do I determine what is the controlled unclassified information that I need to protect versus my own IP or IP that's not controlled? And then how are we a good steward of that trust to ensure that these systems that we're developing are not compromised, that we are delivering them in compromise? So we have this tension and the tension is we must secure the data, we must secure the supply chain and the other side of the tension is just the confusion and difficulty of how do we do this, how do we make it efficient and how do we manage those costs to be able to navigate this because it is difficult, it is complex and it is not easy. Yeah, Frank, I feel like that you would be a great person to kind of tell me a bit about what is it like implementing CMMC, I mean compliance is never easy. It is never easy. So it's saying yeah, it's hard, it is. But what has it been like for you all? Well, it's never the technology, right? There's always solutions, right? We have a really good IT team. We had some complications trying to figure out different solutions because we're an international company. So our IT systems are connected to, let's say, Switzerland, that's where our headquarters is. So we had to find a way to kind of break that link so we could have a secure place to store our data. So that part was a little tricky but we came up with ways around that. It's now the people making sure they understand that when they bring in new equipment or we create new processes that interface with our manufacturing resource planning tools, that it doesn't create new threats. So for example, we had a very simple 3D printer. It was a great idea and the operations loved it.
They bring it in, they can make cool little tools and you buy it, you drop it in, you connect it to the network. All of a sudden we can communicate, program things on day one. Actually goes out to the outside world and gives you new tools to make like little mini software things to improve the programming of it. We started looking at it from a security point of view and realized, "Oh yeah, we just created a huge hole." And so the operational technology, the equipment on your production floor, in my head, is probably the biggest risk to an organization. It's not so much the emails, it's bringing all of this technology, our CNC machines, you can have spectrum analyzers. In the past, you could sit at a bench to program these things and work on them. Now you could do it all remotely because it's all networked. Each one of those pieces of equipment are a threat, a possibility of being attacked. So I think having everyone aware of that, thinking that way, asking those right questions to the IT department so that before you bring in this new piece of equipment, they're ready to actually put into safeguards and to monitor to make sure that it doesn't happen. So I think it becomes more of a people thing, making sure everyone's on board and a technology problem. Well, for many years now, I've sort of said that necessity to safeguard CUI and CMMC really is driving digital transformation through compliance. And so this idea of operationalizing cyber security through the manufacturing process, is a behavior switch, is a transformation of the organization from sales all the way through to order fulfillment. And so this is that moment where people tell me, "Well, this is an IT thing." I mean, that's always the very first reaction. That's always the knee-jerk reaction. And then when Frank and I met and we had our first interaction, I'm like, "Okay, I've got good news and I've got bad news." 
The good news is, the IT thing we can figure out, the bad news is that the preponderance of the burden is carried by the people who receive that technical information, the CUI, and also handle it and also develop it every day in the performance of the work. So that's where you partner with your senior management and you say, "Okay, how are we going to do this for real?" And it's different from a compliance regime, because the compliance regime usually starts out with, "Okay, what do I have to do to meet minimum compliance?" And then 15 minutes after the assessment, we're going to do whatever we need to. And so this is a completely different thing, because now we're working with clients like Frank and saying, "Okay, Frank, how do we make this real every single day? How do we navigate the challenges between, "Okay, we work on this one system doing this and then we work on this system doing that, right? How do we bring in things like 3D printing and innovation and drive his ability to deliver effectively and faster? But how do we assimilate those things and do them in a way that is compliant and sustainable, right?" So these are the challenges that it really have to really be thought through that our initial reaction is, "Okay, well, what do I got to do to implement the technical controls, be compliant, and then get back to what I do?" Well, that's not this. This is really a generational shift to standardizing the defense industrial supply chain in a global sense, right? Because it's not just Florida, it's not Maryland or Dallas-Fort Worth. It's really Europe, right? It's European suppliers. It's folks in the UK and Canada. So the reality is that we get the opportunity to sort of proselytize the gospel, if you will, about how we need to protect the data, how we need to meet the requirements. And then the really heavy lift is embracing that very, very in the trenches detail about how do you make it work for real, right? 
And then how do you think about cost and doing this from Frank's supply chain down, right? Because Frank's thinking, "Okay, well, we have to get the plan." And then the first thing he said, "Well, Regan, what about everybody else?" Everybody else. Yeah. So this is the eighties transformational. Yeah. It is transformational. Now, I want to ask a question that probably sounds silly. Could it potentially be a competitive differentiator? I know people need to be put. Is it? I mean, absolutely. I mean, just very simply, because I give you two examples. We wanted to buy a visitor management system. We had to check, just to check by somebody, come in, they fill out the form of who came in. It's really annoying. So I wanted to go digital. We found three different places, very simple software, really same features. Two of them, the data just went out to the cloud and it was no good. One of them didn't. So there was a differentiator with just our supply. Okay, let's get this one because it's protected. Same thing the other way around. So if you have a prime contractor that has a CMMC requirement and there's two or three that we'll call machine shops, we're sort of a machine shop, but what we do in Titusville for Beyond Gravity. And two of them may not. And if we do, so they're going to want to protect that data. So to me, it already means that they understand that we take the responsibility of taking their information, building that product, working with our suppliers and making sure they don't leak that information and deliver hardware to them. So I think it absolutely is a differentiator with our competition and when we go out to our supply base and picking who we want to select. Yeah, yeah. I'd love to hear you both tell me a bit about, you mentioned sort of the human equation and when it comes to compliance and infrastructure security, that's always the challenge.
And I'm really curious to hear your thoughts on what has worked in sort of building that security culture around CMMC. What has worked to what hasn't in maybe preaching the gospel a little bit. Yeah, I'd love to hear your thoughts. Well, so do you mind if I tell a story about competitive advantage first? I guess it is, so I discovered this by accident, right? In 2019, my very first client, large client, was the only company, their site within 500 miles of Aerojet Rocketdyne, driving distance that was compliant back when Aerojet Rocketdyne came up for the Federal False Claims Act. And they did, I got the call that, hey, Aerojet's coming over for an inspection assessment. I'm like, oh, great. Yeah, that's fantastic. Hey, when are we going to schedule this? They're like, I said, well, I don't know. They sounded, well, let me call you back. So they called me, he called me back at like 10 minutes. He's like, they're actually on their way. Cool. And I'm like, wow, okay. Well, yeah, something must be going on. So sure enough, the issue came down with Aerojet. But the reality was that that made me realize, because my first reaction was, well, did you ask them for more business? If you're the only compliant organization, right? And so that has transformed into, since 2019, almost every single client that we have has seen a top line revenue growth between 10 and 20%. That's enormous for companies, because what I would advocate for is, look, we're going to do this, we're going to do it right. And then you turn back right back to your buyer, your supplier, your contracting officer, or your prime contractor program, and saying, look, we have secured your data. We will show you how we do it. And we want our competitors' business, right? Because you don't have to worry about that. And so in that regard, I see it as an extraordinary leap forward, ironically, even after five years of the CMMC rollout.
Now, even in phase one, we have the opportunity for organizations to take what I call the largest market share opportunity, and probably the defense industrial based history, because there are going to be companies and Frank does this, companies that don't do it, they don't want to do it, that are late to doing it. And then now, folks like Frank or others are forced to make a choice. Do I, do I choose between compliant supplier A or non-compliant supplier B? Yep, right. Yep. And now it's just a matter of, okay, well, we're going to work with, with this organization and then navigate the path forward. And then now I have an investment in them. I have to re-qualify them sometimes and go through all of the supply chain dependencies. But at the end of the day, there's a trusted relationship, because they've done what they needed to do, which reflects the way that we approach our business and our stewardship of government's data. Data stewardship. I always love that phrase. That's the important one. Yeah, that's right. And when you internalize inside of a company, it's that cultural shift. Yes. Yes. And then so when you bridge that over to your initial question, which is, you know, what are the challenges that you face? One is that you, you have to realize that the message is not, we're doing this for compliance sake, because I was actually, that's the most demotivating thing I can think of. Absolutely. Let me get right on that. We'll be right back. Yesterday, I had a fantastic conversation with a VP of quality. And I said, you know why I love quality people? And she's like, you know, she's like, no, I'm like, it's because, yes, I come from a bro that compliance, although I'm not a compliance person. I, I, I actually pride myself on that because compliance is the house of no, no, you can't do this. No, you can't do that. No, you can't do this. But quality recognizes that there's a standard that our customer expects us to meet. We have to meet that standard. Yeah. 
And we have to do it in a way that's efficient and that's profitable. But if we don't meet the customer's expectations in that standard, we don't have a customer anymore. That's right. Right? Yeah. So that is an awesome opportunity for people to realize that, that data stewardship is the equivalent to quality. If we don't meet that stewardship goal, and we don't meet our quality standard, we do not have a customer anymore. And you don't have a job. Yeah. And, and, and it impacts real people and in their lives and their opportunities. And if we do this and do this well, just like quality, now we have the opportunity to actually do more for our clients and more for our customers. So for me, when the very first, the very first failure usually organizationally out of the gate is, okay, we're being forced to do this. This is a compliance thing. Everybody buckled down. We're just going to do this and then get it done. That's right. Yeah. We're just going to mull our way through it. And, and that attitude doesn't really capture the tremendous market opportunity that you pointed out. And so if you combine those two things, what I, what I always say when I first talk to people in organizations is we have to have a, we have to have a relationship. And the relationship is, is that you allow me, you give me permission to tell you the things that you don't want to hear, to tell you the hard things that you have to do. And then you have to trust me that we absolutely can do this. I promise you. And then when we do it and we do it well, there's a, there's a glorious outcome. Yeah. Right. Yeah. Yeah. I think with leadership, when they realize that, that the data security is critical for the success of their organization, until that point, they won't take it as a series. It's a compliance thing. Yeah. Yeah. And I'll be honest. In the very beginning, I'm like, oh, okay, we're going to have to bust. I mean, it's, it's an understandable reaction. 
It's just like, oh my gosh, there's so much more work now I got to do. Yeah. But when you, all of a sudden, there was a few things that happened. One was this 3D printer. We have other big equipment that are just as connected. But I was like, oh, wow, you know, makes you think the visitor management system. The, but another one was, you know, so simple is one of the questions is, okay, who has access to the different drives in your network? All of a sudden, we started looking, and there was people from four years ago, I'm like, oh, no, they couldn't get in. But the fact is, there was people that had access to these networks that no longer belong in the company, or they changed fields. Yes. So they no longer need this engineering, they needed sales. It's a remarkably common thing too. Yeah. And you start to realize like, oh, wow, we're messy. This is not, you know, this is not good. And, you know, AS9100 is a similar thing where it forces you to think about why is operations and quality so important. It creates these standards that you, it becomes part of everyday life. And the CMMC, I think is going, it's going, well, it is for us and it will, hopefully for other people when they start doing it, do the same for them where they create this. It's just part of your everyday life. Yeah. It has to be across the board, all the different functions, right? Sales, people and culture. And I always, I like, or we call people, cultures really human resources. And why it's so important for human resources to also be included, again, it goes back to that your employee data. And we have to respect that data as much as we respect the CUI or IP. And so I think that once you, once leadership understands that, and creates that culture of cybersecurity throughout the company, it's just as important, I said before, as safety. You don't want your employees, so the Bucksops leadership, you got to make sure everyone is safe, that you're being successful. The quality.
And now, I think cybersecurity is among, is one of those three pillars. Yeah. You know, you know, the key to what Frank just said is leadership. Yes. Right? Yes. I know that. Leadership is not getting the next sale, right? Leadership, you know why I love space? I love space and, because they have 22nd century vision to operationalize and solve hard problems in the 21st century. Right now, how do I make it? How do we get to these amazing goals, to these amazingly difficult and sometimes austere and hostile environments, right? And am I really going to do that using 20th century industrialization and 20th century security? Yeah. And the reality is, is when you align that 22nd century vision with solving hard problems right now, to make this, to meet the goal, meet the expectation, deliver to the customer on time, and to solve these very difficult problems that we need to do what we need to do right now, and align that with that understanding that this is the stewardship of the data. Yes. Yes. Is our future because we cannot have our peers out distance, out distance us, and we can't out compete us, and we can't give alternatives because we have these goals, these incredible goals that we need to do. Yeah. And we need to do them right now. And if we don't do them, somebody else will. Yes. That's right. Yeah. You mentioned something that you were bringing it back to space specifically, which I also wanted, I'm thank you for doing that because I was thinking a question that I had three years ago when I started doing this job coming from pure cyber security and now thinking about space and cyber was basically yet another cultural question of I was noticing a lot of friction within the space world about InfoSec stuff, the stuff that I consider sort of table stakes. And my reaction was, what's up with this? For lack of better terminology, why? I mean, I understand nobody really likes hearing a lot of this stuff. I understand that. 
But I just, I had felt so much friction and I said, I would not have expected that from such a forward thinking sector. So that's just my read on it. I'm curious what you all think and I'm curious if you have any thoughts on why that might be or if it's changing or am I off base? I would think one of the hardest things for space and CMMC is our supply base. Everything we do is custom. Yeah. Right. I would think that is as what we do, we build the structures, the panels for the satellite is we almost, okay, it's aluminum, aluminum, phase, aluminum core, but there are parts that we have to get them custom made and the suppliers that we buy from, space for them is a small portion of their entire business. So they don't, they're not interested. They may not be, and they may not do any military work, so they're not interested in CMMC. So now suddenly you got to work on it. How do I make, how do I design something that is a COTS type part that's not custom and maybe you have to vertically integrate and bring it into your house and that's what we're doing. In some of our parts, we can't buy a custom part because they're not going to become CMMC certified. So it's like, all right, we have to design our parts different so that we can make something that's COTS, bring it in and then modify it for what we need and then that's how we can protect the CUI data part of it. So I think that to me is one of the challenges. It's hard. I would think that, so, you know, Frank as an engineer has really helped me see things differently, right? So you learn from your, you learn from your clients and one of those was his innovations in, okay, if we in house this portion of our manufacturing process, right, and we do the design a little bit differently, then now we obviously can protect the data. That's the goal. But what we've done is alleviated a high pressure burden on a supplier that's not ready yet, right? And in the end, there will be this massive migration.
It will be the people who choose space and defense and dual use technologies because that is a portion of their business that they want to grow. It's a, they can increase their margins. It's not a commodity thing, right? They can, they will recognize that there is opportunity in this space, just like my very first client in 2019. They decided to go from commodity sort of surface coating parts to highly specialized. Why? Because, yes, the risk is larger, but there's also a much larger margin in these sort of customer unique parts and underneath these really difficult specifications. But here's the, here's the interesting part is that this tension in navigating this is really about vision. It's about the American supply, the American manufacturing has got to decide that America still has to cut and bend metal. And that is our path to success. And if we don't do that, then who is going to do that? It is in fact not the people who sell us things very cheaply at the dollar store, because those are our adversaries. They do not want America to succeed because their, their codependency on us is coming to an end, right? So the reality is that we will pour steel, we will cut and bend metal, and we will make things or we are in a very deep trouble. And that has got to return to America. And so what I see is that again, there's this tension between practical reality, right? It's only a portion of my supply, you know, Beyond Gravity. We do, you know, one to two million a year and, you know, that's not enough for us to make this switch because we do 30 million in oil and gas, right? And so, you know, these choices are real choices that companies have to make, but that goes back to opportunity. If there, if we have an ecosystem filled with CNC companies that decide to opt out, well, I'm not going to do this, then that creates opportunity for compression and consolidation. And two companies that say, you know what, I'm going to fill that space. Absolutely. Thank you.
I want to give you both a chance to give any wrap up thoughts for our audience. So Frank, you want to go first? Yeah, I would say when you think of CMMC, consider the why, why it's important. And of course, it's the CUI, the data for our government to make sure that they're successful. It is our IP as a business. You want to make sure what you've invested in the money that you spent over the years is protected. And of course, your employees, it's incredibly important that their data is protected. It's a huge advantage for your organization. It's a huge risk if you don't do it. For me, it really boils down to training education of the ecosystem, which is CMMC, the hard truth, right? The hard truth are it is complex. It is transformational. It is a business decision that you need to make deliberately in understanding those risks and the necessity to transform largely the operational and business side, the manufacturing side of the house, which is, you know, prone to resist, right? And I call that the seven stages of grief, you know, and there's a necessity to walk through that seven stages of grief. In the end, what you have to do is you have to be confident and to bring everyone goes through it. And I've started telling them this up front. And the reality is, though, that you need to go into this with eyes wide open. There have been 58 different revisions of key and critical documents and 3600 and like 83 pages of updates, right? This is not easy. It is not complex. And choosing who you seek wise counsel from and who you get advice and guidance from can incorporate into success or investments that are made that will not take you to where you need to be. So choose that and choose very, very wisely. Because with opportunity comes every Joe and Jane that wants to throw their hat in their ring and say, I'm an expert at this. And then the reality is that you can spend a lot of time and a lot of effort and not achieve the outcome. 
So be wise, be deliberate, understand the risk that this is expensive, it is hard. But the entire cornerstone of space is that we solve hard problems that no one else can do. And this is another thing that must be done to incorporate business opportunity. And you can do this. And you just need great guidance, accurate and consistent with the requirements. And you need that tenacity and that leadership that takes you there. Just like every other hard problem, right? And we can do this. We can do hard things. I love it. We love it. Love it. Regan, Frank, thank you so, so much. Really enjoyed this chat. Two amazing perspectives on this. So really, thank you. This was really great. Thank you so much. Thank you. No, thank you for having us. That is T-Minus Deep Space brought to you by N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing space industry. If you like our show, please share a rating and review in your podcast app, or you can send an email to space@n2k.com. We are proud that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, the technology, and the ideas shaping the future of secure innovation. Learn how at N2K.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazis. Thanks for listening. We'll see you next time. [MUSIC]