Space assets and operations are critical to the security and economic well-being of many sovereign states. Commercial space is an increasingly important part of space operations and provides support to other sectors within critical infrastructure. So space is an inherently harsh environment for operations and space systems are subjected to cybersecurity threats from their own unique vulnerabilities. As space becomes more important to our critical infrastructure at large, the impact of a cyber attack and the corresponding risk increases. So what does the space cybersecurity threat landscape look like? [Music] Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmasas. Our guest today is Rebel Space CEO, Kerry Hernandez Marshall. Kerry has unique experience in both space systems and cybersecurity, giving her a clear view of space's unique threat landscape and how attacks there continue to evolve. That's why she founded her company, Rebel Space, which blends artificial intelligence, cybersecurity, and radio frequency sensing to safeguard spacecraft, ground stations, and mission operations from complex and ever-changing cyber threats. Here's more from Kerry. We started the company in late 2019, really just doing a lot of consulting work at first and then decided to go into full venture-backed corporation world in 2020. My background is a little odd. I started out in the Air Force, the US Air Force, as an enlisted person, landed in, you know, they give you a job. The job they gave me was to be a signals intelligence person doing my Chinese Mandarin translations. So that was my introduction to the world of the military, and it was interesting. I spent a lot more time playing with equipment and signals than I did really getting better at Mandarin. I can maybe order in a restaurant. That's it. That's good to know. Next time I'm there, I'll be like calling you out. I can tell when people are talking about me. That's about me. That's handy skill set, honestly. So you wanted to play more of the equipment. Okay, so I can see where maybe that led to where you're at now. Yeah, yeah. Yeah, yeah. Then I was in attack. And so, all right, what do I need to do to do that? So I went out of the Air Force and I went into electrical engineering, got my electrical engineering degree at the University of Wyoming, landed back in the military as an officer right after 9/11. So I ended up in a strange position being an electrical engineer, a previous intel person in the military with no job. So I got sent to Vandenberg Air Force Base and they like go to this one organization. It was Space and Missile Center, or Space and Missile Center, debt nine at the time. And I go talk to all the commanders and see who needs your skill set. So I walked around to each one like, hey, I'm Kerry. I'm the brand new lieutenant. Here's my background. Here's what I do. And I landed at what became the fourth Space Launch Squadron working for Lee Rosen at the time, who later went on to do all kinds of crazy things in Space Launch and at SpaceX. Yeah, that's a big name. Yeah. So Lee's like, I like you. So yeah, brought me in. That core family at that unit just stayed together. Like we are all intertwined still working together quite a bit. We all ended up a lot of us at SpaceX and now have our own gigs. So that's how you end up in space. So I did Space Launch for a while. Then I went and I got into another strange world after that job in the military. I ended up as reservist and also defense contractor working in Space Electronic Orchery. So we were at this organization called the Space Range, where responsible for building and figuring out all the ways that space systems could possibly be broken and how we can prevent that from happening before we field systems. So now I'm on this trajectory. Yes, yeah, yeah, yeah. So now I'm learning how to, you know, all the ways to protect space systems. So after I did that for a while, build a whole bunch of really cool, you know, space simulations and environments and things that were used to both train Air Force operators for how to do space system operations. And then also, you know, kind of figure out where the gaps were. Which one's there into the world of network warfare. So this is where I start to intersect more into cyber world. And so I ran a pen test team of an assessment evaluation team for the software that was being deployed in the Air Force side. And so now I'm doing cyber. I done Space. So, you know, I kind of just lived in these worlds. You've had like three careers already. I think we got started, right? I know they all get together. They all go together. I'm always the person with like, and it goes back to their original premise on the person with the signals. Huh? Let's talk to you. During this whole time, I had been getting, you know, my graduate degree and I was in a PhD program, kind of early AI, you know, because I really had this obsession with like starting way back in grad school about, you know, just high and kind of just unsupervised machine learning. How can you use AI to do things that, you know, when you're talking about complex, I mean, they thought like magic, magic, right? Communication, some wireless and all this stuff. I'm like, there's got to be a better way. And so I started looking into kind of the beginnings of applying AI to communications and to networks and to the ARF environment to kind of figure out that, you know, it can be doing it better or not. We can do cognitive radios. We can have these smarter things. But about that time, when I was in my PhD program working and running the network work for a team, I got a call from Lee Rosen and he's like, Hey, do you want to come to SpaceX? At this time, it was 2014, things weren't, you know, as mature as they are now, things are still blowing up. He's like, Yeah, can you come to one site and run the RF and telemetry communications side of the house? I'm like, Yeah, that sounds like a lot of rockets are never boring. That's great. We're putting it then I often to commercial space land and I get exposed to both, you know, kind of just this new era of how things are done on space, you know, that go fast, build quick, fail fast mentality. And then I go from there into another tech startup, a slingshot aerospace for a while when they just get started, just kind of, I knew them from the military, you know, help put them out on on some of the tech development roadmap and, and that's where I kind of got the bug for startups. So when I finally decided to do that in 2019, I was like, All right, what do I want to do? What is my, what needs fixed? And that's where I got to, Hey, you know what, like when I was under defense in the government side, I assumed commercialized the best stuff, man. I thought they're going to have all the great software. They're going to know everything. So you saw, I was like, no, cyber security afterthought advanced any use of any advanced analytics tools for making sure signals and communications, you know, you understood what was going on, you know, the focus is still like I said, you know, to get on orbit. And that's not wrong. But, you know, you know, at some point we have to be moved beyond just we're happy we got there for happy the capability works. Let's pretend now that this is now important critical infrastructure and treat it in a lot of the ways that we treat other critical networks and infrastructure. Wow. Okay, your story is awesome. So thank you for walking me through that because it just speaks so much to how how much you have so much experience in both the space and cyber security world that you can really see that both of the landscapes truly. And what I'm always personally fascinated by as you just sort of touched on is sort of why why have the two not meshed as well as we know that they need to and and and we were sort of chatting about this earlier like is it a cultural thing like what's the deal. But also, you know, I think people who are more mature in this space recognizes as you said there's a lot that needs fixed. We are not there yet. And I just would love to get your thoughts on, you know, my God, where do we even start with this? Right. Well, you know, I mean, there's a running joke, right? Like, if you put something in space, who's going to mess with it, right? You're not for one thing. If something goes wrong, you're not sending the IT guy turned off and on again, right? Nick from IT just up there. Yeah, it's like everything has to be done ahead of time and it has to work. And you know, and in the past, we were, you know, the assumption is that it's just too hard, right? It's too hard to touch. It's too hard to get it up there. So it's definitely too much trouble for anybody to mess with it, you know, beyond, you know, maybe nation state kind of stuff. And in that case, everybody's like, well, I'll just use my insurance, you know, war clause or, you know, I'm not going to I'll just take the loss, essentially. And so I think, you know, it's not that, you know, they every kind of knows, you know, everybody knows that cyber is important. And it's just not a priority because we haven't had that sort of major event to drive us, right? There hasn't been the big hack. There hasn't been the big takedown as something that that we really, really need on a day to day basis. And now this keeps the, you know, the military, the government up at night, and not so that they funded us, you know, very well. But commercially, it's just, you know, the incentives aren't there, I don't think. Yeah. And unfortunately, it's one of those things like when that big hack does happen, there's going to be a lot of a scramble to catch up. But we, we really don't want that to happen. We'd like people to be proactive. But, you know, humans are what humans are. Can you give me a bit of a walkthrough of the threat landscape for space? Because this is something that even with my cyber background is it is a different flavor when it comes to space, not just because it's the in space. I mean, we have we're talking about RF signals and you know signals very well. So, yeah, we'll be there. Yeah, so, you know, that's just one layer. So we we're partnered with the space ISAC, which was stood up to really provide kind of similar ISACs like information sharing analysis center, same as energy and power and water and all these other critical structures. And so they would be great if you haven't had them on to come in and talk talking to them next month. Perfect. Yeah. Yeah. And they have just this running board of things that are going on. And so, you know, this kind of comes back to our whole space when we're building is the main the main problem is that it's in space. If you're if you're talking about the communication side or even the system side, troubleshooting, like anomalies determining what is an actual problem and the threat and what is it a just it's my it's me. Right. And I think that's true in a lot of, you know, complex physical systems, but specifically in space because you have to, you know, to identify something specifically as somebody is messing with me. I've been deliberately interfered with. I somebody has deliberately sent a command. I mean, those are those are seen like people do try all the time to take over satellites. They try to send commands and see what happens from all sorts of players because it's fun. It's in space, right? And you know, it's like the ultimate hack. I've owned a satellite. Yeah. Right. I got in and got access. But it's still hard, right. And so what we see is a lot of stuff that is just just getting, you know, we don't either don't catch it or we just kind of say, or I don't know if you take a hit in your operations, but then it comes back, you know, you know, how much does it matter. So the problem there is that, you know, I think as we mature and as things become much more juicier targets, right, when it becomes, you know, really interesting to try to, you know, a mess with a starting link or, you know, try to take down, you know, you know, some critical piece of a constellation. It's going to escalate. And if you don't catch things earlier, if you can't differentiate between something that is just anomaly in the environment or something that's something on your system, you know, it's just hard. And so we don't have to even begin to unravel that because again, we don't have access to these physical devices like we do in a physical network, right. So when something goes wrong in a physical network, and you don't know and you're trying to troubleshoot, what do you do? You go plug it, you swap it out. And that's not an option. We'll be right back after this quick break. I was wondering as you were talking me through this attributions tricky on a good day. This is a sort of a flippant question admittedly. If your satellite is being messed with, does attribution really matter if you're, I mean, in that moment or is long term I imagine you want to know. But in that moment, you're kind of like, I just need to get this thing non messed with attribution. I mean, it's always hard. And, you know, I think, I mean, ideally, yeah, it'd be great. And attribution in a way to like, it's just even when it's innocent, like that interference, find out who's doing it and tell them to turn it off. Right. Every time I fly over this ground station, something happens. Hmm. All right. You know, if I can pinpoint that and you can sometimes right, you can you can figure it out. But the more important question is, you know, what happens next. You know, so if I'm seeing this pattern of things and it's not me and I can know that it's not me, it's not my system. You know, then I can also say one I can avoid it. You know, take mitigation measures to standard risk management practice, you know, or, you know, the other thing I could do is I can just be responsive to it and understand that like, okay, I see that something this has happened and in this pattern I've seen before and say in our community, other people have reported that the next thing that happens is this. So, you know, maybe it's somebody just trying to see if they can spoof my signal, they can pretend to be something they're not, you know, trying to trick my satellite to think they're the ground station, you know, this understanding that attribution aside but understanding that that pattern. Yeah, like, is it an accidental interference or is it malicious? Or is it? Yeah, one masking as the other potentially. Yeah, this is the part where I get really fascinated by how this all works because it's, I mean, accidental stuff will happen. But, you know, I imagine it would be, now I'm just making stuff up now. It would be really fun to pretend. Anyway, I'm just going to leave that thread off to the side. Anyway, so. Well, another piece to part of that just real quick is that, you know, there's a supply chain piece to and interesting enough, you know, again, these are hard problems. We're trying to find things in space and in all these, you know, crazy physics, you know, that we have to deal with up there. You know, if somebody has put something in your system that you're aware of, right, if there's some small piece of, you know, code or, you know, something built in, you know, because you are trying to lean forward and do these really hard things in space, it's hard to tell sometimes that that's just your design. Does something go in there that is actually going to affect you? And so understanding and having that pattern analysis of what normal should look like for this particular satellite is really important because now you flag internally also things are okay, that's weird. You know, I got a weird command. It got rejected now suddenly this particular subsystem on my satellite's active study. Do we have the technical capability maybe at large to understand what threats are going on at what time? Do we have that visibility at this point? Or is it still kind of bits and pieces? I would say people, like in every industry, you know, if they know that they're seeing pattern, they're not recording them because it shows, you know, it's not something people like to admit, I think. Yeah, that's true. And so, and again, you know, I think a lot of times satellite operators or some of these more ambitious space systems, if you're seeing stuff, one, you're not maybe 100% confident if it's you and your system or if it's something external. If something happened that was, you know, a major interruption or something, you're not reporting it out because, you know, space market is already in kind of this precarious position where it's supposed to be, you know, grow and be giant and all those commercial markets. You're not advertising if you can't pinpoint why when something's happened. Yeah, yeah, it makes sense. So, I mean, there, we've covered a bit of, you know, what the current threat landscape looks like and there's a lot of different things that can happen. There's some more, you know, terrestrial pedestrian threats, I suppose, like, you know, doing even via sat when it was when it had its issues in 2022, it was a VPN, I think it was like a VPN issue, essentially, or I'm maybe misremembering that detail, I apologize, but it wasn't like a super sophisticated hack. It was pretty much like something wasn't updated that should have been. And that's kind of like keeps a lot of people employed in the cybersecurity industry. Yeah, when we think about the future of, you know, cybersecurity in space and you sort of hinted at it, we're getting these incredibly sophisticated constellations that are being built at a breakneck pace right now and, you know, going in and or already are in space right now. I mean, what does that mean for what we're, you know, looking forward? I mean, what kind of new threats do we think might be emerging there? You know, I think I think what's what's kind of hot right now hot topic that we are also, you know, looking at how to address is the use of autonomous systems and AI on the space systems itself, kind of a joke AI for AI. But we're going to rely on more autonomy, right, because, you know, again, we don't have that we're not flying these things are letting us so much. And so on orbit, especially if you're doing crazy stuff like this lunar, you know, on orbit, you need to be able to have these smarter machines that make smarter decisions and can reconfigure. And, you know, if they see something go wrong, you know, adjust one of our key things right now with space forces, we're supporting the orbital prime program, which is, you know, in space assembly manufacturing, you know, on orbit, you know, vehicle to vehicle, you know, type of action that really can't be done manually. That's that's really hard to build in the perfect non machine learning on autonomous system. So, so how do you know when those are getting poisoned? How do you know when when your data is off either intentionally or unintentionally? And how do you how do you understand when to kind of throw a stop on that. And so, you know, I think we see this in the autonomous driving cars now, right, all the deep safety concerns about how do you check the AI, you know, how do you do safety and resiliency. We need that same thing on orbit, especially if we're doing more ambitious things where vehicles are approaching other vehicles and, you know, trying to maintenance service them. Because yeah, you don't want to what happens if, you know, two cars crash, it's it's it's tragedy and people could get hurt. But if two major systems cross orbit that trash is in orbit. Yeah. And definitely we don't want the Kessler effect happening because to know I mean that would be an absolute nightmare of my goodness. Yeah. So even just somebody messing with it, even like to say not the super sophisticated happens to say, you know, somebody's aware that something's going on. They might try to know maybe I try to jam something. Maybe I try to see if I can spoof a command, you know, maybe the AI on there just has a bad day. I don't know. So, so we just need to be thinking I think like this about how we go forward and protect and, you know, from all different kinds of things. I'm going to ask a philosophical question because I feel like you're the first perfect person to answer. What do we need to do? Those of us who are sort of advocating for better cybersecurity within the space industry, especially on the commercial side. What do we need to do to sort of communicate better or get through to folks that sort of know but don't put it as a priority like you need to move this up the priority queue. How do how do we do that? Yeah, that is our question. I think there's a couple of key things. I think, you know, treating space as critical infrastructure and having it designated in that way is important because then it does officially kind of stamp it as like, hey, this is just as important for us as as our power systems, you know, as our public utilities, all these things right. We're relying on it. It has an impact. I know that's more regulatory or administrative, but I think that's important because it's an acknowledgement that if you're operating up there, it's no longer the Wild West. We have to have some, you know, some sort of guidance, like some rules on this. Yeah, I think that's one of the more important things. I think from my perspective, you know, from adoption and it's kind of the same thing that happened. I think a splunk from what I've heard where they went into security, you're going to tell you everything going out of your system with observability. But at the end of the day, it was the more can I make an optimized my network operations. Can I understand what's going on so I could troubleshoot better. And I think that going forward, at least from our perspective at Rubble Space is that, you know, let me help you understand your system better. Let me give you all the data, you know, on these, you know, non IT, non IP kind of networks. Let me let me give you that deep physical analysis and and you know, ability to detect anomalies. So now if we get when we get to that point where, you know, we have a lot more cyber attacks going on that we know are happening, I can immediately resolve until the difference and I can mitigate that risk. Yeah, not just throwing data at people and logs at people and go go find it. It's it's we found it for you. We felt we're letting you know we're not making you figure it out. Yeah. So really it's just about you pop right if I can help you optimize your operations and go faster and do better, understand more what's going on in your analysis and in your system itself. You know, then that naturally can feed better into you know, a cyber solution. And I think we see that in mobile network deployment. You know, it's, you know, less worried about maybe people immediately trying to hack a mobile network, but we are really concerned with optimizing the use of spectrum and, you know, is what's quality of service and these aspects of it which, again, lead into better security posture. Carrie, this has been a fascinating conversation for me personally. Thank you so much. I wanted to make sure I gave you like the last word. I always like to make sure my guests have the last word if I missed anything. So this is sort of the open opportunity if there's something I missed or something you wanted to mention. Please go right ahead. I think my takeaway is just, you know, having been in both industries, you know, my key point I know said this several times is, is it's just, you know, we need better tools. Just me need better software tools. And I know it's hard in the space industry right now because we don't have the same sort of commonality of software that is used, you know, in other applications, right? Like everybody's not just going to their OS and it's not Linux or, you know, whatever. And it's not Cisco. We're not just off the shelf things. You know, everything's a little bit artisanal, little boutique still. A lot of homegrown. Yes, exactly. Yep. A lot of, you know, older hardware solutions because they're flight proven. And so, you know, I think it's really important that if that is going to be the world we live in for quite a while, then we need to at least invest in kind of a common understanding of, you know, what is going on with our systems, what is going on with our software, just so that we can even begin to, you know, be prepared for a future where, you know, there are legitimate and major attacks going on. [Music] That's it for T-Minus Deep Space, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us at space@n2k.com or submit the survey in the show notes. Your feedback ensures that we deliver the information that keeps you a step ahead in the rapidly changing space industry. T-Minus Deep Space is produced by Alice Carruth. Our associate producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm your host, Maria Varmazes. Thanks for listening. We'll see you next time. [Music] (gentle music)
