SPECIAL EDITION

Space Vulnerabilities with the Aerospace Corporation.

What does the threat landscape look like in space? We speak with Jim Myers from the Aerospace Corporation about space vulnerabilities.


Summary

James “Jim” Myers, Senior Vice President of the Civil Systems Group at the Aerospace Corporation, discusses the shift in cybersecurity threats and the need for better cyber hygiene in the space industry.

You can connect with Jim on LinkedIn, and learn more about the Aerospace Corporation on their website.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Be sure to follow T-Minus on LinkedIn and Instagram.

Audience Survey

We want to hear from you! Please complete our 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. 

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at space@n2k.com to request more info.

Want to join us for an interview?

Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. 

T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

When it comes to space cybersecurity, tell me if you've had some variant of this conversation before. It was a bit like this. Objects in space are safe from terrestrial vulnerabilities, right? I mean, there's an obvious air gap. It's certainly more difficult to connect and hack an object miles above us traveling at speeds of 17,500 miles an hour. Surely there's fewer vulnerabilities in space, right? Right?

Welcome to T-Minus Deep Space from N2K Networks. I'm Maria Varmazis. The perception of space not needing much if any cybersecurity seems to be, finally, a thing of the past. Of course, it's more difficult, but with thousands of objects in space connected to each other and to the ground, those vulnerabilities are still there and they are very real. I spoke with Jim Myers from the Aerospace Corporation about the shift in cybersecurity threats and the need for better cyber hygiene in the space industry.

I'm the lead for what we call our Civil Systems Group, and that spans customers in the civil federal space as well as commercial as well as international. I ran a cybersecurity business before I came to Aerospace. I've done satellite design all the way back to just good old-fashioned design to running businesses that, say, deliver solutions that are space-based, electronics businesses, and cyber businesses, among others. I've touched the aerospace defense world in a whole bunch of different domains and in different types of business models. About 15 years ago, I got pretty involved in cybersecurity for a period of time. I noticed then, which hopefully isn't as pronounced now, but I hope it's not a strategy, what I noticed then is we would go and interact with customers, prospective customers, and bring forward to them some areas that we thought they should look at in more detail. We thought they had vulnerabilities, and what we heard back is "we're fine." Of course, they weren't. Some of those customers that we went and talked to ended up with problems.
They had various impacts. Our traditional tech/terrestrial/aerospace defense customers are much more savvy about cybersecurity now than they were, say, when I got into that about 15 years ago. In space, it's only in recent years that, seemingly, customers have started to pay attention. I remember, I think it was 2020, and Aerospace has been right in the middle of something that I think it's called CyberSatGov.

Yes.

Yeah. It's been a really inspiring conference, a chance for senior folks and experts to interact on this topic. If you've ever met Kim Crider, who is now a retired Air Force two-star, who was right in the middle of standing up Space Force and was on the cutting edge of a bunch of things that Air Force and Space Force have done in recent years. I wrote it down at the time, the quote that I wrote down, "Space systems will be the next front of the cyber conflict." She knew it then, and here we are almost five years later.

That attitude that you described of, "We're fine," is something that I've heard many people anecdotally saying that they had encountered that same mentality and that it's been not impossible, but surprising how hard it's been to move the needle a little bit. It does seem like things are finally moving in the right direction on that, but that "we're fine" mentality has been hard to shift.

Having come from industry, one of the things that attracted me to Aerospace was, we have, as an FFRDC, we have a position in the customer community where we're trusted because we're not, we don't do the work that the contractors do. We don't build systems. We'll develop prototypes and we have a bunch of pretty neat cybersecurity-oriented prototypes, but we don't build things because that's what the contractor base does. We're not competing. We're independent. We're objective. I could come to Aerospace and have a more trusted relationship with customers than a contractor that's trying to win a job. That's not what we do.
So to sit with customers and collaboratively talk about their cyber posture and their vulnerabilities, that partnership is much easier to realize as a member of the Aerospace team than I was able to do previously in my career.

Can you tell me a bit about that conversation when you're approaching the customer? I'm sure nobody's starting at ground zero. I would hope so. How do you kick off that conversation? Have you all done an assessment? Where do you even begin?

Well, first of all, the government customers are pretty sophisticated.

I would hope so.

The anecdotes that I was sharing from earlier in my career where I was interacting with cyber customers, to think about those as more traditional companies, maybe not as sophisticated and surely not as sophisticated as the government. I loved the language that I was introduced to when I first got involved with cyber 15 years ago about hygiene. What are those basic things that you have to do? Back in those days, it wasn't even any more complicated than defense in depth. So you would just talk about, well, we'll come to the space context, but the space context is, oh, well, we're air gapped, so we're fine. Well, that's not defense at all. So defense in depth meant you had multiple levels of defense so that if the intruder got through the first one, you had the second and so forth. So sophisticated organizations, if you're having that conversation with them, they resonate with that, you've got a good start. If they have a CISO, Chief Information Security Officer, you're feeling better about things because, again, they've made the investment in somebody who's steeped in this. Government agencies, maybe not 15 years ago, but today they all have. And then those CISOs bring their teams along, and now you're creating some infrastructure. So it becomes a conversation when it comes to the space domain about, because these customers are well aware of cyber at this point.
Are they aware of potential vulnerabilities in the space domain? And so when you think about, as an engineer doing satellite design back in the '80s, little did we know, but it's been true for so long that whether we were building systems for commercial customers or systems for government customers, these systems go far beyond their design life. Typical engineers coming together, putting a lot of margin into their design, in effect over-designing it, not what you see in an automobile, but what you see in a spacecraft. And so you get much more life. And so you've got these systems that have been out there for 20, 25 years. And imagine for a second how vulnerable those systems are. They're really vulnerable. So you're having that conversation about, you just don't have any protections built in because nobody was having that conversation with you 25 years ago. It wasn't anywhere in the requirements. If there just wasn't any language like that in the requirements back in the day.

That threat model didn't exist, right?

Yeah. It's just not there. Exactly. So you start there and then you say, okay, so there's the space segment. If we're myopic, we're talking only about the space segment, but obviously there are, I mean, today it's not just space-to-ground links. Now they're going to be optical inter-satellite links. So there's a way in through the link. There's obviously the ground segment. There's the user terminals, right? So there's all these different points of vulnerability. And then it becomes even a more poignant conversation when you point to, say, for example, what happened with Viasat just a couple of years ago with their ability to support Ukrainian operations and they got hacked. So it helps when you can point customers to real-world examples.
So the fact that we have a trusted position with customers and we've got some tools and we've got some findings from basically putting those tools to work in space, we can have that conversation with customers to help them think about what are we going to do about our systems that are already deployed.

We will be right back.

Yeah. Could you tell me a bit about the tool set that you all use? I interviewed Brandon Bailey ages ago about the SPARTA framework. Tell me a bit about that.

Again, Aerospace doesn't develop long-term operational space products. However, we launch a lot of CubeSats. And back a couple of years ago, I think it was first called Star Shield and then it was changed to SpaceCop. We launched this intrusion detection system on a CubeSat and learned a lot about how to identify using algorithms, right? So kind of early AI application, how to identify what looks to be intruders as opposed to signals that are good signals. Okay. So we have SPARTA, we have I think now it's called SpaceCop. When you think about DoD, right, it starts with equip and train. You can't go to the fight unless you equip and train. And so we've got another product called Dark Sky that's a training range to do cyber training, cybersecurity training, and then the DARS detection and reporting system, which is another prototype. So different tools that I wouldn't say it's a holistic toolkit because cyber is ever evolving. Different ways to help customers address cyber challenges, space specific. And we're continuing to develop tools like that and evolve them as we learn from our literally in-space experience. And then of course, when something like Viasat happens or something else happens that relates to an intrusion in space, then we can study that and bring that back to our customers.

I'm very curious in the conversations that you've had about sort of the perception versus reality in terms of the threat landscape as it pertains to space cyber.
Are organizations sort of on the mark for what they're seeing or is there a gap there? What are you seeing?

Yeah. So I would have to caveat with I'm not close to what the Intel customers are seeing and doing and the defense customers. Because again, the part of Aerospace that I spend almost all my time in terms of my customer interactions is with the federal customers. So I think in terms of Department of Commerce, Department of Energy, NASA, DHS, so the federal customers. And universally, without exception, they're very, very thoughtful about this. Yeah, they're very tuned in. Now, if we were to look at Department of Commerce, the satellites that NOAA's flying today and the age of those satellites, some of them have been around a pretty long time. Same thing with NASA. So two examples of customers that have some assets that are potentially vulnerable. So they're aware of that. Yeah. Yeah. I have no evidence of anything other than, okay, what are we doing to support defense in depth and other techniques to protect our assets? And we do that work today. I won't say for which customers, but we do that work for customers in the federal civil space today.

I'm curious what the private industry maybe could adopt as a best practice from what you have been working on. Any sort of advice or takeaways for private industry?

So one of the things that you want to be careful about is regulation. So before we got into this discussion, we were talking about, you know, soon it'd be critical infrastructure should not be. So putting that aside, let's stay away from a regulatory perspective. And instead, just be pragmatic about how are you going to give your system the best chance of survival. You're going to build cyber into your requirement set. That's the best advice I can give. Let's keep in mind that we've got constellations like Kuiper, like OneWeb, like Starlink that are either massive already or will be massive.
And so you got to be careful about what that requirement says because these satellites need to be, they need to be light, they need to be cost effective, right? So light, so they're easy to launch, small volume, cost effective because you're turning out a bunch of them. And lifetimes are less of an issue because there is some infant mortality that's expected. So you got to be thoughtful about the requirement, but you still need the requirement because, again, right, if you think about any of these LEO constellations, they're interacting with each other too, let alone bringing data down to the ground. And so you could imagine a scenario where somebody injects something, you know, a virus of a sorts and that affects multiple satellites in your constellation. So you do want to maintain some level of hygiene. Even if you've got this kind of luxury of numbers, there's still vulnerabilities there. So I think my first piece of advice for commercial space players is build your cyber requirements in right there at the beginning.

Absolutely. Especially as we're talking about these proliferated LEO constellations and a lot of them having off-the-shelf parts. And I'm just thinking of really traditional satellites where there are these extraordinary one-offs, right? You know, custom built from soup to nuts as opposed to these massive constellations where I'm just imagining, you know, if there's one vulnerability in one, then the whole constellation potentially is vulnerable. Very different scenarios, but at the same time, potentially a threat multiplier for the pLEO situation. So that's something that I really hope people are taking note of on that. But yeah, it's a different, yeah, I can tell you about some thoughts.

Yeah, yeah, yeah, I don't have access to those designs, right, they're proprietary. Having said that, I feel pretty good about if we were just talking about those three organizations, right? Kuiper, OneWeb and Starlink. My intuition is they know what to do there.
They got, they had a lockdown. Yeah, yeah. But you know, we think about, we spend time thinking about that and supporting that because we have customers who are dependent on some of those systems all the way to, all right, we're headed to the moon and we're going to have assets supporting orbiting, you know, Artemis Gateway, which is going to be in a near-rectilinear halo orbit. And we're going to have people on the moon and we've got to have communications that we can depend on. We've got to have navigation that we can depend on, right? I mean, the things that people talk about the analog here is the GPS spoofing that happens sequesterly in the US. A bad scenario is where something happens to an aircraft, right, from a spoofing point of view. So same thing, we're thinking about that for deep space applications, literally cislunar. So there's this whole spectrum of applying the learning that we have to this range of missions. And I am staying very specific to civil federal. I'm staying away from defense and Intel just because I don't have the specific knowledge there in recent years.

I understand that distinction. Yeah, absolutely. I appreciate that. I want to make sure I give you the wrap up the podium, as it were, for final thoughts, especially to leave our listeners who I know have heard me wax poetic a lot about space cyber, but it's much better hearing it from folks like yourself who are actual experts. Anything that you'd like to leave with folks, please, the floor is yours.

Absolutely. Thank you, Maria, and thank you for the time today. I would go back to a couple of things we touched on. One being that whatever you would define as traditional cybersecurity for space-based assets, satellites, and other spacecraft, whether it's encryption, encrypting your link, some other form of kind of first boundary security, that won't get you there. It isn't defense in depth, and you need that. And so the way you get cyber right is at the system architecture level.
And Aerospace has a lot of experience in working with customers to help them design secure and resilient space systems, which, like I said before, it really starts with setting your requirements and getting those requirements right. And then you test and verify. And if you're doing a proliferated constellation, you do have the luxury of numbers. So if you can get it right with your early systems, then you'll just use that. You'll just replicate that design. And what you do see with these proliferated LEOs is they're continuously evolving their designs, so they're getting smarter and they're getting more secure as they go, which is also really encouraging in terms of the longevity of those systems. So we look forward to continuing to support our customers in this way and being available for interactions like this, Maria, and hopefully providing insights to your audience.

That's it for T-Minus Deep Space, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. You can email us at space@n2k.com or submit the survey in the show notes. The feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing space industry. N2K Senior Producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliot Peltzman and Tre Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm your host, Maria Varmazis. Thanks for listening. We'll see you next time.
