In space, no one can hear cyber security professionals scream

"Space is an invaluable domain, but it is also increasingly crowded and particularly susceptible to a range of cyber vulnerabilities and threats." That's not an overblown sci-fi movie strapline, but rather the chilling words of Gina Galasso, managing director of The Aerospace Corporation UK, a member of the international …

  1. elsergiovolador Silver badge

    Obscurity

    "from the ground stations transferring the data to the telemetry stream, which is not currently encrypted,"

    Reminds me of a tech lead when asked that one of the company databases is publicly accessible on the internet. He said "It's not on a standard port and there is nothing interesting in there."

    Who is going to listen to satellite traffic? It's just boring numbers anyway...

    1. Pascal Monett Silver badge

      Re: It's just boring numbers anyway

      You do know that, for a computer, pictures are just boring numbers?

      Pictures transmitted by spy satellites, for example.

      I'm pretty sure there's a lot of people who would not find those numbers boring at all.

      1. Bryan B

        Re: It's just boring numbers anyway

        Missed irony alert.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: Obscurity

      Reminds me of something told to me by someone who really should have known better: They said that geostationary satellites were immune to jamming from the ground because they were "too far away to be jammed".

      1. fargoneicehole

        Re: Obscurity

        mmm raspberry

        1. Down not across

          Re: Obscurity

          There is only one man who would dare give me the raspberry!

          Lone Starr

    3. nojobhopes

      Re: Obscurity

      Exactly. After some keen amateur decoded video from SpaceX experimental launches the company decided to encrypt their comms. https://www.redorbit.com/spacex-begins-encrypting-telemetry-data-from-rocket-launches/

  2. Paul Crawford Silver badge
    Facepalm

    The technology and CCSDS standards for securing satellite links have been available for at least 2 decades.

    Of course every new generation of 'experts' seems to ignore them!

  3. fargoneicehole
    Joke

    fireworks pshaw... so terrestrial

    A nudge to the left here, and a nudge to the right over there, disable proximity detection... a few days later and we have fireworks every night for the foreseeable future

  4. Tron Silver badge

    -set living standards back by decades.

    Brexit has already done that. Losing the satellites will just be the final piece of the puzzle. It would be weird to have limited choice on supermarket shelves, everything shooting up in price, sterling low in the water, huge delays in NHS care, long haul travel only for the wealthy and powerful, delays in waste collection, a rise in hate crime, football fans standing again and everyone buying second hand motors, yet having 21stC satellite systems. It would wreck the retro feel. The government have worked hard for several years to get us this far. We can't stop now, just when 1976 is within reach (including the heat wave). Take down those satellites now.

    -Persistent, over-the-horizon vision and continual, assured, high data-rate connectivity is fundamental in winning modern wars.

    Well it didn't work in Afghanistan against the guys with donkeys. Maybe they put 'the donkey conundrum' in a footnote.

    1. Binraider Silver badge

      Re: -set living standards back by decades.

      On the subject of guys with donkeys. An interesting argument put forward in the excellent "A Distant Plain" by GMT Games is that "irregular warfare" is, if anything, the most common form of warfare. Not just today, but throughout the whole of history. Nation states slugging it out, while obviously not unknown, is relatively uncommon.

      Vietnam taught planners all over the globe, that to defeat the US, one does not tackle them in a standup fight. The west is not loss tolerant; and even with a 40:1 casualty ratio (or significantly worse), the insurgency can come out on top if it's prepared to endure.

      Donkeys don't need petrol or diesel; don't need mechanics, logistical support, are relatively inexpensive, and highly effective even on the roughest terrain. Contrast that to moody mechanical steeds being bound to mostly good terrain, heavy lifting requirements, logistical overheads etc. Sometimes, the latest and greatest gadget really isn't what's needed. See also, Germany, 1939-45, pursuing technological panacea. Amazing progress made, but the outcome certainly from 1943 onwards was never in doubt; mostly because the Russians were able to absorb losses in ways Germany couldn't.

      Information can and does help with tactical problems. But winning firefights does nothing to win a hearts and minds campaign. And lo and behold history more or less repeats itself where lessons are not learned.

  5. hoofie

    You can easily communicate to/from a low earth orbit Amateur Radio satellite with a 30 quid handheld radio. Telemetry is piss-easy to download with modern SDR radio dongles. I've sent data packets up to the ISS on 10W from the West Coast of Australia and had them re-transmitted down to the East Coast.

    That's of course Amateur Stuff which is designed to be accessible.

    Last year an Amateur operator found an old "Military" satellite that turned out to be alive. Reverse Engineering a signal/data stream is easier with modern computers and technology - the cost/effort of getting the raw signal is a lot lower than it was 20 years ago.

    1. Yet Another Anonymous coward Silver badge

      >an Amateur operator found an old "Military" satellite that turned out to be alive

      If it asks whether you want to play a game, may I recommend you select 'no'

      1. The Dark Side Of The Mind (TDSOTM)

        Re: "If it asks whether you want to play a game, may I recommend you select 'no'"

        If you accidentally select 'yes', then make sure you choose to play 'tic-tac-toe' instead of 'Go' or 'Chess'.

        1. bombastic bob Silver badge
          Happy

          Re: "If it asks whether you want to play a game, may I recommend you select 'no'"

          and don't forget to water the flowers

    2. bombastic bob Silver badge
      Devil

      back in the early days of teh intarwebs only a relative handful of people, the vast majority of whom were NOT potential miscreants, could access other computers on teh intarwebs. So the *pressing* need for security was a *bit* less than it is now. (A *bit* being more like the comparison between dust and boulders, knowing that you really do not want dust to accumulate either).

      Currently, only a relative handful of people have access to satellites via radio. Obvious comparison follows.

  6. Potemkine! Silver badge

    There are so many ways to be pwned that sometimes I wonder why there aren't more systems going down. I guess this is because surface attacks are so huge and devices so numerous that miscreants haven't the time to target them all. For now.

    "Instead, there are lots of lawyers and political science folks who work in cyber policy and approach the issues from a purely theoretical perspective, using the newest buzzwords to get their unimplementable policy through."

    This description fits a lot of domains, not cybersecurity only!

  7. herman
    Black Helicopters

    SATNOGS

    There are many earth observation satellites that provide data streams that can be intercepted by hobbyists. See https://satnogs.org/

  8. Binraider Silver badge

    The article infers that most policy wonks aren't informed at the technical level. One forgets that even if they are, the budget required to go back and fix things is not only astronomical, but ongoing.

    The solutions to this lie in future build is in simplified systems, and the "box" responsible for deploying them to correctly configure on day one. You know, basic stuff like not having universal passwords on components. Op Systems that don't have attack surfaces the size of continents would also be a good place to start; as would eliminating OS and Software that has built in obsolescence by design/commercial framework.

    Removing state-sponsored built-in backdoors while you're at it wouldn't go amiss.

    And perhaps most of all, not using desktop, consumer OS' "because they are cheap", in places they really should not be used. Seen this in far too many industrial computers for comfort.

  9. Mike 137 Silver badge

    An uncomfortable truth

    '"There are less than a handful of policy wonks who know anything about cyber security on the technical level," Kubecka says'

    In the UK, cyber security is "managed" at strategic level by the department of 'Digital', Culture, Media and Sport. Says it all really.

  10. MachDiamond Silver badge

    Only one ball of string

    I see in many cases that large companies have their whole operation run with one big piece of software. The long supply chain that has thousands of vendors logging into it is a couple of permission levels away from the goodie store (source codes, salary information, HR, AP, AR, GL, meeting minutes). Is that done for the convenience of secretaries that are tasked with pulling up company-wide reports for the execs? Is it so the execs can tap into any information they want from anywhere in the local solar system (on the right side of the sun, obviously)?

    Iran's nuclear lab got played by not having their computers air-gapped. This happens frequently with systems you would really think should be off-line or on a non-internet private network. It's like a navy having everything in one system so a vulnerability with their recruitment website could lead to a listing of submarine deployments and the PII of the officers on those ships.

    While gapping systems either physically or by removing cross access can be inconvenient for some, the cost to a hospital where a cleaner clicks a ransomware link leads to the locking of every system in the hospital is plain stupidity. When I had a manufacturing company, the computers set up for design, CAD and product development notes were not connected to the internet or the internal network. Some of the magic in what we made was down to details in the manufacture that wouldn't be obvious in the finished product. If somebody had a copy of the build procedures, they'd have the keys to the castle. Some of the materials were down to specific vendors. While they looked pretty generic, they most definitely weren't. I still got stomped by the Chinese on price, but they were never able to get anywhere near the quality.

    1. Anonymous Coward

      Re: Only one ball of string

      If I'm not mistaken, Iran's centrifuge farms with Siemens PLCs were on air-gapped networks of their own. The network was infected with Stuxnet via USB.

      Air gapping is effective at certain tasks, but not invulnerable. I have seen working implementations of an air-gapped, but infiltrated unit where the fan speed was modulated in malware to produce an audible signalling system. This was then read off by microphones on less secure networks (a mobile phone would be enough to do it - and not be noticed). Obviously the bit rate was atrocious but that isn't the point of such an example!

      I will grant you that standards like IEC60870 for SCADA telecomms interchange have plenty of demonstrated weaknesses to man-in-the-middle attacks amongst other things - air gapping at least stands as something of a barrier to this.

      A/C because employer happens to also have examples of the same PLCs that were vulnerable to Stuxnet.
