Instructor: Tim Fowler

This Anticast originally aired on March 12, 2025.
Space is no longer the final frontier—it’s the next battleground for cybersecurity. As our reliance on space-based technologies grows, so does the threat landscape, with adversaries targeting satellites, ground stations, and critical infrastructure.
Join us for a free one-hour training session with Antisyphon Instructor, Tim Fowler, to learn and explore the growing importance of space cybersecurity, the real-world threats facing national security, and the evolving challenges that will define the future.
In this Antisyphon Anticast, you’ll discover how cybersecurity professionals can play a pivotal role in protecting this vital domain and learn actionable pathways to break into this high-stakes, high-impact field.
Highlights
Full Video
Transcript
Tim Fowler
This is not going to be very technical, in nature. This is very much a, a foundational kind of knowledge primer of like this is again, this is a niche topic that not a lot of people are actively talking about. in fact, I had a conversation, with somebody, on Friday where there’s effectively like four of us in the United States that are, are talking about this from a public sector kind of standpoint and stuff.
It is relatively new, but it’s going to grow big time. So what we’re going to look through is like, what is space cybersecurity? Why does it matter? What are the challenges? Because there are some significant challenges.
What can you do? And then we’ll have some final takeaways from that perspective. So what is space cybersecurity, Daniel? What do you think space cybersecurity is?
Daniel Lowrie
So, I mean, we’ve got a bunch of technology floating around out in space, so I would assume that that would be a part of it. So satellites, man made satellites. I guess we communicate with those things. So the communication, as far as that goes, yeah, I’ve got to go.
Tim Fowler
So you really haven’t thought about it. Right?
Daniel Lowrie
And that’s something that hits me every day.
Tim Fowler
Exactly. It’s not. And so this is, again, this is why we’re having this conversation. Fundamentally. you’re right. It’s just the practice of securing space systems. This, will include everything from satellites, probes, space stations, to ground stations, communication links.
We’re protecting all of those against cyber threats. so at the, at the, the basic, lowest common denominator. Okay, it’s cybersecurity applied to the space industry. One of the things I kind of joked about, for a while is like, why, why is, why is space ballsy enough to get their own flavor cybersecurity?
Because we don’t talk about financial cybersecurity. We don’t talk about educational cybersecurity. We don’t talk about, we don’t talk about these various industries of having their own flavor of cybersecurity. So a kind of tongue in cheek joke.
It’s like, yeah, it’s like, I don’t understand what’s up that. But what we’re going to look about is like, there’s actually some reasons that you’re going to hear this term space cybersecurity and why it is. It is cybersecurity. Plus, it’s something on top of it that makes it really, really difficult, and challenging.
And this is why we’ve got to get people looking into this now. because we’re riding a wave. The wave is starting to build. We’re in what’s called, or what I call the Space Race 2.0. So if anything about space history, back in 1957, the former Soviet Union launched the first artificial satellite called Sputnik 1.
and then we’ve kind of been in the space race since then, which I ultimately culminated with us landing on the moon, planning our flag, USA wins kind of thing. And then we’ve continued to progress, through space and with technology and stuff like that.
But we’re really what I call Space Race 2.0. And this is with the democratization, the privatization and the commercialization of space. I call it the Asians of space. and, and technology has improved.
Cost has gone down. We have more and more players out there than ever before. And that is real quick.
Daniel Lowrie
Yeah, a lot of people talk about, when it comes to cybersecurity, it can be very difficult to get into things. And one of the best things you can do to kind of make yourself stand out is find a good niche. This seems like it’s not just a good niche.
This seems like this is an area where you can become a unicorn really quickly. You can, because of having such a specialized knowledge, set, a fun.
Tim Fowler
Absolutely. and I, again, I try to, to not have an ego, but I’m going to, I’m going to put myself on a slight pedestal. This is what I’ve done over the last two years. partly because of being empowered by Black Hills Information Security, John Strand, all this having the ability to go, like, hey, there’s this thread.
I want to pull it. I want to see if there’s something here. And it turns out there’s something. Like there is something here and stuff. And this is something that you can, absolutely do. If, I’m of the belief that if I can figure out how to do, you, can figure out how to do.
In fact, we’re going to do an exercise, at the end of this class, or this webcast, where I’m going to ask you to go learn something that you’re not familiar with. And I’m going to walk you through the kind of the processes that I took to get kind of up to speed with some of this stuff.
And we’re going to do that. So that’s absolutely fantastic. question. Thank you for setting that up. So some of the key areas that we want to look at. The first one is going to be the space segment. Now this is hopefully pretty obvious it’s the part of a system, a space system that’s in space.
Okay. Space, technically or officially starts at 100 kilometers or 662 miles above the Earth’s surface. This is what we call the Karman Line. and so anything above that we’re talking about, so you go, okay, 100 kilometers or 62 miles.
That’s not very far away. Like I can drive that depending on speed limits, like in an hour. keep that distance in your mind for, for, for a few moments. then we have the ground segment. This is everything that’s here on Earth.
This is the part where our ground stations, our mission control centers, all of our just general infrastructure. This is where our workers, our employees, our technicians, our operators, our project manager, everybody is here.
And because of that, this makes the ground segment a very interesting target. especially when we’re talking about cyber attacks and things. Then we have the communication links. predominantly it’s going to be RF communications or radio frequency, but we also have the optical, communications which introduces some enhanced security, kind of through design stuff.
But there’s also these various trade offs. another thing that we really have to take into consideration when we’re talking about space cybersecurity is supply chain security. There are only so many manufacturers of space widgets and doodads.
And making sure that those have not been compromised during the supply chain. an example, not space related, but if you want to go back to last year sometime with the Israelis, and the, the pager company that they basically acquired it.
And then again we’re not gonna get political but these are the types of things that we have to be concerned about. Especially when you’re talking about microchips and things. there’s a big up to do over the weekend about potential backdoors and ESP32s and stuff which turned out to be if you believe what Expressif is saying, that it’s just debug commands and there’s enough evidence to kind of support that.
But supply changes, but not just physical supply chain like hardware and stuff like that. We also have to be cognizant of our software supply chains. Things like using like software bill of materials, making sure that we can track all the dependencies, libraries and things like that that we’re having.
Because a vulnerability in one of those could actually have a significant impact across the board on of our stuff.
Daniel Lowrie
And Tim, really quickly, Michael Yin, I think this is a good Spot to ask this question he asked, basically, is space cybersecurity similar to cloud security in that sense that the space system is practically kind of like in the cloud kind of thing?
Tim Fowler
So that’s a great question. And the answer is yes and no. If you want to get a better summarization of what it is, it would be cloud meets ICS and ot.
Okay, you have the, the remoteness of the cloud. Yes. If you can’t go out and touch the cloud in most cases. but you have the criticality of operational conditions from the, the ICSOT world.
in the ICSOT world you can send a technician out, fly them out, drive them out to touch that sensor, touch that, whatever that do the, the valve or whatever. It’s very expensive to send somebody to space to reboot your satellite.
in most cases you just, it’s not going to happen, and stuff. So it’s, it’s not a per, there’s not a perfect analogy. You’re really going to have to pick and choose from the different aspects to kind of understand that it’s part of what makes space so just bloody interesting in my opinion is because we are pulling, different concepts, different things like that.
so it’s a fantastic question to again summarize it is. I would do think of it as semi cloud, semi ics, ot, where you have these very unique operating environments, with this distance factor, this remoteness that just makes it really difficult to do.
And it’s a great question because one of the things I talk about in my class is start when you’re trying to learn this concepts or these things, start with something, and always if you can have an analogy of like, even if it breaks down at a certain level, okay, understand, it’s like, is this similar to cloud?
And like, how could it be similar cloud? If, if you’re asking that question, it’s because that’s probably something you’re familiar with. And so being able to put it into your context helps you understand that. When we kind of talk about some of the learning stuff, some of the things you can do, you start with what And so those are.
That’s a fantastic question. For, for so many reasons. and the last thing here is that we, we need to understand the space cyber threats. in most cases they are, ubiquitous with what our normal space, our cyber threats are that we face day in, day out.
there’s just the additional factor, the additional layer on top of that, that we have to make sure that we’re accounting for. Because if we just do our normal stuff, normal cybersecurity, enterprise security, all that stuff, we’re going to be leaving things out, and we need to make sure, so talking about securing the space segment.
Okay, there’s again, this is an overview. We’re not going to get into a lot of details, but we’re going to look at some of the basic stuff. So the first thing we need to make sure to do is we need to prevent our onboard computers, and software from malware and unauthorized access.
To the best of my knowledge, there hasn’t been a confirmed instance of malware on a satellite. There’s been some speculation that stuxnet, may have actually been, introduced, by China into an m, into a ground, station and taken out an Indian television satellite.
It’s, it’s speculation. Is it possible? Is, yeah. there’s enough evidence there that says it could have happened. I don’t know.
Daniel Lowrie
But malware, Just water cooler talk at this point.
Tim Fowler
It’s just water cooler talk. It’s speculation. I, I want to believe that it, it did happen. but whether it did or didn’t happen is kind of irrelevant to me because, the, the, the, the chain is there.
as far as the possibility, the feasibility. There’s, there’s some technical hurdles and stuff, but it’s not hard to sit here and go, yeah, well, if this, this and this all happened, which we do know, is it possible and stuff. but really unauthorized access is the big one that we want to, to do.
We want to prevent, satellite hijacking, or spoofing of control signals. because the last thing we want, an adversary to do, and we’re, we’re predominantly concerned with more nation state adversarial stuff.
But that’s, that game is changing as well. If we look at, especially if you go through my class, you’re going to see where your everyday hackers with a hack RF have been able to decode signals and stuff like that in ways that you wouldn’t even expect to it.
So this isn’t just limited to nation states, which is one of the problems that we face in the space industry is that as technology is more available, as the cost goes down, this veil of secrecy that we’ve maintained for years is just gone.
it seems to be how.
Daniel Lowrie
Things go though, isn’t it? Right.
Tim Fowler
We create.
Daniel Lowrie
No one really knows about them, so we don’t worry about security We. We just get it to work, and, hey, now it’s working. But as soon as we start to really lean on it for critical systems, all of a sudden, people that are adversarial go, oh, so you got a weak spot there, do you?
Tim Fowler
Yeah, exactly. I mean, it’s kind of like it’s. Again, you can. You can go back and look at the history of ics, OT SCADA networks and stuff like that. Those things were never designed to be connected to the Internet. But what did we do?
We started connecting to the Internet, and then things started to happen. the Colonial pipeline is kind of the big wakeup call for that. to this point, space has not experienced a colonial pipeline.
we’ve come close with the ka, SAT network, hack that. We’ll probably talk here in a little bit. But even then, that still wasn’t. It was, in my opinion, wasn’t as impactful, as something that’s the Kona Pipeline.
I hope and pray it’s not coming, but the. The realist in me says it’s just a matter of time.
Daniel Lowrie
Yeah, I mean, you can’t have a target like that just sitting out there and people not putting time and effort into trying to get their hands on it.
Tim Fowler
Yeah, absolutely, absolutely. this. This is the thing, and we’re gonna. We’re gonna talk about some of the. The challenges here, in just a moment of, like, why this is potentially problematic. So, from the.
From the ground segment side here, we want to make sure that we are securing our command and telemetry systems to prevent unauthorized control, this encryption. But we also want to make sure that we’re using strong authentication of our data.
Because if, we rely just on encryption so we have an encrypted link from our ground station to our satellite, we could still be vulnerable to replay attacks. whereas if we later do defense in depth, we not only can have a confidentiality because we’re encrypted, we also maintain integrity through that authentication and authorization that also prevents replay attacks.
we need to make sure we harden our network, infrastruct against cyber intrusions. This is the. This is what you guys do all day, every day. If you’re on the blue team, if you’re on network engineering side of stuff, this is your wheelhouse.
Okay? Because it’s no different. Like, this is the part of space where it’s just, like, it’s, business as usual, cybersecurity. We have to make sure we do this. The problem is we have Very, sometimes remote ground station locations, we have very dispersed different things because we’re using these different protocols and stuff like that.
We sometimes can get lacks in our overall just hardening across the board. Perfect example, the Kasat network. February 22nd or 24th, 2022, on the eve of the Russian invasion of Ukraine, the GRU attacked, this portion of the viasat network called the Kasat, where they were able to come in over a Internet connected VPN appliance using compromised credentials.
Okay, this is also reads of how X Company got breached yesterday or how X Company will get breached tomorrow. This part of it is not unique. And this is one of the challenges is we have to do everything that we’re already doing, plus some stuff.
And this is, this is where the challenges come. And then the ground segment is the most accessible. It’s where your people, it’s where your hardware, it’s where your networks, your physical locations. All of that stuff is that it makes it much more challenging to defend this.
Whereas in your space asset stuff that’s a lot harder. you’re not going to do too many physical attacks on a space satellite or on a satellite or something short of like using something kind of called an ASAT and anti satellite, technology such as, it could be a missile, it could be another satellite, something like that.
For the most part it’s a lot easier to go after the ground station. there’s this old saying that it’s, you can get a lot of information with a sock full of nickels, whether it’s credentials or something like that.
Daniel Lowrie
The rubber hose attack.
Tim Fowler
The rubber hose attack. I mean if you look how many reports have we seen, person like citizens and stuff infiltrating companies through normal hiring processes.
Daniel Lowrie
It’s very common nowadays.
Tim Fowler
It’s very common. And this is, this is something that we have to be concerned with, from the communication side again, encrypting our telemetry, tracking and control signals. We need to make sure we have the ability to prevent jamming and spoofing, as well as eavesdropping on communications.
This is a problem, especially the ease dropping because. Well, let me ask you, let me ask you this and I’ve already set it up for you, but give. Do you think the majority of space signals are encrypted?
Daniel Lowrie
I would probably say no.
Tim Fowler
Why?
Daniel Lowrie
Because no one’s, no one cares. Well, a, and it’s funny you bring this up and I’m So glad you did because Raymond has a question about this. About Raymond Barnes is asking about the communication lag. Depending on the orbit and the size of the satellites it assumes that all those type of things come into play.
So starting to encrypt and work with that, it’s going to slow things down. You’ve got, you’ve got a moving target, you’ve got a geo synchronously or get things to work together. There’s a lot of moving parts both literally and figuratively.
Daniel Lowrie
So making small quick payloads is probably the best way to go.
Tim Fowler
So, so it is and then we’re going to talk about some of the challenges. And I love that you all are, are kind of thinking about this ahead of time. This is, I think it was Jeff Thier once said as an instructor speaker, if you’re, if your audience is starting to ask the questions that you’re going to answer shortly, you’re on, on the right track, and stuff.
And so, so we’re going to address those specific things. I will, I do see encryption requires a TCP three way handshake. That’s not true. You can do encryption without having a handshake. it’s just the case in point would be symmetric key cryptography where a shared key on either side they just do the encryption, send the data on and stuff.
Now if you were, if you were using tcp, that becomes actually a bigger issue. because of the different variables, such as latency, orbits, periods, different things like that that we have to talk about.
so the short answer is no, most signals are not encrypted and there’s a couple of reasons for it. One, you’re 100% right. because we didn’t have to. We have systems that have been on orbit for 30 plus years where nobody had the technology to do this.
so why, why do we have to do that? but there’s also some other reasons that you do it. there are some use cases where encrypting your data is not needed. For example downlinks from weather satellites that are for general purpose consumption for meteorological stuff.
We don’t need, we don’t need that to be encrypted. There’s no benefit to it. so, so your mission is going to depend it but there also environmental factors that even if you have an encrypted link, you’re going to have to have a mechanism at some point in time.
If you experience a high radiation event Bit flips, especially where your encryption key is in memory or something you may have to fail open.
Daniel Lowrie
Is bit flipping something a satellite has to worry about more than some sort of ground station because of.
Tim Fowler
Absolutely. So if you’re not familiar with the concept of bit flip it’s what’s happening is it’s a result of ionizing radiation. Literally a high energy particle hits a bit in your memory and will flip it from a 0 to 1 or a 1 to a 0.
this happens here on Earth a couple of times. There’s a great book and I did Matt something. He’s a number of file, I can’t, I can’t remember.
Daniel Lowrie
Don’t you love it when that happens?
Tim Fowler
Yeah.
Daniel Lowrie
Where.
Tim Fowler
But he talks about these different events. Matt Parker. Thank you Matt. Parker, right wrote this book and he’s in it, he’s telling these stories like where data goes wrong and he’s And there was a local election and I think the UK that flipped by 496 votes like instantaneously because of a bit flip and various things.
a bit flip in a medical device actually I believe killed someone because of in doses and stuff. So it had. In space it is much m more prevalent the higher you get in altitude, in low earth orbit there is still some atmosphere but not a lot.
But if you’re up in like specifically like geostationary or geocentric or geo, or GSO orbits you’re definitely gonna have to if you’re flying. If your orbit and inclination takes you through something called saa, the South Atlantic Anomaly.
This is a area of high radiation due to kind of inconsistencies within the Earth’s magnetic field. Most general guidance is turn your system off. I was actually looking at some math Yesterday for an STM32UH processor where they basically say you can expect in the SSA 1 bit flip per hour of exposure.
Daniel Lowrie
That seems like a lot.
Tim Fowler
It’s, it’s a very lot. And so these are things that we have to take into consideration. from the supply chain side again we need to make sure the components in the software in the space are free of back doors that they haven’t been tampered with, they, that they haven’t been altered in any kind of way.
that it’s reliable. And then we also have to make sure that we just secure the satellite through the entire manufacturing, launch and deployment processes. What you really don’t want is a picture of your president putting his hands on a spacecraft that says do not touch.
unfortunately we did have that a couple of years ago, but again, managing, managing all aspects of this. And because a lot of this is not developed in house. It’s, it’s third party. You’ve got, your, you’re the vendor that somebody goes like, hey, we want to build a satellite.
And then you go and subcontract all of this other stuff, making sure that we’re due diligence, that we have proper tracking and tamper, evidence seals and technologies to make sure that these things.
Daniel Lowrie
Does this kind of thing fall under like trusted foundry type systems? Do they use that for building satellites?
Tim Fowler
I’m not familiar with the concept of trusted foundries.
Daniel Lowrie
I think if I’m remembering correctly, trusted Founder is basically a, this is the proper channel to be a, authorized create like a manufacturer of certain parts for military, government systems and that kind of thing.
Tim Fowler
So. So in that case, yes, oftentimes. Now the problem is, because of, we’ve gotten into more privatization and commercialization where companies are doing it themselves and they’re not necessarily doing it for DOD purposes or anything like that.
Right.
Daniel Lowrie
because you said everything’s commercialized now.
Tim Fowler
It’s get, it’s getting greater the. And it’s really becomes a problem when you have what’s called dual use applications. Applications. So Starlink is a great example. raise your hand if you’re a Starlink customer. it’ll probably take you a minute to hear that because of the latency.
sorry, just kidding. but, the Starlink as a consumer, we can use this. But the government and the DoD also have the ability to ride the exact same rails, if you will, of Starlink.
And this is a dual use. So they’ve got isolation, they got segmentation and things like that. But again, because of the commercialization, the privatization, these are the things that we have to take into consideration.
And it is a very dynamic environment. So, understanding the space cyber threats. so we’ve kind of talked a little bit about, some of them at a high level. So jamming and spoofing, is a big one.
We see this a lot with gps. I, I’m gonna, I’m gonna actually, I’m gonna ask this in a second. But, but we, we’ve seen a lot of different things. We’ve also seen this with aviation, and, and airplane beacons.
I’m gonna, my mind’s gonna slip. a b ABDS or something. where We’ve seen those being spoofed and stuff. We’re seeing it a lot with drones, that are being spoofed and stuff. Also it’s like you pull up these things, it’s like wow, there’s 100 drones in the sky.
No there’s not. different types of things that, and with all of that ability. Yeah, ads being. Thank you. with all those things it causes us to have to make new decisions and reevaluate. Always accounting for this variable change that could change our necessary decision, making process.
Malware and ransomware. there was a great report by Dr. Gregory Falco out of John Hopkins University in conjunction with some other authors and I can never remember the names, I apologize, called want to ransom a satellite.
This is kind of based off of our, it’s actually wanna Fly. and it’s about ransomware on a satellite based off of WannaCry. and they go through some of the details of the challenges that would be and kind of the ideal scenarios of how you would do that.
It’s much easier to ransomware the ground segment where the people are at, where I can maybe either get physical access or I can come in over the Internet or things like that. But these are things that we need to take into consideration. Data exfiltration.
this would be sensitive telemetry or mission data. Imagine if you’ve got some kind of isr, intelligence surveillance or reconnaissance, platform and that data is being siphoned off by an adversary. So they know what Now it still comes down to the data processing, the analyzation stuff.
But just having access to the data can be problematic. Insider threats. We talked about this just a little bit with the, the North Korean, infiltration of hiring pipelines and stuff, employees, contractors, compromising security and then nation state attacks.
this is the big one that the space industry is truly concerned with. Not to say that you and I, Joe Schmo, don’t to them because we, we are wielding more and more power over time. But right now like it’s, it’s the, it’s the Russias, the, the, the China’s, the Iran, North Korea.
Those are the ones that are like on the front radar. But this doesn’t dismiss that. Hey, we also got to look by the flyback because so much of what is possible is purely opportunistic.
Daniel Lowrie
Tim, just really quick.
Tim Fowler
Yes sir.
Daniel Lowrie
In your, in your experience and your, and your estimation out of all these different types of threats which one would you. Or could you give it an order? Of operations like insider threats seems to be like one of the most probable.
Like that you pay somebody, it’s one of the easier ways to go. You just go for the good old greed factor, pay them a big wad of money and say, hey, just plug in this USB and so on for. But maybe that’s a different space and you’ve got a little, you’re a little closer to it than most of us.
Where would you say is the most likely threat coming from?
Tim Fowler
Oh man. So the. There. That’s a, that’s a fantastic question. I, I think the most likely threat is not on this list. Oh. and the.
In my, in history will show the most likely threat is. Starts with the ineffective design. We don’t have security at the beginning. We try to bolt it on as it becomes a requirement down the road.
And we have seen time and time again where it’s actually that design process, the lack of security being at the table up front that ultimately leads to everything that you’re talking about. Okay, as far as what’s on this list, definitely insider threat is a, is a huge, huge concern.
jamming, is interesting because it’s a, it’s what I call a no knowledge type of attack. I’m not, I don’t even have to be targeting you. I can literally just create enough noise in the airwaves that you and everybody else is operating that frequency can’t do.
So it’s the lowest common, that’s the lowest form of attack that you can do. Spoofing that requires a lot more knowledge. Oftentimes you’re going to have to have some kind of data exfiltration or something like that for you to learn about his or a lot of reverse engineering capabilities.
and so Cliff is asking really.
Daniel Lowrie
Quick on that, on that vein, is any one band more susceptible than another? Do
Tim Fowler
No. so the, the higher you get into the bands and so just to, to level set. So when we’re talking about rf, we’re talking about different frequencies and they’re broken up into various different bands. Or you could think of like allocations.
and so there are some inherent advantages and disadvantages to all of the bands. I will say anything above 6 gigahertz, which, 6 gigahertz is lies in the C band. Anything above that, is much more expensive to get technology that can communicate in those higher bands.
so that becomes a barrier of entry. not necessarily for a nation state. Stuff, but like a hobbyist, like, hey, I’m just gonna go and see what I can do. That gets a bit of a challenge below 6 gigahertz. It’s, it’s game on.
specifically because for a lot of this, you can do it completely passively. You can just listen and there’s no laws against that or anything. And then you take those data to record and you start going through analyzing it, reverse engineering, and eventually you’re able to decode these, ideally all these signals and stuff like that.
Then you can start actually doing, formulating possible attack vectors and stuff, finding weaknesses within their communication protocols. And you can do that with nobody ever knowing it because you’re just.
Daniel Lowrie
I used to do, I used to do free to air satellite tv, the FTA stuff. I had a whole system set up. It was a lot of fun. It’s very interesting technology. So, yeah, I’ve. But I’ve also heard of like people being able to pick up the signals that you’re talking about because they’re just kind of like pumped out into the ether and if you have the right equipment, you can pick them up.
Tim Fowler
Absolutely.
Daniel Lowrie
I mean, nothing wrong with that, that.
Tim Fowler
I’ve got, I’ve got a clone hack, RF here, the, the Mayhem or whatever like this. It’s like less than 200 on Alibaba. I’ve got a couple other ones. and stuff like this can receive signals up to 6 gigahertz.
So you go, all the way down, I think like somewhere 30 megahertz or whatever like that, up to 6 gigahertz. So you’re talking about your UHF, your L band, S band, part of the C band and stuff, which is where a lot of activity is.
for instance, I, there’s a YouTube channel called Save it for Parts. If you’re interested in this stuff. Go check out that part. Save it for Parts. He does a lot of software, defined radio satellite signals and stuff. I, he just did a video, I think yesterday where, I believe he identified the downlink for Sat Gus, which is Mark Robers CubeSat.
If you’re not familiar with that, Gus, go, go look it up and stuff. And it appears to be encrypted or whatever like that. But just passively using some different technologies, he was able to go pinpoint exactly where it is and identify that signal, and stuff.
And so this stuff is. As technology advances, it becomes much more, capable and much easier for us to do. This is the landscape that we have that, we have to deal with. This is the wizard of Oz moment.
We’re looking behind the curtain, and it is not as terrifying and robust as we thought it was. So now it’s up to us as an industry to actually get to that level and exceed it. So.
Daniel Lowrie
Yeah, why does that take us? Yeah, why does that.
Tim Fowler
We’ve talked about all this stuff, but why does it actually matter?
Daniel Lowrie
How do I care? Tim?
Tim Fowler
Yeah. So space, is no longer just science. It is classified here in the United States as a critical infrastructure piece. It matters in your life so much, Daniel, that you don’t even realize it.
Okay. Now, hopefully you didn’t have to drive to your location this morning, because I’m pretty sure you’re at your home.
Daniel Lowrie
Yes.
Tim Fowler
But assuming you’re somewhere else and you’re getting from point A to point B, you’ve never been there before, how are you going to get there?
Daniel Lowrie
Well, the most contemporary, method is by using the lovely little GPS M.
Tim Fowler
We’re so reliant on. Most people don’t even know how to read. Somebody said MapQuest. Is MapQuest still around?
Daniel Lowrie
That’s, a great question.
Tim Fowler
Yeah.
Daniel Lowrie
Thumbs up if MapQuest is still around.
Tim Fowler
Yeah, somebody let me know, can people even read paper maps anymore? Because, like, this is a skill that we fundamentally lost as a society. Yes. Gps. Okay, so that would look like Math.
Daniel Lowrie
Quest is still a thing.
Tim Fowler
Yeah. M. One of the most prevalent, kind of uses of space data. And this is specifically data that’s produced in space. If you have satellite television, you’re a consumer of space data. If you have Starlink or if, Project Amazon Kuiper, or you’re an Astronis, space customer, whatever.
Hughes Net XM satellite radio. All of these things, they impact our daily lives. But what if I told you your entire financial system is predicated on space?
Daniel Lowrie
Now, now you’re just making me want to hide underneath my bed. Because if that’s true, I’m gonna go high under my bed.
Tim Fowler
Okay, it’s not. It’s not 100. Okay. One. One of the things. well, so, 2007. I believe it’s 2007. It’s either 2007 or 2012. The London Stock Exchange shut down because of a GPS jamming attack.
It was a localized GPS jamming attack. But do you want to take a guess of why this London stock exchange had to shut down because of GPS?
Daniel Lowrie
I couldn’t even begin to fathom a reason why GPS would be affecting the London, stock exchange.
Tim Fowler
L2. Nate, you nailed it. Timing. One of the number one ways that the GPS system works is by having highly accurate synchronized time. And as a result of this localized attack, the timestamps for this, for the transactions became out of sequence or, out of synchronization and they had to shut down the entire process.
So now imagine you go to your gas station and you want to go get, let’s get, you said 11, it’s big gulp day or whatever. You’re gonna get that and a pack of pork rinds or whatever, and you go and you take your, emv, card and you tap it and you get declined.
Not because you don’t have invalid funds, but because the time sequence between the payment networks is out of sync just enough that it’s going to create an auto decision of default decline until we can figure out what’s going on.
The GPS timing is everything. When your power company generates power is determined by GPS timing. When they open up the flood the gates on a hydroelectric dam when they open up.
Because remember, we have a, we don’t have a power production issue here in the United States. We have a power storage issue. It’s all real time, just in time production. And if we get those things off sync now, we’re producing too much power and we have to dump it somewhere or we’re not producing enough power and we’re getting brownouts and rolling blackouts and stuff.
These are problems that we have to take into consideration the, the rise of, space commercialization. This just means we have more attack surface. Starlink’s wanting to put some 42,000 nodes in, in low Earth orbit.
Okay. We don’t have 42,000 satellites in space now. So we’re talking effectively doubling or tripling the total over a period of, 10 to 15 years. So we have just an expanded attack.
So surface, nation state military conflicts have expanded into space again. The, the KSAT network, on the Russian invasion of Ukraine. while they did not target the actual space assets, they, those were left.
They were command and control and all that stuff was not given. They were able to use the pipelines that that system facilitated to essentially create denial of service conditions by, wiping satellite terminals on the other side of the satellite.
But not only that, they had a part two, which is actually much more brilliant. And a lot of people don’t know from the user segment, so the user segment is just that it’s the consumer side of a space system or whatever.
They identified no less than four vulnerabilities in the AAA authentication and DHCP implementations for viasat, so that all of the terminals that didn’t get wiped through their, through their malware were deauthenticated.
And then they were basically, it was a deauthentication attack. A DDoS. Viasat would fix one, they’d revert within a couple hours to another method and they played this, whack a mole for over two hours. and stuff. This is the type of stuff that we have to.
And there was significant collateral damage for this tech. Again, this was, part of the Russian invasion of Ukraine, creating a, essentially a information blackout. But energy, company in Germany was affected. There was other, know, kind of companies that were also just inherently, collateral damage of this particular attack.
These are things that we have to, to do this. We have a lack of cybersecurity standards across the board. We have some standards, but most of them are highly recommended. But there’s not a lot of enforcement, going on.
we also have legacy systems out there. Again, we have, I mean, Voyager, which is sadly, quickly, quickly coming upon its end of life. it was launched in 72, I believe.
so it’s been up there for a long time. We have stuff that’s been up there for 30 years. and oftentimes we don’t have the ability to just do things, that we would like to be able to do in terms of updates and, and we have all these constraints that we have to deal with.
in fact, a lot of people that I’ve talked about, about active, or what I call active vulnerabilities or vulnerabilities that are in place, they’re like, is it flying? Yeah. Okay. Because the risk may outweigh the reward of actually going and patching it, if they even have the ability to patch it.
And oftentimes you don’t. and then just generally cybersecurity attacks within, within space just are generally easier than you think they are. because they’re much. Again, everything’s getting interconnected in ways.
There’s not as much isolation as you want to believe that there is. Like, oh, yeah, it’s, it’s up there and stuff like that. If you look in history, we’re seeing more and more and more of this stuff taking place. And some of it is very sophisticated, but some of it.
Daniel Lowrie
Is this prompting any of the manufacturers of these devices to try to forward think to like, hey, we need to be able to. Because obviously it’s not an easy thing to get up in space and go, hey, let’s apply a firmware upgrade.
We would have to have some mechanism, Mechanism, in place so that we can, can future proof these things. Is that happening?
Tim Fowler
Yes and no. again, it’s, it’s like it’s the default cybersecurity answer. Well, it depends. generally there is an app, there is an appetite for doing this. But what we have to understand, and this is across the board, but it’s more so within, in the space industry is what I’m going to focus.
Okay? We have a, we have a spectrum. On one side we have the mission. On the other side we have cybersecurity. Okay. Ideally we want to find a happy medium where both can exist.
But if it comes down to a decision between doing something securely and continuing the mission, see a security. It’s not happening. Now I can put my security hat on and go.
But wait, no. At the end of the day, operations wins out. It’s the same thing in business. I hate to admit it and stuff. Until you have that colonial pipeline or that major breach or whatever within every company.
Well, we take cybersecurity serious after the fact. The reality is the mission’s going to come first. There are some significant efforts being done by a lot of different companies, across the, across the globe, to helping better stuff.
And there’s some organizations I want to talk about. One, here probably next to the last slide or something that I’m a big fan of, big proud to actually be a member, of that organization and being able to contribute to helping, provide guidance and frameworks for making sure that we’re doing this.
the number one issue though is that we’re not doing it at the lowest levels. The way most people get into the space industry and kind of get into this stuff is through university programs and stuff, stuff building cubesats.
If you go and look, in a lot of the implementations of cubesats, security is just an afterthought. They’re just trying, like they’re just trying to get into space, which I get. I understand that. Like it makes sense. but this is, this is one of the big challenges.
I, am going to stop. the O posted a video, from C3 this past year, called, hacking yourself a satellite, recovering BSAT one. I would highly encourage you guys to go watch that.
It is one of the of the best talks, of just going through the whole rigmarole of actually recovering a satellite that’s been on orbit since 2009. fantastic research so thank you for sharing that.
but getting back to why it matters. Okay. the role of space systems in our daily lives. We talked about this. things from, from gps, from timing, just the fact Internet connectivity so much relies on this stuff. Our defense posture relies on this stuff.
Our weather depends on this stuff. we’re seeing an increased rise in cyber threats to our space assets, both here on the ground and, on orbit. we’re. There are entire warfare platforms that are on orbit right now.
This whole purpose is to be able to figure out ways to attack other satellites and just wait for that opportunistic time, the right time. That’s like, hey, if we can, just, disrupt your ability to communicate, say in an act of war or whatever, we win kind of thing.
the economic significance of the space industry, space is going to be, we’re going to see, trillion dollars, numbers going out into this industry, especially as we get more established, if we can get a consistent, presence, on the moon is going to just change everything.
We’re going to talk about, space, mining, whether it’s lunar mining or asteroid mining. There’s going to be entire economies built around just space in general. and then we just have initiatives to enhance, cybersecurity across the board, but specifically within space, itself.
Daniel Lowrie
So what are the sounds like? it’s. Man, it’s like, you got to stop reading my mind because while you’re sitting here talking about this new economy of space based, businesses that are coming, eventually they will be here.
There is no stopping it. It’s. Why haven’t we had that before? It’s because space is difficult to get to. It’s not hard, it’s not easy. It’s a tough thing to do. I start putting things out there.
Tim Fowler
I start my class with the timeline of the Japanese Hayabusa mission, from like a 2005 time, frame or 2003 to 2005. and it is, it is like, it is an amazing timeline and it just shows how hard just space is.
And then it’s like, oh, yeah, we need to, like, we need to secure it too. it’s, it’s kind of, it’s kind of funny, but it definitely sets the tone for it. so the, the thing that I want you to like, the number one thing I wanted you to take away is I, I remember at the beginning I said, why does cyber or space cybersecurity get their own version of space or cybersecurity.
This is the reason why, okay, this is that cybersecurity plus thing, because this is the thing that makes it difficult and the things that we have to solve, first we just have inaccessibility of space assets.
Once we ship it to the launch integrator, we don’t touch it. Okay. Assuming the rocket is successful in launching, we’re not going to fly up there and touch it. In most cases we have long mission lifespans with outdated technologies oftentimes, especially on larger missions.
Take the James Webb Space Telescope. The integrated science and instrumentation module is using something called a power or a rad750. This is a radiation hardened power PC 750 CPU in conjunction with PowerPC and BAE Systems.
It was devised in 2004. The decision to put it on the James Webb Space Telescope was somewhere around 2012. It launched in 2021. That’s a 17 year span.
Okay. And I’m not saying that there’s any speculative computing vulnerabilities like its counterparts intel and AMD that took place, Spectre meltdown, stuff like that, that, but more than likely it’s vulnerable to something like that.
These are things we have to say. We have very limited computing resources, okay. And because of that we have to devise new solutions. We can’t just rebrand or re, model like hey, we’ve got IDS for space.
We don’t have TCP ip. We’re using all serial protocols on our, on our space bus. Do you have the ability to do that? Do you understand that we have to run this at the lowest possible denominator because of these physical power.
So we use something called swap size, weight and power. And it’s always a trade off. Okay. If I want to increase the power, well it’s probably going to increase my mass. and if I increase my mass I may have to increase my volume. All of these things it’s like Software X kind of thing.
we have high latency and disrupted communications. RF is inherently lossy. And so we have to do things to take these into considerations. We have to design protocols that are resilient to the environments of space.
We also have to do things where, especially for deep space network stuff and where you have delay tolerant networks where it’s like I may send a command and it may not get to its destination for days. How do you like that?
Doesn’t work in our minds with TCP IP and stuff. And so we have to develop new solutions. Not just a matter of oh, we’re just going to test, hey, we can’t do the cloud model. We’re going to do your on prem stuff in the cloud lift and ship.
It’s not going to work. oftentimes we have no real time patching or updates. This is the, this is the hard one.
Daniel Lowrie
This is, makes me think of that, that scene from the Martian when he’s stuck up there and they’re having to communicate with him and there’s a delay and how, communications, it’s like it takes time for these things to get from point A to point B.
Tim Fowler
It, it does and then you have to make sure you’re doing all your error correction and things. Mars is interesting one because they use a lot of del. delay, tolerant protocols and stuff with higher correction whether, because you’ve got one transmission could anywhere between 4 and 24 minutes one way.
So like it’s not gonna be like ping. Well, let me go get a cup of coffee and see back if I can get a pong back. This is a problem. Real time patching and updates as I talked about this is also problematic. and it’s just the most hostile environment that you can imagine.
It is actively trying to destroy you, whether it’s through space debris, asteroids, meteorites, radiation, just the sun, everything like that. It’s just like temperature swings. All of this stuff we have to take into consideration.
But what can you do? This is what we’re all here for, right? What, what can you do? Well, the first things to realize is it is here. Space cybersecurity is, is here. I’m talking about it.
There are other people are talking about it. It’s still a niche topic but it is gaining traction. We’re getting there. And this is a growing industry. and so understanding like what this is like a timeshare. Don’t you want to get in at the ground level?
Just imagine if you now, yeah, agna. No, literally you do want to get in, in the ground level. because things are a lot easier on the ground than they are in air. in fact, where do you want to find your vulnerabilities? Well first you want to find them right after they were introduced.
Secondly, you want to find them before they’re launched because then somebody has to make the unfortunate risk assessment of if we can patch, do we patch? It’s a challenge, but we need to learn the fundamentals okay.
And there’s two things that you’re going to have to do when we’re talking about space cybersecurity. You’re going to need to know the space site, but you’re also going to need to know the cyber side. A lot of us know the cyber side better than the space side.
And so it’s about figuring out how to learn and equate to what we already know. and so you have to be willing to learn something new. It’s going to be uncomfortable. There’s going to be a lot of scenarios where, like, I don’t know what that means, I don’t know what this is.
I don’t know what the context means. That’s okay, because what I want to do now, we’ve got, we’ve got just enough time to do that. This is going to be awesome, is we’re going to take about three or four minutes and I’m going to go to the next slide and there’s going to be two sides to this slide.
One’s going to be a space side, one’s going to be a cybersecurity side. I don’t know that we have a lot of space professionals on here, so most of us are going to end up falling on the space side. But whatever your more expertise is, whether it’s space or whether it’s, it’s cybersecurity, pick the opposite.
I want you to pick an acronym and I want you to spend about three or four minutes googling, chat, GPT and clotting, whatever you want to learn, as much as you can about that one subject.
Okay. Doesn’t matter what it is, just try it, put it in the chat. Tell, tell us which one you pick and what you learned about it. Okay. We’re going to learn together. So here’s the slide. Okay. Again, most of us are probably going to be on the left side is that you’re not going to know necessarily what this stuff means.
And that’s the point on this. On the cybersecurity side, if you’re great in space and you’re wanting to learn the cybersecurity, do this, do this cybersecurity side, because it’s going to have the same result. and so, yeah, some people are putting in what they’re, they’re, they’re looking at here.
and yeah, I’m going to kind of talk over this for the next, just next couple of minutes. and then, and then we’ll wrap up here. But this is the process that I went through when I was learning. This is like, I Was like, hey, I knew about X.
So I started looking at cubesats. Okay, that was kind of my entry point because I knew that they were cheap, typically made of consumer off the shelf components. And I, I just, I had.
So I was like, I’m going to start there. And then I started learning about these other things such as like somebody has ADCs, okay, this is not active directory, certificate services for your red teamers, and stuff.
Well, what is that? Well I wrote it down and I’m like I’m going to come back to this. And every time I came to this subject that I didn’t know what it was, I just put it down in the comments like, go like I’m going to dedicate five minutes to this topic and then I’m going to dedicate five minutes to this topic, and this five minutes to this topic.
And what happened is it started to grow this web where things started to come into play where it’s like, oh, this makes sense now. And if I do, oh, if this has an impact on this and you start to figure out how are all of these things interconnected and this is how we start to learn.
Okay, this is something new, this is something foreign for a lot of people. And this is an approach to take it. Like if you can limit yourself to five minutes or say I’m going to take five minutes on this thing I’ve never heard of, you’re going to come up with 30 other things that you’ve never heard of probably.
But this can start you down that rabbit hole, that path. And this is, this is the approach that I took. Now mine was a little more bombastic and like probably insane, by, by most clinical standards. But this is what, this is what we can do.
and so this is, this is just an exercise that I want to share with you, encourage you guys to do it. because this is, this is what we want to, want to understand. And there are, there are. I not a big fan of Elon Musk and we’ll leave politics outside but his like hatred for acronyms I do support because it is like it is so hard, so hard to, to be able to identify what all this stuff means when it’s just acronym city and stuff.
Daniel Lowrie
But it does get difficult, man, I’ll tell you what, I still struggle with acronyms. So I’m in that.
Tim Fowler
I do too.
Daniel Lowrie
No doubt. I don’t know why. They just do not stick in my head. If you tell me the term I can, I can remember. But if you tell me it’s an acronym and then I start using it in my daily parlance, then the name for that term gets real fuzzy real quick.
I just started associating the term with what it does and how it works.
Tim Fowler
Mhm. Exactly.
Daniel Lowrie
So the act, that’s what I, that’s what ends up happening to me.
Tim Fowler
So yeah, I, I call it learning backward.
Daniel Lowrie
Yeah.
Tim Fowler
As I learned what the thing does and then I’m like, oh, okay, that, that makes sense and stuff. So looking at some possible, I, I’m calling this Career Transitions, but really it’s not, it’s more about ways of applying what now and what you may be doing and how it could apply into the space industry.
so network security industry, engineers and stuff, this was, you’re going to be responsible for securing ground station networks and all of the infrastructure. This is a hard, hard job. Okay. Cloud security experts, this is, we, we now have what we call ground, stations as a service that are connected into these cloud infrastructures.
So it’s not just your cloud, infrastructure, it’s now your ground station as well that you’re essentially renting, being able to do that. Penetration testers, testing, ground stations, satellite telemetry, mission control systems, everything that needs to be tested.
And most of the time the testing’s got to be done early. Be. It can’t be. Oh, we’re going to test in prod. No you’re not. One, you should never test in prod. But two, don’t test in prod. Incident, responders, soc, analysts and stuff would be a potential good transition, for being able to do this.
So some final takeaways. Space cybersecurity is here. There will be an influx of roles as this industry, matures. Pay attention if this is something that gets you excited. The time is kind of now. the challenges of operating space are never insignificant.
It will actively be working against you. And if you don’t take it into account, you will fail. The saying is if you fail to plan, you plan to fail. 100% applies here. You can get started now. You don’t have to wait.
There are books, there are trainings, there are research, that you can do. One, of the number one book that I recommend here is on the slide. This is, Space Cybersecurity for Space by Dr. Jacob Oakley. This is actually the second edition.
If you want the primer, this is where to jump in. This is the best resource that there is out there, and stuff. But if you jump in, start the conversation, start asking questions, keep it going.
And if you’re really interested in take my class coming up next week, March 20th and 21st, foundations of space Cybersecurity, where we’re going to go much deeper, much more hands on.
It’s going to be a lot more fun. It will culminate with you getting to hack a satellite. and so I encourage you to check this out. I also have a second course that’s going to be coming out later this year that you may be interested.
So stay tuned for that as well. If you’ve already taken, this class, you definitely want to pay attention for the second one. And with that. Thank you guys. This is my, contact information here, here. And yeah, we’re done.
so got any questions, comments, feedback? As long as they’re all positive, of course.
Daniel Lowrie
Yeah, of course. We, we take.
Tim Fowler
Except all negative feedback here. All negative comment, comments will be jettisoned out to a graveyard ornament.
Daniel Lowrie
I just forward them on to somebody I don’t like anyway.
Tim Fowler
Yeah, forward them on the outlook rule.
Daniel Lowrie
That just does that. Tim, this was such a cool talk though, bro. Like, it’s already like an interesting topic, right? So that is a plus. I think a lot of us just find this kind of thing fascinating by nature.
But then you come in and put some real wheels on it for us and show us that there is a path that we can take and we can follow to learn more about this stuff and start to become a part of that community and maybe even be some of the pioneers in the security space for that specific industry that is just burgeoning and waiting to have these people come in and help them secure that up.
So your passion for it is obvious. I now understand the entirety of why people are so excited about taking your classes because this stuff is just stinking cool and it’s going to be super important as the future continues to progress.
Tim Fowler
It absolutely is. And the thing that my goal is, I never set out to be kind, of the leader of the pack, if you will. and that’s still not my, my goals or anything. My goals is to help to be able to facilitate the inspiration and the motivation that someone else needs to actually, like, I can go and do this, because I, that’s, that’s how I did it.
I just took something that I was interested in. I got a little bit of a push from somebody in my inner circle. And this is where we’re at multiple years later. so, to, to try to be a force multiplier, because I can’t do it myself.
Dr. Oakley can’ it himself. other. Other people. We can’t do it. But if we can become force multipliers, we’re going to be effective, at actually doing this.
Daniel Lowrie
Well, you’ve definitely lit a fire up under a bunch of people here today, so thank you so much for your time. For those of you in Discord, thank you for joining us, but we are about to jump into the Zoom backstage area. We have an AMA time after these little events that we like to do.
Tim, of course, you’re more than welcome to join us there. There as well. We’re just going to take about 30 minutes to open the floor to questions and conversations in that Zoom backstage area. So if you’re joining us on Zoom, we’ll see you then.
And for your Discord members, thanks a lot. And until next time, have a great day.
Tim Fowler
Thanks, everyone.
Stay up to date on our upcoming live Anti-Casts and more at https://poweredbybhis.com
Don’t forget to check out our Course Catalog for our upcoming free and affordable cybersecurity training!
