Sat-hack

Sat-hack


In September this year Chatham House published a research paper by David Livingstone and Patricia Lewis, called Space, the Final Frontier for Cyber Security. It Is a fascinating read, and they make a number of points that we in the BC community should take note of.

The threat of cyber security and the risks it poses are high on everyone’s list of things to defend against, but the scale of the vulnerability is probably less understood.

Every year communications, air transport, maritime trade and financial services to name but a few become more reliant on the efficiency and cost saving benefits that the use of satellites can bring.

Space has gone from the preserve of the well-resourced into an area where market forces dominate. Capabilities that were the preserve of governments and security agencies are now In the commercial domain.” David Livingstone – Patricia Lewis.   

Not surprising then that this has naturally attracted the attention of hackers that vary from well-resourced criminals to state sponsored bad actors. They are attacking the older technology of early satellites that were not built with this type of security in mind, including jamming the signals from ground stations.

The eye watering potential for disruption in national security, defence, navigation, theft of sensitive information, time signal interruption, intellectual property and the applications market are huge. In June this year congressman Adam Schiff called for a coordinated response to cyber-attacks against American satellites and suggested that such an attack could be considered an act of war.

Also in June this year, NATO declared cyber-attack as an operational theatre in which it would take collective action, in the same way it would defend a member country against invasion. This means that a cyber-attack could trigger Article 5, the core NATO principle, that believes an attack on one country is an attack on all. As a consequence, NATO, working with the European Union intends to coordinate and organise its efforts to defend against such an attack.

This will of no doubt be good news for Estonia, who were virtually shut down in 2007 by what was widely believed to be a cyber-attack sponsored by Russia.

There are many strands of work that need to be carried out in order to defend against this type of disruption. It would seem, from the launch of a Quantum satellite in August by China, that uncrackable, ultra-secure quantum communications are one of them. This satellite has the potential to translate cutting edge technology into a strategic communications asset for China worldwide. As an aside over coffee, here is a supply chain question to discuss – Could China become a worldwide supplier of totally secure communications? – discuss the implications!! I am sure we will get one eventually.

Meanwhile back on Earth – The UK Computer Emergency Response Team (UKCERT) has been set up:

  “to provide concise practical information that will be of use to anyone who has a responsibility or interest in Information Security. UKCERTs™ mandate covers business, academic and government areas of practice with a focus on the geographic area of the United Kingdom. Visitors can expect to receive, free of charge, timely advice on current technical IT Security issues which takes into account local needs.” Extract UkCERT mission statement.

This is a basic website, but should be on your favourites list.

The National Cyber Security Centre (NCSC) is set to launch in 2016, and will operate from buildings near to Victoria station in London. They don’t have a website to link to at the time of writing, so watch this space. When there is, it will also be one for the favourites list.

All of this potential for grief on a large scale can give one a sense of helplessness. As at first glance it’s hard to think of a strategy to deal with a disruption that has its origin quite literally out of this world. It all sounds as if any response at all from we small players on terra firma, would be ruled out because of huge costs, and as a consequence may prompt no action.

Given that an outage of large magnitude is likely to occur, what can we, as BC managers do to prepare for it? Well, I had no idea until I went to a popular optician to get my spectacles fitted.

During the fitting, the attendant used a computer eye device to measure the distance between my eyes, which was new. In the past they used a measuring card which they physically marked with a pen. When I enquired about this new gadget, the attendant told me that the device is all anyone in the shop is able to use now, but she liked the “old technology”, and always uses the card method as well.

Old technology, obvious really. Very often in generating a BC strategy for recovering a service to a pre-determined level, the way things used to be done can often be a good place to start. Now, that doesn’t mean to say that we rush back to pen and paper, because that’s how we did things before, it’s not always practical because of new volumes, but don’t discount the option out of hand. It may be for instance, that you could develop electronic forms that reflect the older hand written version, but completed using computer. Basic, but faster than writing, and a good stand in if your main command and control system fails.

Here are a few other simple low cost ideas that I think might mitigate against some satellite disruptions:

  • A UK map book in your car / fleet car
  • Basic no frills, standby mobile – will only do phone calls. My very old Nokia is hooked up to Tesco payg. Send a text every couple of months – number stays assigned.
  • Use of “meetme” conference calls – free to public sector
  • Enable Microsoft Lync connectivity for teams
  • If you store data in the cloud, also store it on an encrypted pen drive, a bit like a desktop store, but with portable apps attached. This allows use of stored documents via the portable apps from any computer. See www.portableapps.com
  • Simple electronic forms to be used when main system down. Will give a minimum level of service without the writing. Later can also be added to main database or included in data searches.
  • If you can, keep hold of old key IT equipment that may be of use
  • Have a human option to work equipment that has been taken over by the internet
  • Set real passwords on your collection of internet things. Don’t let your fridge become a botnet hacker.
  • Manual Credit Card machine – Asda could have done with a batch of these on the 30th of October.

I think that one way or another companies large and small will eventually face a disruption generated in space, either directly or as a result of someone else’s problem. Either way it’s worth revisiting existing strategies and examine how they hold up against this menace.