Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Episodes cover a range of topics, including the role of AI in cyber security, technology, preventive measures to stop cyber attacks, response strategies for cyber attack victims, cybersecurity challenges in healthcare, the future landscape of cyber security, computer security essentials, managing cybersecurity budgets, and the implications of SEC rulings.
Engage with industry experts and CISOs who share their perspectives on what matters most in the cybersecurity landscape. Hosted by Rob Aragao a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Reimagining Cyber - real world perspectives on cybersecurity
Cybersecurity in Space: Securing the Final Frontier - Ep. 91
“It’s only going to get worse if we don't pump the brakes and go, nope, we need to make sure we're doing this the right way.”
In this episode, Tim Fowler, an accomplished offensive security analyst and penetration tester from Black Hills Information Security, joins the podcast to discuss the intersection of cybersecurity and space systems.
Tim sheds light on:
- The unique challenges posed by the space environment,
- How the design of space systems differs from terrestrial systems
- The importance of threat modeling in shaping cybersecurity protocols for space systems.
- The biggest threats to cybersecurity in space both now and in the future.
Drawing from real-world examples like the ViaSat hack, Tim underscores the need for proactive cybersecurity measures, especially in the face of evolving threats and the increasing democratization of space technology.
The conversation also touches upon international collaboration and regulatory efforts in space cybersecurity, with Tim mentioning standards set by bodies like the Consultative Committee for Space Data Systems (CCSDS). However, challenges persist, including the cultural shift required to prioritize cybersecurity early in the space system lifecycle and address emerging threats effectively.
For details on Tim's Introduction to Cybersecurity and Space Systems class go to:
https://www.antisyphontraining.com/
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Rob Aragao: Welcome everyone to another episode of reimagining cyber Rob here with my co host as usual Stan And Stan, you know what? Today is going to be a very, very exciting day for you, talking about a couple of your most favorite topics. It will be absolutely out of this universe is all
[00:00:16] Stan: I have to say. Indeed, Rob, it's going to be out of this universe and it's converging two of my favorite topics, cybersecurity and space.
[00:00:24] We have the privilege of welcoming Tim Fowler. And Tim is an accomplished offensive. Security analyst and penetration tester. He works for Black Hills Information Security, but he doesn't only do that. He also is taking advantage of his research capability and interest in space to see how cybersecurity can be applied in space systems and has written and teaches a course on the introduction of cybersecurity.
[00:00:52] In space systems. So I think it's, it's a great topic for us to cover in the podcast. And Tim, thanks for being with [00:01:00] us today.
[00:01:01] Tim Fowler: Thanks for having me. And thanks for the invitation. I'm really
[00:01:03] Stan: excited. Yeah. So let's dive into the world of space systems and cybersecurity. And it, I think would help if, if we establish a foundation, if you explained, you know, what really encompasses a space system and, you Key segments or subsystems and how they interact in a broader architecture of some kind of space operation.
[00:01:28] Tim Fowler: Yeah, absolutely. So space systems are typically comprised of three primary segments. There'd be the ground segment and that's going to be all of your terrestrial based operations, your network control center. Just, you know, all of everything that we do here on the ground, as far as managing the mission from design all the way to operation in space.
[00:01:47] And then we have the space segment. Which is the most obvious to understand. It's the part in space and this is typically going to be one or more satellites, maybe a constellation of satellites or something like [00:02:00] that. But it's just literally the elements that are in space. The third segment is the user segment.
[00:02:05] This is one that we're. We're very familiar with, but we don't really think about it for a whole lot. But that would be just the end users of whatever the service or the, the mission of that space system is really provided. So like you could be GPS on your phone is a great example of that is you operating in the user segment of that space system.
[00:02:27] And in between those, we, we do have the link segments which are just the RF communications that allow us to. Typically RF communications that allow us to be able to send commands to, to the spacecraft, be able to control it as well as receive the telemetry back from it so that we know what the kind of status of, of the spacecraft is.
[00:02:46] But then also in the user segment for us, just to be able to interact with the data that's being provided to us, such as GPS. And
[00:02:53] Stan: in my background, Tim, I supported, as a security engineer, a ground station for an Air [00:03:00] Force platform and, and to your point, I mean, you really had this world separated in these different pieces and parts, right?
[00:03:07] We were focused on the security of the ground station and the communications. But there was a whole nother team that was dealing with that, the, you know, the actual platform side of
[00:03:15] Tim Fowler: the house. Yeah. And that's, and that's historically the way it's been. We've had a lot of I don't want to necessitate security to obscurity, but there's been this hyper isolation in, in these segments and stuff where you know, you're, you're only conf, Concerned with your objective and everything else is somebody else's responsibility.
[00:03:34] And we, we oftentimes see that kind of interoperability. That's where some, some things can get interesting, especially from a security perspective. And so yeah, your, your experience is exactly what I would, I would imagine. Right. Well, good, good. And
[00:03:48] Rob Aragao: thank you for that breakdown as well. It's very helpful, I think, for the audience.
[00:03:52] Now let's go into that a little bit further. Tim, so, so you consider the uniqueness of the environment for space in [00:04:00] general, right? How does the design of the space systems themselves differ from the terrestrial systems you were just discussing as an example relative to cyber security, right? And, but, but also, but also extend that a little bit, right?
[00:04:12] Let's, let's kind of try to connect the dots for the audience. Are you seeing similarities of that kind of thinking and processes from a cyber perspective with space systems somewhat? Tied into how we deal with kind of the, the OT or the operational technology environments today and similarities you see there as well.
[00:04:27] Tim Fowler: Yeah. Yeah. So we'll, we'll first kind of compare it to, to what we, what we know. And, and that's what I always tell people is like, start with what, you know, and work from there and, and try to apply, see if you can apply this knowledge laterally to see if it, and it does fundamentally when it comes down to an architecture I would say it's about 95 percent analogous to what we see in our terrestrial environments and stuff like that.
[00:04:51] That last 5 percent though is very, very complicated. And it is very unique because it, it, it, it's due to the constraints in the environment that you [00:05:00] have to operate within space. You know, you can't just. Hey, let's call a technician, go turn them, tell them, turn it off and on again. It doesn't really work in the, in the context of space and stuff, but from a fundamental architecture standpoint, they're very, very much the same.
[00:05:14] And I, I would think they're even getting more and more in line with each other, especially as we see migrations to, to cloud based infrastructure for, especially for, for ground control, mission control systems and stuff like that. The things that we're doing over here for your fortune, 100 fortune, 500.
[00:05:31] company in terms of securing that infrastructure in the, in architecting it, it's really going to be the same that we're going to see on the space side, as far as you're, you know, comparing it to like operational technology and the application of cyber security there. I, Oh, OT and like ICS and stuff like that.
[00:05:50] It's really gone through a kind of a renaissance in terms of a security perspective over the last 20 years or so it used to be the thing that's like we just don't talk about it We all know that [00:06:00] there's like some skeletons in the closet, but we're isolated We don't really have to worry about it that you know, but as we got more interconnected systems And networks and requirements and it's like some, you know, developers like, Oh, we have this doodad that can do this new thing.
[00:06:15] Let's just plug it up into the Internet. And it'll be great. We've people have started to acknowledge like, Hey, we got to do a better job of making sure that we're assessing this from a cybersecurity perspective. That is starting to happen in space. It's not to the, to the level or to the point that, that like OT and ICS is we're probably 15 years behind or so.
[00:06:37] If I'm being completely honest, but that's one of the reasons why I think this, this kind of topic is so important is we can take the lessons that we've learned from things like the OT and ICS space and, and apply them. To, to the to the space segment or into space systems because it's, it is very much the same technologies, kind of the same control paradigms and things that we have to [00:07:00] take in consideration, especially when it comes to like critical infrastructure, but some,
[00:07:04] Stan: you know, some practical.
[00:07:06] Challenges I would imagine with applying some of the typical cyber security controls we do, and threshold systems might be challenging when you're trying to apply to space systems. What, an example that comes to mind is encryption. Can you speak to that? As to why that sometimes is a challenge for communications?
[00:07:22] Tim Fowler: Absolutely. So one of the, one of the first like biggest assumptions that I had when I started researching in space systems is I was like, well, I'm like, it's, it's, You know, 2020 something everything's encrypted or the majority of things are encrypted in space. And the answer to that is just unequivocally no.
[00:07:39] And it was a little surprising because I put on my cyber security hat and going like, okay, let's think about why this might not be the case. And it's like the first thing I kind of thought about going back to some old, you know my olden days of being a pen tester and working with clients and stuff is like just the computational overhead of encrypting is like, it's just too resource constraint.
[00:07:58] We really can't afford the [00:08:00] blossom bandwidth and stuff like that. And that is a factor, but it gets way more primal than even that. And it's you know, operating in space. We don't have the advantage of the atmosphere or much atmosphere to protect against ionizing radiation. And that's a real massive threat to a space.
[00:08:15] So you just dump a bit.
[00:08:16] Stan: And you
[00:08:16] Tim Fowler: just pull up your whole communications, right? Yep. Yep. One, you know, one you know, solar storm or, you know frontal mass ejection or something like that, that can create havoc within your, within the electronics of your spacecraft. if you happen to flip a bit in your encryption system where your key is stored, how do you handle that?
[00:08:35] Hopefully you've accounted for that scenario and there are radiation resistance or components that you're going to use in space systems and stuff like that, but even they're, they're only fault tolerant to a certain degree. And so we have to engineer our systems and develop our systems a way that they can be fault tolerant, be able to, to Exist in these harsh environments and going, hey, it's not a matter of if a bit flips going to happen.
[00:08:55] It's a matter of when a bit flip will happen. How are we going to be resilient and stuff, but that's why one [00:09:00] of the reasons we don't see encryption used across the board. You know, you'll, you'll see it hopefully on super sensitive systems, military systems, you know and you, and you'll see a good example of where you know, you're not necessarily going to see encryption.
[00:09:14] And because there's no point, it would be like the NOAA weather satellites for the, for the weather imagery and stuff. It, the mission doesn't dictate it. It's, it would be unnecessary and it would actually go against its particular use case and its mission objective. And so you wouldn't, but the the command and control Try uplink to those satellites and stuff.
[00:09:33] You better believe that those need to be encrypted because the last thing you want is for one of your systems to be compromised and, and, you know, lose control of it.
[00:09:41] Stan: Yeah.
[00:09:43] Rob Aragao: Well, let's, let's double click a little bit more on that. Tim. So, so I mean, it's the diverse systems involved, right. Within the, the, the, the cyber kind of aspects that you have to take into account when you think about these things from kind of the, the, the strategies you want to implement.
[00:09:57] With cyber security at the core behind it. [00:10:00] You know, what are some of those kind of defense measures, control mechanisms that you're putting in place, but how are you also going about selecting them? You know, maybe an example would be around like threat modeling and what role is that playing in, you know, the shaping of protocols, right?
[00:10:13] Within that
[00:10:13] Tim Fowler: spaces. Yeah. So, so the answer really, it, you, it starts fundamentally at the, the design stage. And. When one of the challenges that we have in space is the people that are working in space and, and they are some of the absolute brightest people on the face of the planet. They are intelligent.
[00:10:36] They think in ways that just will absolutely blow your mind, but they are hyper, hyper focused in their one area of expertise, their knowledge and experience. And. That with that comes that hyper focus really does create tunnel vision and where it opens it leaves some gaps that vulnerabilities and stuff could exist and stuff.
[00:10:56] They're functional. They're
[00:10:57] Stan: functional requirements, right? They're functional [00:11:00] requirements. I am building a I am building a telescope and I am looking at the Optics and I'm not thinking about somebody trying to misuse or abuse My wonderful telescope.
[00:11:09] Tim Fowler: It, yeah, I just need it to work the way it's supposed to.
[00:11:12] And that like the functional requirements for space are, are, those are a challenge in and of itself. So the first thing is we have to do with cybersecurity prisoners. We have to understand the mission because if we don't understand the mission, if we don't understand what the, what the, the inputs and the outputs are of this space system, we will fail at helping these organizations secure.
[00:11:33] That mission and those assets and stuff, because what we're going to say is, Oh, you, you, you have to use encryption. Cool. But we don't understand what the constraint is. We don't understand that. Hey, maybe our mission actually doesn't require encryption in our user segment and stuff, but obviously we want to in our control.
[00:11:48] Mechanisms and stuff like we need to understand that we need to understand what the, the, the fault tolerances of things are before we just start going, Hey, you have to do this. And this, a lot of it is going to come down to, as you [00:12:00] mentioned, like your threat modeling and stuff, the threat modeling for spaces is definitely unique compared to like terrestrial environments and stuff, because we have the space factor, we have all of those environmental things that we have to, we thermal cycling.
[00:12:13] You know, if you're talking about a satellite in low earth orbit orbiting, you know, approximately once every 93 minutes. You're it's going to experience upwards of 200 degrees Celsius in temperature Delta every 46 and a half minutes. You have to design around your electrical components to be able to withstand those temperature variations and stuff.
[00:12:33] And so, you know we can't just be like, oh, you've got to do this. Arbitrary cybersecurity thing on the microcontroller that's due to managing your thermal control system as well, without fundamentally understanding what is it doing, how is it doing and where the actual potential issues lie. And so for applying cybersecurity and spaces, we have to start at the very beginning.
[00:12:54] It is very difficult, near impossible to bolt this on after the fact. [00:13:00] Because all of those resources that were available, they've been accounted for. Every, every megahertz of processor, every you know, bit and byte of RAM. You know, we, it's not just, Oh, let's go patch the system. If we didn't design it to be patched, it will not be
[00:13:15] Stan: patched.
[00:13:16] So Tim, here's, here's a challenge. I, I see, I mean, the lead time between that design phase, actually the conception phase, all the way through to actual. Implementation of getting the platform, you know, launched and the ground station operational could be years and years. And the threat landscape, as you well know, as a pen tester, as an offensive kind of on your day job, you know how quickly things change as far as how tax can evolve, anticipating what kind of attacks.
[00:13:51] Could be, you know, your, your platform, your deployment could be subject to is I imagine quite a challenge to be able to early on, figure that out. And then be able to [00:14:00] realize that, okay, what I'm deploying now is going to be safe against some of these attacks. Have you seen real world examples of
[00:14:06] Tim Fowler: this?
[00:14:07] You know, we've seen it. We've definitely seen cyber attacks in space systems. Not necessarily clearly in the, you know, taking advantage of the, the timeframes. I mean, James Webb Space Telescope is a great example. It took us, what, 10 years to build that. And, and so just the amount of technology and capability that, that Transpired during that window when a design, design decision was made in 2012, but it wasn't deployed until 2022 like there's a, there's a big, a big gap in that.
[00:14:38] And so, you know, a lot of it comes down to just nailing the fundamentals is because we're never going to future proof ourselves. Entirely from the unknown. It's, you know, I could turn this back around and go, it's like, well, how are you going to defend against the tomorrow's attack that you've never seen?
[00:14:56] Oh, we don't know. Like it's, you, we have to put things in places [00:15:00] that it's not so much against being able to defend against the attack. It's about being able to respond accordingly.
[00:15:06] Stan: Can you give me some examples though? Just, you mentioned that there have been some successful attacks against space based systems.
[00:15:13] Can you. Can you share with our listeners
[00:15:15] Tim Fowler: some of those that have occurred kind of the most the most recent and kind of it's the the case study That's going to be moving forward was the via sat or ka sat, network hack that took place in february of 2022 on the eve of the Utranian invasion this was a a very unique attack in that it came in from two different, it involved two different segments that you use involved the ground segment being compromised, as well as the user segment and, and user terminals being able to.
[00:15:44] To effectively interact with systems on the ground side to be able to manipulate the traffic. And effectively what happened was approximately 45,000 or so mo satellite modem terminals went dark on the e of this Ukrainian [00:16:00] invasion. And the result of this, it wasn't an actual compromise of the satellite itself, but it was, like I said, it was a two prong attack.
[00:16:06] They, on the ground station side, they came in through the internet, through a VPN portal where credentials had been accessed. They were valid credentials would allow them to authenticate. And then from there, they were able to kind of move around within the environment until they found a TFTP server that was the modems were we're reaching out to to be able to upload firmware and stuff.
[00:16:28] They put a modified firmware that essentially was a wiper. And it wiped the firmware on, on the, all of these modems and things like that. The user segment was a lot more, a little more complex. They were taking advantage of some things of the way the DHCP configuration and environment was set up within the environment to essentially kind of deny terminals from being able to connect to the, to the network.
[00:16:52] And so we had a little bit of a user segment denial of service as well as the, you know, the ground segment compromise over the internet. Got
[00:16:59] Stan: it. [00:17:00] Interesting.
[00:17:01] Rob Aragao: So, so Tim, I want to try to kind of transition to a different aspect as I was thinking about. The conversation we're having here. And are you seeing anything relative to kind of regulation coming into play?
[00:17:13] Right? There's a lot of international, I'm sure, crossover and collaboration that takes place, but just kind of what's happening out there through the collaborations, but also tied into, are you seeing any sort of kind of, you know, standards being applied from at least maybe domestically or other contributing
[00:17:28] Tim Fowler: countries as well?
[00:17:29] So generally to operate in space, it does require some, some level of international cooperation and things because you've got, you know, there, you can't own space like, you know, it's not like, all right, we're setting up pitching our tent, although the United States did plant a flag, you know, on the moon, you know, but we don't own the, we don't own the moon.
[00:17:46] But so, Like even things like Dan to, to specific orbits and what your satellite like those there, there it's cooperative efforts to make sure that, Hey, we're not in an orbit. That's going to cause issues with another spacecraft. You know, the last thing we want is to have a [00:18:00] collision or anything like that.
[00:18:01] But there are also, kind of regulatory and standard bodies. One of them, the, kind of the most common one is, is a a group called C-C-S-D-S, which is the Consultative Committee for Space Data Systems. And they have put out you can kind of think of it like, if you remember back in the day, the DOD The the The Rainbow Books.
[00:18:18] Yeah. The Rainbow Series. Yeah. Yeah. Rainbow Series. They basically have their own Rainbow series. They've green, blue, magenta, yellow. And stuff like that, but these are standards and recommendations as well as some things that are coming, you know not pre recommendations, but kind of future technology stuff for a helping standardize how space systems are designed and communicate from a data perspective things and utilizing those standards are definitely helpful.
[00:18:42] One of the things that it helps us do like with most standards is it's, it, it keeps it like if I, if I'm working for company, a, well, you know And I go work for company B that's also space. Like, I'm not having to relearn how things are being done and stuff. If it helps from that standpoint, but then there's also [00:19:00] they, you know, they're, they're addressing security.
[00:19:02] There's there's a lot of publications even from nest about, you know, how to, to, to better secure the individual segments and things like that. So we are seeing, there is a, there's a ton of international collaboration that's going on. The problem that we really have is that. There are just different tiers of operating in space because of it's gotten so cheap, it's gotten so cost effective with the democratization of space, the fact that for, you know, 150, 000 or whatever, which is, you know, cheap relative space, I can go launch my own satellite.
[00:19:33] Well, I don't really have to adhere to like all these international standards other than, you know, making sure I'm in compliance with my frequencies and I buy the licensings and stuff like that. But it's like, I can kind of just do what I want to do as long as I'm not disrupting anybody else's stuff like that.
[00:19:49] Whereas when you look at the larger kind of ecosystems like constellations, like SpaceX would be a good example. You know, they're, you know, they're wanting to put 40 some 42, 000 Starlink satellites. [00:20:00] Yeah, it's outrageous
[00:20:01] Stan: how many, how many platforms are
[00:20:02] Tim Fowler: putting it up, yeah. Yeah, they, you need to have that, that kind of cooperation and making sure that you're, you know, interoperability.
[00:20:09] And just, you know, building that, maintaining that you're not going to disrupt services or anything like that from other people. So yeah, there are regulatory stuff. I think it's ultimately I maintain that GRC Governance Risk and Compliance Is going to is the only levers that are really going to move the ball forward.
[00:20:27] Until things become requirements that we do it the right way. It's probably not going to be done because it is a challenge and it's like, well, you know, space is already hard enough. Let's. Just bolt on something even more difficult in some cases. And so we, we are seeing that, but it is, it's a slow kind of process like anything else.
[00:20:47] It's going to be very organic.
[00:20:49] Stan: Tim, when we, when we talk about like DevSecOps and a successful transition to DevSecOps, we talk about the culture and the fact that you have a, [00:21:00] a culture that has security awareness and the developers are And have that awareness about how security can impact ultimately the posture of their application, right?
[00:21:13] You've talked about the challenge of again, the engineers are very focused. On the functional requirements, you have the different segments and the focus on on each area. And, you know, and you also shared, though, that there's a lot of awareness documentation out there that help with cyber security. How how is this, you know, as far as building that awareness and the culture of of that that cyber security is Is something that has to be considered early on in the life cycle again, design phase optimally how is that progressing and, and, and your interactions with folks and you're, you're, you're trying to change that by teaching a class on this topic.
[00:21:55] Right? I mean, to some degree you're trying, even though you're not necessarily a, an [00:22:00] expert in speech, Base engineering, you, you're taking your expertise of cyber security and trying to inject that into your interest in space to be able to try and to move that
[00:22:10] Tim Fowler: needle. Right? Yeah, absolutely. You know, so I, it's not going as well as I would like it, but that's always going to be the case.
[00:22:18] Like we always want it to be better and better and better, but it is more and more people are starting to to, To understand that this is not optional anymore. We're, we're getting out of the, out of the phase and the generation of the security through obscurity. Nobody can, nobody has the, the, the resources.
[00:22:36] Nobody has the technology to be able to, to, to mess with our stuff. Sans, you know, nation state threat, you know, stuff like that. But like, you know, the Joe Schmoe they're not going to be able to do this stuff. Well, we've seen technology revolution. With things like software defined radios and stuff where it's like, that's not the case anymore.
[00:22:54] So more and more companies are taking notice that it's like, Hey, we actually do need to be a little, we need to be more [00:23:00] proactive. We need to, to, to really you know, make our software developers specifically more aware of what these things are, because at the end of the day, the vulnerabilities that are going to be existing in a space system are, Predominantly going to be software.
[00:23:16] If you look at the historical issues, my favorite, one of my favorite examples is the Phobos 1 mission from the USSR. It was a Mars probe that through a series of unfortunate events, if you will, they were forced to launch with a test procedure still active on the onboard computer. The only way they could remove that is to actually physically swap the computer out prior to launch, and they got a no go on that.
[00:23:45] So they launched this, this probe with this test sequence in it. But nobody would ever issue the command sequence to enact it. So they're like, it's safe. Well, turns out August 28th, 1988, I believe a [00:24:00] satellite operator issued a command that had a, a, a trailing hyphen in it. Well, that hyphen would have been detected by their kind of sanitization system that would, that checked all of their commands and things, but it wasn't working that day.
[00:24:15] So the operator bypassed it, sent the command anyway. And through the processing of the single hyphen it ultimately triggered the test function, what's shut down the attitude determination control system and effectively ended the mission. And so like this is like this, and this was, you know, in the late eighties and we still see.
[00:24:38] Issues like that and stuff, but it's looking at understand, you know, I, I had the, the misfortune of writing a vulnerable piece of virtual satellite last year. And it was humbling because my code did exactly what I wanted it to do. Like it, it, it solved its purpose, functionally perfect, if we will, met the requirements, met the [00:25:00] requirements, it was efficient, but it wasn't secure.
[00:25:03] And I was about two 30 in the morning. I woke up, realized, Oh, there's a remote code execution vulnerability in that. And sure enough, I got up and I got up the next morning, tested it out. You know, nice little you know, encoded, who, who am I command and the satellite returns route. Oh, that's a rough, rough day, but these things happen.
[00:25:22] Like I work in cybersecurity and I made that mistake, but why? Because I was hyper focused. I was trying to accomplish this one little thing. And so as we move into a more DevSecOps and our, you know, kind of mentality, especially with cloud and things like that, we have to make sure that we're taking into account cybersecurity at every single step of the way, whether it's through, you know, static and dynamic source code analysis those type of tools, but regression testing, you know, all of your standard methodologies become even much more important especially as we try to speed up the timeline to get to space with anything it used to be years and, you know, a decade, and now it's sometimes [00:26:00] as short as, you know and that's a, that's a short amount of time to really be able to look at all the, all the potential issues.
[00:26:06] Rob Aragao: Yeah, it's truly a race to your point. And, you know, you gave a great example just now, just think it through from this perspective, what do you see as the most concerning emerging threats? And what are the areas of challenge that, you know, the field really needs to be getting best prepared for
[00:26:24] Tim Fowler: to take into account?
[00:26:25] So as far as the, the biggest emerging threats, there's, there's a couple the, the biggest one for me, it's just the fact that we still have our reliance on aging space systems. Some things have been up there for 30 plus years and they're still serving their phone system. The technical debt and the fact like we're, we're stuck.
[00:26:43] Like we can't, you know, the only option is to replace it because there is nothing else that we can do with that. But also just the technology. Capability that we have in non space systems for being able to emulate or interact with space systems. You know, we see it with GPS jamming and spoofing [00:27:00] and you're even seeing it in like with the flight.
[00:27:02] So what is the, the ADBS or whatever. You know, that's definitely, definitely a concern, but the, the biggest kind of threat in my opinion is just our reliance. On satellite infrastructure in ways that we don't think about it in our daily lives, but we are so dependent on that, that if we don't get a grasp of it, if we don't do a better job of making sure that we're doing any kind of a, as much as possible, a security first design, and I'm not, I'm not going to be naive.
[00:27:30] Security first in space just fundamentally doesn't work because it's, it's, it's going to be about trade offs and compromises and stuff. But if we try to have a security first mindset when battling the constraints of space and stuff, we're going to do better. But if we don't especially with anybody and everybody being able to go and just, you know, launch something up into orbit And, and, you know, do what, what, what they want to and stuff like that.
[00:27:57] Where it's going to, it's only going to get [00:28:00] worse if we don't kind of pump the brakes and go, nope, we need to make sure we're doing this the right way. And there's a lot of technologies that are, you know, there's one of the coolest things is software defined satellites. We, we all know about like software defined networking and software defined radio.
[00:28:14] But now imagine just a, a A commercial off the shelf bus that you can buy that you literally just load up your satellite software and stuff. Now that brings in an interesting supply chain attack vector and things like that, if you've got this common hardware bus and stuff you know, and that's, that's another big concern as we get to more and more people.
[00:28:35] Entering into space, less and less people are actually developing their own platforms. They're just going to find a platform, a supply chain, that supply chain is definitely a legitimate concern. Probably more so as you get into the higher sophistications of the missions and stuff like that. But, but even down to, to, cubeSat platforms and Low Earth Orbit and stuff where you, where these platforms are commoditized and stuff of vulnerability and one is [00:29:00] a vulnerability and all. And that's definitely, definitely a problem.
[00:29:03] Stan: Hey Tim, one last question for you. The class that you're teaching is, can you talk a little bit about that as far as where it's available?
[00:29:10] Is it online that people can possibly take? We can actually include a link at the bottom of the show description if you'd
[00:29:15] Tim Fowler: like. So the class is called Introduction to Cybersecurity and Space Systems. It's, I've produced it in partnership with Anti Syphon Training. You can find it on the, the course information on antisyphontraining.
[00:29:27] com. And it will be hopefully sometime late Q3, 2024, where it will be available on demand as well. So the current iteration is Live but virtually live and then I do have a special edition That's going to be taught at Wild West Hacking Fest in South Dakota in October It's the same content, but instead of utilizing virtual hardware.
[00:29:50] We're actually going to use physical hardware and simulated CubeSats To actually be able to teach the class which I think is just gonna be absolutely amazing. Well [00:30:00] Tim, I mean
[00:30:01] Rob Aragao: With this show, Reimagining Cyber, we always try to focus on coming in with different approaches and different thought processes.
[00:30:08] Relative to cyber security, you, you've truly taken us into a new frontier in covering this topic. No
[00:30:14] Tim Fowler: pun intended. Maybe the final.
[00:30:18] Rob Aragao: Let's be careful,
[00:30:19] Stan: right? That's
[00:30:20] Tim Fowler: copyright. That's copyright. Careful. I just said my, maybe the final. The final what? I don't know. That's right. You didn't finish that. What you, what you, what you perceived, hey, you know, that's on yourself.
[00:30:30] That's right. But
[00:30:32] Rob Aragao: truly appreciate you coming on. And I think, you know, the audience is really going to enjoy this episode, especially because it truly is something that we've not discussed in the past. I think you've shined a light on things people weren't. Even considering, you know, your examples of something like just that we take for granted with GPS systems and what potential impacts could be there, right?
[00:30:51] So, a lot of great information. Truly appreciate you coming and joining us today.
[00:30:54] Tim Fowler: Oh, my pleasure. It's been a blast.[00:31:00]
[00:31:00] Thanks, Sam.