Satellite Services and Satellite Cybersecurity: A GVF Update For Satellite Customers

 

The satellite industry is committed to providing secure, trustworthy connectivity to customers around the world. The Global VSAT Forum has spearheaded an industry-wide collaboration with VSAT equipment vendors and service providers to establish security specifications that are designed for today’s cybersecurity threats, and laying a foundation for meeting the threats of tomorrow.

What Has Been Done?

In 2014, the GVF commissioned a Cyber Security Task Force that comprised security experts and representatives from across the satellite industry. The goal of the Task Force was to create a set of vendor-neutral specifications for the industry that would enhance security without reducing the utility and performance of VSAT solutions.

Two sets of complimentary specifications have been created:

The GVF Product Security Baseline (GVF PSB): Designed for organizations that develop and produce VSAT hardware and software, such as VSAT modems and hub equipment.

The GVF Satellite Service Provider Security Specification (GVF SSPSec): Designed for the service providers that sell satellite-based connectivity to businesses, governments and consumers.

The two specifications were designed to be complimentary. That is, hardware and software that is compliant with the PSB will facilitate and allow a satellite network service provider to meet the requirements of the SSPSec..

As of July 2015, both specifications have been finalized and released to the satellite industry by the GVF.

What do the specifications do?

Both specifications take best current practices from the Internet security community and apply them to the VSAT industry.

The PSB is intended to guide how products (both hardware and software) are developed by the VSAT industry. This includes designing the hardware or software product with security as a priority from the outset, providing for secure management and configuration, and establishing transparent methods to facilitate the reporting and response to potential security vulnerabilities in products.

The SSPSec then builds on the PSB by establishing how satellite service providers should protect networks and critical components of their infrastructure. This includes ensuring personnel have sufficient training on security, that networks are instrumented to detect and enable an effective response to any potential attack, and to establish incident response procedures within the organization.

The GVF & Satellite Industry Association (SIA) Collaborate on Joint Cyber Security Initiative:

The joint statement and core principles are a product of the important lessons for effective cyber security learned by SIA & GVF members.  The associations stress that security and risk management should be part of an organization's overall corporate culture.  Organizations should, implement and maintain best practices to protect against evolving threats, including by leveraging industry-driven resources to inform their own development of voluntary, proactive, risk-based approaches to mitigate risks.  Collaboration, not regulation, is the best way for organizations to manage cyber risks, the associations argue.  Finally, voluntary information-sharing among the private sector, between the private sector and government, and between the private sector and end users is vital.  

Full text of the core-principles document can be viewed here.

Do I still have to protect my own networks if I am a VSAT customer?

Yes. The PSB and SSPSec specifications only pertain to the satellite-specific elements of the overall network. End customers are still responsible for their own security practices beyond the VSAT infrastructure. Nothing in these documents relieves any satellite customer from managing their own security. However, what the specifications do is reduce the risk that the satellite infrastructure itself will be a successful target of an attacker.

How do I know whether my satellite service has deployed enhanced security?

Ask! Satellite service providers that adopt the GVF SSPSec are permitted to state that “this service provider has adopted the Global VSAT Forum Satellite Service Provider Security specification” or other similar compliance language. VSAT hardware and software manufacturers that adopt with the GVF PSB are permitted to say that “this product meets the GVF Product Security Baseline (PSB)” or other similar language.

What’s Next for VSAT Security?

The satellite industry is in the process of implementation of the PSB and SSPSec. This process will take time and engineering effort on the part of individual member companies. VSAT customers should continue to engage their vendors in a frank discussions “beyond the checkbox” about security to ensure that customer security concerns are adequately reflected in their satellite solutions.

Participation in this productive working group is open to any GVF Member.  The group meets regularly, and as needed, to fulfill the Task Force's Mission.  

For more information about GVF Cyber Security Task Force's activities, joining the Task Force or access to documents, please contact, Angie Mar

GVF Full Members

  • Arabsat - Arab Satellite Communications Organisation
  • Eutelsat Communications
  • Gilat Satellite Networks, Ltd.
  • Hughes Network Systems LLC
  • General Dynamics Mission Systems
  • ViaSat, Inc.
  • SpeedCast
  • SES
  • Yahsat
  • Talia Group
  • iDirect
  • Harris CapRock
  • Inmarsat
  • Intelsat
  • O3b Networks Ltd
  • OneWeb
  • MEASAT
  • Telesat
  • KBZ Gateway Company, Ltd.