Over the past couple of years, there has been an increased attention paid to the security and trustworthiness of the products and services from the Satellite Communications (SATCOM) industry. This focus has been driven by customer needs, increased scrutiny from security researchers, and concerns raised by regulatory bodies.
In response to these concerns, the Global VSAT Forum (GVF) created a Cyber-Security Task Force in 2014 to bring together experts from across the industry to tackle the security challenge across the sector. The task force continues to drive enhanced security for Very Small Aperture Terminal (VSAT) systems through a series of specifications that are being adopted by numerous organizations.
VSAT’s rapid evolution in recent years means that previously isolated VSAT networks are now largely based on TCP/IP (Transmission Control Protocol/Internet Protocol), and are therefore now exposed to the types of threats that exist on the Internet, even when those networks are not directly connected to the Internet.
At the same time, customers also have increased needs for security and compliance – PCI, ISO 27001 − and other standards − have forced customers to revisit security at every business level.
The threat actors have also evolved, including criminal syndicates or state-level actors with considerable resources. News of large, substantial breaches against businesses and governments alike make the headlines with disturbing regularity. Many of these organizations, of course, rely upon satellite connectivity.
The GVF Cybersecurity Task Force, in response to increased scrutiny of satellite infrastructure by independent security researchers, called upon experts across the satellite industry, and created the VSAT Product Security Baseline (PSB) and the Satellite Service Provider Security (SSPSec) specifications. Both of these voluntary specifications apply the best practices of the Internet security community to the satellite industry.
The PSB recommends that hardware and software developers of the infrastructure components of the end-to-end VSAT solution create products that are secured by default. Further, those vendors are recommended to have established processes for handling reports of suspected security incidents and vulnerabilities. The goal here is to ensure that network operators are capable of creating secure solutions based on components that are secured and trustworthy.
Complementary to the PSB, the the SSPSec recommends what satellite network providers can do to secure their infrastructure, and increase their resiliency and capacity to deal with an attack. Addressing security at a policy, process, and technical level, the SSPSec defines minimum criteria for resiliency and availability to the benefit of every customer of the service provider.
Security specifications are nice, but true security arises from a holistic approach involving all network-security stakeholders. Effective security across the VSAT community is a key goal of the GVF, and to that end we are collaborating with the cyber-security stakeholder community to ensure the broadest industry consensus around security.
Customers ultimately vote with their budgets. By asking the tough questions, and choosing solutions that provide effective threat mitigation in today’s environment will ensure that the industry continues to champion leading-edge security today and into the future.