In this Help Net Security interview, Øystein Thorvaldsen, CISO at KSAT, discusses how adversaries view the ground segment as the practical way to reach space systems and why stations remain a focal point for security efforts. He notes that many risks stem from supply chain gaps and legacy infrastructure that supports critical missions. He also explains how KSAT works to keep latency low while maintaining security across global operations.
Adversaries are increasingly exploiting the “ground segment” as the soft entry point into space systems. From your vantage point, which attack vectors against EO services are most misunderstood or underestimated by the industry?
Unless an adversary has very extensive resources the ground segment is the only entry point into space systems. This can be on the customer’s side or with the ground station provider. Based on the incidents we see, supply chain issues are our biggest concern, I think the issue is well known but underestimated.
The number of vendors involved in everything from antenna systems, industry standard hardware and software is big, and the overall picture is often unclear, as vendors have their own set of vendors again and so on.
Lately, we have seen several extensively used popular open-source software packages and repositories being compromised and keeping control of all the instances where we or our vendors may be impacted is not easy.
We talk a lot about GNSS spoofing and jamming in academic circles. In practice, what types of signal-based interference attempts does KSAT see, and how do you distinguish malicious intent from environmental noise?
KSAT has ground stations all around the world, a lot of them in remote areas to minimize RF interference. Whenever we consider establishing a ground station, we do thorough RF measurements to ascertain the suitability of the location. As such there is normally very little noise where we operate, and the equipment is tuned to the local noise level. We thus have mostly two sources of interference, maliciously intended or operator mistake (with lots of antennas in one place we can create interference/jam ourselves).
Russia is aggressively interfering with GNSS along the border to Norway, this does not currently affect our operations but is something we follow closely in cooperation with Norwegian authorities.
Earth observation often runs on tight “seconds-to-minutes” data delivery windows. How do you balance strong security controls with the need for ultra-low-latency downlink, processing, and dissemination?
Processing and/or analysis (depending on the service provided) is the biggest time-consuming step in most EO services. Depending on the mission this is either done by KSAT, or “raw” data is sent to the customer who does processing themselves. The customer and KSAT select a number of ground stations in suitable locations to best serve a mission, this is typically based on minimizing the time from recording to downlinking.
For the most time sensitive missions we stream data directly to the customer from the ground stations doing the downlinking. This stream is end-to-end encrypted between the spacecraft and the end customer. The traffic flows over a pre-established WAN connection, where KSAT commonly provides the connectivity between the ground station and the customer’s premises or cloud presence. This WAN is realized as an overlay network, with authentication and encryption managed by KSAT, independent of the underlying carrier network. Some customers implement their own encryption using CFE in addition.
Customers only have access to predefined ground stations and services, and this access is also dependent on whether the customer currently has downlinks scheduled.
To decrease latency even more KSAT has recently launched Hyper, where customers can get downlinking to their preferred ground station(s) independent of where their satellites are at any moment, using KSAT operated relay satellites.
Space systems often blend decades-old hardware with modern cloud-native pipelines. What’s your strategy for securing aging RF and telemetry infrastructure?
This is indeed one of our main security challenges. Antennas are expensive and have far longer lifetime than the IT equipment or technology typically deployed as part of an antenna system. We have two main approaches to deal with this, and it is very comparable to what banks and financial institutions do. Replacing core systems is hard, and availability is the biggest concern to man of our customers, thus we need to keep the legacy systems running, but protect them adequately.
Security is implemented around these systems, using a combination of isolation/network segmentation, monitoring and wrapping the functionality in modern APIs that protect ingress/egress points. At the same time, we are transitioning to a more software defined architecture, where we are less dependent on specific hardware. Some of this software is developed in-house, keeping us in control.
What is your view on automating response actions in a mission-critical environment? Where is automation safe, and where would it introduce more risk?
We are very careful about automated response, preferring a conservative approach. We do use it in parts of our infrastructure, but not for the parts we consider mission-critical. In our experience even self-learning AI-based tools are not well suited to our highly specialized set-up. As an example, when we perform emergency support for a satellite owner, that can be about saving a multi-million-dollar spacecraft in the nick of time, and the actions would be highly unusual to such an automated system.
The last thing we want is for an automated system to erroneously interfere. For routine operations that are not time-critical, where a false positive would only lead to a slight delay the trade-off is more acceptable.
Read more: Rethinking AI security architectures beyond Earth