The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a cybersecurity alert warning of possible threats to U.S. and international satellite communication (SATCOM) networks.
According to the alert, “Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.” CISA and the FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations below to strengthen SATCOM network cybersecurity.
This comes on top of a warning from the White House about the heightened potential for Russian cyberattacks against the U.S. Biden urged companies to “harden your cyber defenses immediately.” Past U.S. intelligence warnings about the timing and manner of Russia’s invasion of Ukraine were largely accurate.
Mitigations for SATCOM Network Providers and Customers
- Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks.
  - Use and enforce strong, complex passwords: Review password policies to ensure they align with the latest NIST guidelines.
  - Do not use default credentials or weak passwords.
  - Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
- Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
- Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
  - Remove unnecessary trust relationships.
  - Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged:
    - Security controls the customer deems appropriate.
    - Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
    - Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
    - Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
- Strengthen the security of operating systems, software, and firmware.
  - Ensure robust vulnerability management and patching practices are in place.
  - Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
- Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  - Integrate SATCOM traffic into existing network security monitoring tools.
  - Review logs of systems behind SATCOM terminals for suspicious activity.
  - Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool.
  - Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
  - Expand and enhance monitoring of network segments and assets that use SATCOM.
  - Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity.
  - Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
- Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.
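The monitoring mitigations above ask operators to baseline SATCOM link traffic, investigate deviations such as large spikes, and watch management logs for unusual login attempts. The following Python is an added illustration of both checks and is not part of the CISA/FBI alert or of any vendor tooling. The traffic samples, the log lines, the log format (timestamp, user, source, result) and the known-administrative-source list are all constructed for the example; in practice the inputs would come from a flow collector and the SIEM feeds the alert recommends.

```python
"""Baseline per-terminal SATCOM egress volume and flag deviations, plus a
simple check of terminal-management login records for repeated failures
and successes from unexpected sources. All data below is constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample: (terminal, hour, egress_bytes) over a SATCOM link,
# in a hypothetical shape a flow collector might export.
TRAFFIC_SAMPLES = [
    ("term-01", 0, 1_200_000), ("term-01", 1, 1_150_000), ("term-01", 2, 1_300_000),
    ("term-01", 3, 1_250_000), ("term-01", 4, 1_180_000), ("term-01", 5, 1_220_000),
    ("term-01", 6, 1_210_000), ("term-01", 7, 9_800_000),   # spike, ~8x normal
    ("term-02", 0, 400_000), ("term-02", 1, 420_000), ("term-02", 2, 390_000),
    ("term-02", 3, 410_000), ("term-02", 4, 405_000), ("term-02", 5, 415_000),
    ("term-02", 6, 398_000), ("term-02", 7, 430_000),
]

# Constructed sample lines from a terminal management interface
# (hypothetical format: timestamp user source result).
LOGIN_LOG = """\
2022-03-17T01:00:05Z admin 10.0.4.12 success
2022-03-17T01:02:11Z admin 203.0.113.50 failure
2022-03-17T01:02:14Z admin 203.0.113.50 failure
2022-03-17T01:02:19Z admin 203.0.113.50 failure
2022-03-17T01:02:25Z admin 203.0.113.50 failure
2022-03-17T01:03:02Z ops 10.0.4.20 success
2022-03-17T03:41:40Z admin 203.0.113.50 success
"""
KNOWN_ADMIN_SOURCES = {"10.0.4.12", "10.0.4.20"}  # constructed allow-list


def build_baseline(samples):
    """Per-terminal median and median absolute deviation (MAD) of hourly bytes.
    Median/MAD rather than mean/stddev so that a spike inside the training
    window does not inflate the baseline it is later measured against."""
    per_terminal = defaultdict(list)
    for terminal, _hour, egress in samples:
        per_terminal[terminal].append(egress)
    baseline = {}
    for terminal, values in per_terminal.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[terminal] = (med, mad)
    return baseline


def flag_deviations(samples, baseline, k=6.0, min_ratio=3.0):
    """Return (terminal, hour, bytes, ratio) for intervals that lie more than
    k MADs above the median AND are at least min_ratio times the median.
    The ratio floor stops a very tight baseline from flagging small wobbles."""
    findings = []
    for terminal, hour, egress in samples:
        med, mad = baseline[terminal]
        scale = mad if mad > 0 else max(med * 0.05, 1)  # no zero-width bands
        robust_z = (egress - med) / scale
        ratio = egress / med if med else float("inf")
        if robust_z > k and ratio >= min_ratio:
            findings.append((terminal, hour, egress, round(ratio, 1)))
    return findings


def flag_logins(log_text, known_sources, fail_threshold=3):
    """Flag (a) a (user, source) pair reaching fail_threshold failures and
    (b) any successful login from a source outside the known admin set."""
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        if result == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == fail_threshold:
                findings.append(("repeated_failures", user, src, ts))
        elif result == "success" and src not in known_sources:
            findings.append(("unknown_source_success", user, src, ts))
    return findings


if __name__ == "__main__":
    base = build_baseline(TRAFFIC_SAMPLES)
    for finding in flag_deviations(TRAFFIC_SAMPLES, base):
        print("traffic deviation:", finding)
    for finding in flag_logins(LOGIN_LOG, KNOWN_ADMIN_SOURCES):
        print("login finding:", finding)
```

Run as written, the traffic check reports only the hour-7 spike on term-01 (about 8x its median), and the login check reports the third consecutive failure from 203.0.113.50 followed by a later success from that same unrecognised source, which is the sequence an analyst would want to investigate first. Thresholds such as `k`, `min_ratio` and `fail_threshold` should be tuned against each link's real baseline rather than taken from this example.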
Regardless of whether you are a SATCOM provider or customer, the cybersecurity steps provided in this alert should be followed by all companies. “Security First” shouldn’t just be a mantra; it should define how you operate your business. Today’s organizations need a new security model that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, apps, and data wherever they’re located.
ACE IT Solutions offers a comprehensive suite of customizable cybersecurity services to meet your organization’s specific risk profile and compliance needs.
We continually invest in evolving our information protection program, developing our people, processes, technology and systems to create best-in-class risk management services. Protecting your information requires a strong defense on all fronts: from setting a dynamic cybersecurity strategy to developing and implementing comprehensive controls and information security services. Contact ACE IT Solutions at 646.558.5575 or firstname.lastname@example.org to discuss your cybersecurity preparedness.
View the full CISA & FBI alert at https://www.cisa.gov/uscert/ncas/alerts/aa22-076a