You hear a lot about zero trust controls in government tech circles, especially here on Federal News Network. Could this approach to cybersecurity, which requires constant verification before access to a system, be applied to protecting space assets? The U.S. Space Force certainly seems to think so. It recently granted a $17 million contract to the company Xage Security to help the branch achieve zero-trust access control and data protection. To learn more, I spoke to Geoff Mattson, CEO of Xage Security.

Interview Transcript: 

Geoff Mattson You know, in the old days, people erected protection in the middle of the network so they would give up things like firewalls that would sit between, you know, interior network, the big internet and your internal system and things like VPN servers. It would allow you to do jump over the firewall and access your, your internal resources and things like that. The principle of zero trust, instead of having these incremental, you know, middle boxes sitting in the network we need to do is set up a secure session from one end to the other. Right. So that there is no way that an attack could occur, you know, in the middle or an attacker could, you know, penetrate, you know, for instance, get past your firewall and start roaming around internally in your in your company. So that’s the principle of zero trust. Establish a session that’s secure between the client and a server or a resource and the user of the resource for a specific amount of time and safeguard it properly as well. If it happens to be a privileged session, something that could do damage. And Xage Security is, has taken this architecture and come up with a way to apply it to areas that are difficult to apply to such as industrial systems and space systems.

Eric White Specifically in space of how can zero trust be applied in space, what sort of applications are there, and what sort of tools are in need of having zero trust protections?

Geoff Mattson Yeah, well, space is really a great challenge for security in general and zero trust in particular. Because if you think about it, there is several layers, to protect the satellites themselves don’t actually work very well if they’re not connected to a functioning terrestrial network. So, we need to protect the terrestrial network. We’ve seen from recent events that attacking, you know, Viasat attack, that attacking the modems. So, attacking industrial equipment that is a modem could render, satellite communications inoperational for some period of time. And then we have the satellites themselves have to be protected as well. Our adversaries are looking at ways to try to compromise them both through supply chain attacks, you know, basically sort of putting, you know, malware or things like that into components in the supply chain or by using some sort of active attack, living off the land attack. So, there’s several components that have to be protected. And then on top of that, there’s actually the data itself. So that the data is streaming from a satellite is really what’s provides value to, you know, in our case, what we’re focused in on is the warfighters. And we need to make sure that the data is available to partners that need it. But not all of the data is available to all partners. So actually, sort of controlling access to those partners and individual basis. So, each of these, each of these layers, each of these segments, we can protect with a zero-trust strategy. And the data itself we can protect with a zero-trust strategy. It’s not without its challenges, but it’s you know, absolutely the right thing to do. As you mentioned.

Eric White You know, on those challenges, you know, just coming from the Space Force, IT. And hearing that zero trust is going to be at the forefront of protecting US space assets. Can you highlight a few of those challenges in implementing it actually. And you know, is zero trust going to be a blanket approach to solving a lot of the cyber security concerns that we see?

Geoff Mattson Well, you know, I’m glad you used the term blanket approach because, you know, that’s what I think is the best strategy, especially in terms of considering the fact that the overall strategy for Space Force is, you know, rather than having just a few high altitude, military satellites, it can, you know, relatively easily be targeted by adversaries. The intention is to use commercial low orbit satellites as well. So have thousands of commercial low orbit satellites, you know, much, much harder to attack. But in doing so, you need to be able to apply the same type of security, operations to these broad third-party commercial systems that you do to the, to the military ones. So, our approach to zero trust is we use an overlay approach. So basically, we sit in a network, but we’re completely invisible, to, to the user. On both ends of the network, and we can sit between, you know, any type of legacy device or something like, for instance, you know, a satellite which might currently not be able to be, you know, reprogrammed to have a lot of zero trust logic on its own. We can sit in between, in between the user and that system and enforce principles of zero trust. So, the idea is to do this as an overlay to it to be dropped in place. You know, we can actually come be brought up in a day in any of these third party commercial providers, and extend the coverage that Space Force has, you know, to these other commercial operators, without them noticing any change in their operations, without them having to make any configuration changes. So, you’re exactly right. You know, it needs to be a blanket approach, and a blanket need to be a blanket that covers, you know, the entire footprint, including third parties.

Eric White Speaking of the footprint, we’re not talking about the things just in the air, but what about down on the ground and the architecture there that is relied upon to actually operate these, space vehicles? I imagine that there are some cyber vulnerabilities there. Could this technology, be put into use in protecting those assets?

Geoff Mattson Yeah, absolutely. As you mentioned, that’s probably the easiest area to attack from a cyber perspective right now is the terrestrial network or the modems. And so, the principle of zero trust that we employ. What it does is it not only allows this end-to-end protection, which can encrypt and make sure there’s integrity and secure a connection between, say, you know, a satellite and a consumer of the information a satellite is, is transmitting. But we can actually protect the network itself from attacks. And one of the reasons this is very important too is you’re seeing you might have seen in the news if you follow the cyber world, the greatest growing threat vector right now is network equipment and security equipment. That’s legacy. Right. So, there are a lot of a lot of products on the market that have been developed over, you know, even decades that have accumulated a lot of technical debt and our near peer, you know, adversaries and even criminal groups have found ways to compromise that. An example of this is, you know, the Ivanti VPN server, Ivanti, formerly Pulse Secure. It’s one of the most popular, you know, VPNs among, you know, large companies and used by the federal government as well. And, you know, CISA last month put out a warning instructing all federal agencies to pull out their Ivantis immediately. And then there was a follow on warning from Five Eyes countries as well as the FBI, you know, saying that the situation was even worse and that the, VPN services were being actively compromised and there was no way to actually, you know, verify whether or not, they were under attack and there’s no way to actually fix them if they are attacked. So, it’s legacy systems like that that have coded, you know, accumulated over a 20-year period that may be easy to, to attack. Those are the types of network security protections that don’t really work in this realm.
And so, in principle of zero trust, using a product that’s developed with, you know, with the military called Secure by Design, so built in security principles, heavy use of, pen testing. And then, you know, official certification to a set of security standards is really what’s necessary to protect them.

Eric White Yeah. How would you grade the current cyber security landscape when it comes to, U.S. space assets? You know, I guess we can just stick to federal side of things for the moment because, you know, they are probably the highest, have the higher value for, any adversaries or malicious hackers. What would you say about the current situation?

Geoff Mattson Well, I’d say it’s a great question. And I would say that, you know, things are rapidly changing because as I mentioned, you know, the strategy now is to leverage, the whole commercial, satellite ecosystem as well. And so, if you look at that, there is a hodgepodge of different security solutions, that those providers have in place. What we offer as a company is, a, you know, this blanket protection that can be dropped in place with those commercial partners, with any commercial partner as well as Space Force, and provide that type of end to end protection and even protect against, you know, some commercial providers may not have the most stringent security in place. You know, cyber security is an area of growing awareness in this space. You probably know. But having said that, any drop in a solution like ours in place can significantly mitigate the effects of a compromise in another area of the networks say if one of these legacy devices were used and significantly, slow down, an attack from a near peer competitor, or hacktivist or any other type of, of attacker.

Eric White If any of our listeners were playing a drinking game, the keyword would be zero trust to take a sip. Getting past zero trust technology. Are there any other tools that might be in the holster for protecting these very, you know, new and, as you said, ever changing networks.

Geoff Mattson Well, I think a layered approach is what’s needed. And so, you know at Xage we have, sort of built in, you know, it’s called defense in depth. So, in addition to sort of setting up the encrypted and carefully monitored, authenticated end to end communication, which is the ZT buzzword that I won’t mention again, I’m going to start the drinking game off. Yeah. Give me a break.

Eric White Yeah. Give him a break.

Geoff Mattson Yeah, I yeah. So, what we need to do is also embed in that past, you know, various checks for things like files that may be infected with malware for behaviors that seem to be unusual. You know, we need to enforce normal network patterns, but then we also need to notice if something is trying to deviate from those patterns. So, you know, behind the scenes behind this, ZT end to end protection, you know, in the middle, there’s also a lot of attempts to detect, contain and mitigate any type of attack. Right. So, it’s just like a duck that looks, looks like it’s, gliding along the lake, but, you know, underneath the surface, it’s, paddling very hard. You know, what is required, for our broader national security is, you know, being able to find any of the weak links in these networks and in these, chains that serve that, provide, defense, and provide critical services. And it’s the area that is not protected is the one that the bad guys will find very quickly and be able to exploit and then, you know, move laterally. So, you know, having an approach where we can drop in place protection, and it can go anywhere, it can be deployed. And, you know, satellite can be deployed in harsh conditions on that on the ground. It can be deployed, in areas that might have intermittent or no, network access and being able to cover every spot and cover it very quickly with an overlay solution is, you know, what we think is really necessary for us to have resilience built into our national infrastructure. You know, both civilian and critical infrastructure and defenses as well.

Eric White Geoff Mattson is CEO of Xage Security.

The post A zero-trust approach to space cybersecurity could be the answer first appeared on Federal News Network.
