New Zealand space tech start-ups are often buying components from overseas – for example, start-ups manufacturing satellites and nanosatellites are often turning to non-sovereign countries for parts. This needs to be managed carefully with comprehensive oversight, as overseas components are a significant supply chain risk for start-ups, and it is critical to ensure that parts are not compromised. It is important to ensure your suppliers have robust security processes in place, and that you are actively keeping them accountable, including doing regular audits, reviews, and security testing.
While New Zealand doesn’t have sovereign capability to manufacture parts locally, Space Tech companies should consider partnering with a cybersecurity firm that has the capability, established processes, and capacity to manage that supply chain risk. These firms can conduct independent risk assessments and set up vendor security frameworks.
You can then engage with your security partner to run adversary and attack simulations to challenge your organisation as an attacker would, penetration testing of software, and running vulnerability reviews and analyses on parts to ensure they are clean before they are deployed.
Securing your supply chain is a big cyber challenge to tackle and takes time to get right, but will elevate the reputation and standing of your organisation, increasing investor and government confidence and trust.
Securing and assuring your payloads
Space Tech is an incredibly exciting and fast-growing industry. Its potential is immense and that is why it’s attracting a lot of interest from investors. But often start-ups secure funding and then find themselves under immense pressure to ramp up and show a return on that investment. In order to rapidly deliver, they can let things they don’t see as important – such as cybersecurity – go by the wayside.
However, when start-ups consider security in designing and building their technology – hardware or software – in a more secure way, it sets them up exponentially better for the future. One way for a start-up to do this is to get to the stage where they have a working prototype – a satellite, for example – and then get a security firm to do a penetration test, and a threat and risk assessment. A security firm will assess the device holistically to see if it can be compromised.
With software, usually the vulnerabilities come from the way it’s been implemented, such as misconfiguration, lack of access control, or inability to update and maintain software. For example, if you are deploying Microsoft software, you know it has been security tested and that they are selling you that assurance, but problems can arise with how it is implemented. That is the point where you need to be sure that what you have put into the device has also been subjected to security testing – things such as access control, endpoint detection and response software, and intrusion detection and prevention. Further, you can implement these things to make it more secure, but it also needs strong assessment to assure it is secure. This is the key point in time to resist pressure to deliver a product faster, keeping in mind the potentially disastrous consequences of weak cyber protections before you release.
Losing touch with ground control
While our ambition is turning skywards as we develop Space Tech, it is also crucial to prioritise physical security on the ground. Vulnerable ground stations are a major risk, and Space Tech companies should be applying the same level of sophistication in a physical security strategy as any other company protecting critical assets or operating infrastructure.
Because so much is now stored in the cloud, organisations are relying on Microsoft Azure, Amazon AWS, and other cloud-based services, and risk neglecting building physical security into their requirements as they once did. But as satellites are of course controlled from ground stations, with data connecting to them from orbit, it is vital to plan for security risks on the ground by implementing appropriate physical security controls, such as monitoring, alerting, incident response, and appropriate access control.
Additionally, if there are Internet of Things (IoT) devices in your Space Tech system – perhaps a smart metre or other data-collecting tools – keeping their security top of mind is key too. IoT devices are especially vulnerable to cyber attacks and should be closely monitored. This goes back to the supply-chain risk too.
Launch a strong cyber culture
As technology advances faster and gets smarter, cyber criminals are in lockstep. Due to various Government requirements and frameworks, most organisations have adopted some form of cyber security practice, and taken care of the obvious vulnerabilities in their environments. Your own people are now one of your biggest risks, if inadvertently. If you are a cyber criminal trying to get into a Space Tech start-up, one of the best places to start would be to embed yourself in that company’s supply chain, for example, pretending to be a vendor and sending fake invoices with a link to pay, or impersonating a legitimate vendor.
If your people have not had the appropriate user-awareness training to understand cyber risk, and they click the fake vendor’s link, there can be devastating consequences. These can include loss of IP, ransomware that takes over a system, financial losses, and reputational risk. That is why it is essential to have rigorous cyber governance and processes in place.
Strong cyber culture has to start at the top – with founders and decision-makers leading by example. Developing a strong cyber culture is an investment in your people and systems that could save you significant sums.
Plant a flag in Security by Design
Cybersecurity had to be bolted onto pretty much every other industry to secure operations that were decades old and pre-dated the risk. Emerging Space Tech is an opportunity to embed Security by Design. It is a huge advantage and missing out on seizing this opportunity should be seen as a risk.
At the very beginning when you are designing your product – before you even order any components, much less build it – you can put security at the centre. You are thinking about security from the very first moment you have the idea for your product, and asking yourself, ‘How will we secure it?’. That will shape how you engage with suppliers, how you build the product, and all the measures you put into place to protect it.
We have captured so many lessons learned from other industries and technologies, and we know the weaknesses that attackers have exploited in other systems. Now it is about using our experience to predict how they will attack Space Tech systems, and proactively implementing tested measures to defend and protect them before attackers have the chance.
Security by Design is an approach that you embed in the whole process as you develop, design, and implement new technologies, and it is a game-changer for managing cyber risk in the Space Tech industry.
