Zero-Trust 4 Zero-Gravity

Steven Bjornaas and Ben Fonner from TriSept Corporation join Dave to discuss satellite security. What is perceived security versus actual security? The people at TriSept are doing their best to provide an affordable option that lets startup companies embrace security more easily in the satellite space. They discuss what companies are currently doing and how these solutions will help make sure data remains secure.

What is Zero-Trust 4 Zero-Gravity?

Cybersecurity in space! Join us as we talk about protecting assets in space, hardening existing assets, and models for the new space ecosystem. Hosted by Dave Pearah, CEO of SpiderOak and SpiderOak Mission Systems.

Dave Pearah (00:00):
Hello everyone, and welcome to another episode of Zero Trust 4 Zero Gravity. My name's Dave Pearah, CEO of SpiderOak, and I'm really excited to welcome our two guests today, Steve Bjornaas and Ben Fonner from TriSept. This is a company that we just recently started working with. We're fellow members of the SmallSat Alliance and did a webinar together around space cyber, and it's always nice to find other fellow travelers on that journey. And so I'd like to welcome Steve and Ben. Tell us a little bit about yourselves.

Steven Bjornaas (00:35):
Yes. Thank you for having me on the show. I'm Steven Bjornaas, director of software development here at TriSept. I've been at the company for a few years now, and I was brought on board to help TriSept develop security solutions, for their customers and beyond, that were more affordable, and for startup companies to be able to embrace security easier in the satellite space.

Ben Fonner (01:01):
Yeah. And I'm Ben Fonner. I've been with TriSept for a little while now, serving more of a QA and security consulting aspect to the products that we're developing.

Dave Pearah (01:12):
So, it's your fault. [crosstalk 00:01:15]

Ben Fonner (01:15):
No, I make sure that people can't say it's my fault.

Dave Pearah (01:20):
Ah, I see. Yeah. We just hired, actually, a new QA person on the team, and after one week, it's like, "How dare you?" No. So quality, very important. I like to start these with a little bit of an open-ended question, but one where I always find interesting around the answer. What is zero trust? Supposedly we're all about zero trust in space. What is zero trust and what's unique about that in space in terms of your perspective and TriSept's?

Steven Bjornaas (01:47):
At a fundamental level, right, the goal of zero trust is to remove that implicit trust you typically find, usually within a lot of organizations. So, simply trying to create that barrier to the outside world has been proven pretty much time and time again to not be good enough to protect your network by itself. Now it's done for obvious reasons, right? Because the easier it is for people to communicate and share and interact, the easier it is to get work done. But the easier it is for them to do that, the easier it is for a potential intruder to do that. So, anyone who has any familiarity with zero trust has almost certainly heard the phrase, "Never trust, always verify."

Steven Bjornaas (02:29):
It's probably the first thing you read when you're starting to research zero trust. And this really is the root of what zero trust is for us and what we strive for and what I think the industry should strive for. That is, provide the smallest amount of access necessary to get the work done while continuously validating those interactions. And from TriSept's perspective, we're careful not to advertise that we're solving the zero trust problem, but we contribute to helping solve that problem by taking a TNO approach or a Trust No One approach.

Dave Pearah (03:08):
Before we dive into a shameless promotion of your own solutions, which we clearly frown upon at this kind of academic discussion of space cybersecurity, describe for me, what is space cybersecurity to date? Imagine our two companies and others trying to bring zero trust to space exist. For the last 10, 20 years, what is space cybersecurity and how is it practiced? Because that sets the context for, well, what are we all up to?

Ben Fonner (03:39):
Well, I think one thing that we can definitely say for a lot of people we've talked to is security has been the, "Yeah, we'll get to that on the next version." It's a tag-on at the end, second-class citizen in the development process. And the bill's coming due on kicking that can down the road, definitely trying to really bring it up to a lot of the lessons that we've learned in ground security, take that up into space with us. But a lot of it has been security through obscurity. Nobody can make this kind of a radio to talk to us so we can just have free communications, maybe some basic level transit encryption.

Dave Pearah (04:21):
Something I've observed is, if there's any concern around security and to your point, Ben, a lot of it has been, "I'm just going to write that check. Someone else is going to have to cash it, not my problem," or it's, "I secured the next hop, so I'm good." All right. Well, how many hops do we got here between source and sink? This confidence of, "I'm secure," is I find akin to, "My Brink's truck is absolutely secure and I bring the money to a bank vault, which is secure." But for a period of time, they have literal sacks of cash in the streets that is completely unprotected. So, I think this hubris is really coming to light, particularly as we do crazy things like having multiple satellite systems or ground systems that are not vertically integrated talk to each other. I feel like that's one of the big drivers for trust now because you can't just own and operate everything. Has that been your experience as to why this is now more important than it used to be?

Steven Bjornaas (05:25):
Yeah, for sure. Well, once the data leaves your system, it's impossible to say with 100% certainty that it's not going to be intercepted or what's going to happen to it. It's a similar argument for, you don't know necessarily where all of your hardware comes from. If it's coming from China, for example, you don't know if there's anything nefarious on there before you even put it in your satellite. It's very similar to just, once you're up there and you're passing data along, you don't really know, which was just where the whole trust equation comes in. And without having any easy physical access to those devices, they need to be extremely cautious about what they allow in, what they allow out of those devices. So, yeah. Definitely agree.

Dave Pearah (06:25):
So, where does TriSept sit in this ecosystem? Before we jump into what particular solutions you have, what is the history of TriSept in space, and why space cyber? Of all the crazy things that a company could... I mean, it's more interesting to work on rockets and blowing things up and grabbing debris in space. Why space cyber of all the things you could be doing?

Steven Bjornaas (06:52):
Well, TriSept tries to have as much fun as it can in those other places too. TriSept started off as a launch and integration company and quickly started incorporating ride-share services. And for a long time that was TriSept's bread and butter. And they've since expanded into other spaces, even non-space related spaces. But recently, one thing that the CEO of our company, Rob Spicer, has noticed with our existing customers is a lot of them see the bill coming due for having to incorporate security into their satellites. And especially after SPD-5 dropped, that sweat drop got even bigger, and they're realizing how expensive security is. And whether it's hiring those engineers or finding solutions that already exist and trying to incorporate them, and they were running into a lot of issues in regard to that, which is what motivated the company as a whole, most notably the CEO, to want to dive into that space, to see being able to help out existing customers. That was the real motivation.

Dave Pearah (08:14):
So, is this a pivot or new business from services trying to make a repeatable product?

Steven Bjornaas (08:22):
Yes, it is. This would be the first. The software development side of the house is TriSept's first foray into developing products not just for federal customers, but commercially as well.

Dave Pearah (08:38):
And what is this product, then? What is it that you are making that either doesn't exist or a better version of something that already exists?

Steven Bjornaas (08:52):
So, one of the first things we did as a team was talk to the existing customers that TriSept has to get an idea of where they were at with regard to security or what their approach might be and what their existing systems were like. And there was a big question mark. They didn't know. They were just like, "We're not sure what we're going to do or how we're going to approach this." So-

Dave Pearah (09:19):
It's like Henry Ford asking people with horses what they wanted in a car.

Steven Bjornaas (09:23):
Yes.

Dave Pearah (09:23):
Or Steve Jobs asking people, "I want a Walkman meets a cell phone," and then come up with some... People just don't know what they don't know, right?

Ben Fonner (09:33):
Yeah. That's a very apt analogy. A lot of the people we were talking to just said, "I know it's something that I need. I have no idea what the context around it is beyond I hear stories of hacking and exploitation and that kind of stuff, and I don't want to be the next headline."

Steven Bjornaas (09:49):
Yeah. So, internally when we're looking at how we could help them, the realization was coming in after the fact and trying to hack together security for them wasn't going to make it any cheaper for them. So, leveraging what they already know and trying to make something that would help, we ended up falling on making a custom Linux distribution that was geared towards satellites. So, the product that we are nearing the end of development on and about to release, it's called TriSept Secure Embedded Linux. And as the name might imply, it's designed for embedded systems. And the idea is what you receive will be secure out of the gate and locked down out of the gate, and we would work with the companies to peel it back only as much as necessary for them to be able to achieve the goals that they need, as opposed to coming in later and trying to secure what they have and forcing them to redesign or forcing them to open up more holes than they need. It's a much cheaper approach to, from the get-go, have them be locked down and then just dial it back.

Ben Fonner (11:05):
And it also helps take the onus off the customer for making sure that they have the best practices put in place. One example that jumps to my mind is the Heartbleed vulnerability from a few years back dealing with the OpenSSL libraries. Part of the reason that that became an issue was people would just grab OpenSSL to provide whatever function they needed. But OpenSSL was so big and was a playground for emerging concepts that it brought along with it a lot of additional problems that led to that outbreak. So, one of the things that we do in that mindset is we help set them up that if they need SSH services and that kind of stuff, we bring in OpenSSH and strip it down to just the pieces we need rather than the whole package to help minimize that footprint, that attack surface.

Dave Pearah (11:54):
Well, allow me to play devil's advocate. I think the world needs another Linux distro like my daughter needs more Pokemon cards. They keep making more of them. And I'm wondering, "Why another one? Why doesn't an existing distro solve the problem?" So, what is it that you're doing that's different than the thousands of other distros that people can pick up?

Steven Bjornaas (12:20):
I feel you there. The main thing that, if you're a small satellite builder and you're looking for something that you can work on and incorporate security out of the gate, if you're not familiar with developing embedded Linux, trying to develop those board support packages on your own can be quite difficult. And again, incorporating that Linux, or excuse me, incorporating the security out of the gate, combining those two things into a more affordable service out of the gate, compared to a lot of the embedded Linux distros out there, it can get quite expensive to have that combo, where you have the board support package is available to you and security be available to you. And it's quite the limiting factor for a lot of people.

Dave Pearah (13:09):
Let's talk about that intersection. So, when you say embedded systems, are there two or three big ones that you target? Because I've noticed, trying to figure out the space ecosystem is like, "What's your IoT platform?" And it's like, "Well, here's a thousand things." So, how do you get the meaty part of the histogram on the left side that gets the most bang for your buck? What systems are you targeting?

Steven Bjornaas (13:34):
Yeah. So, right now the initial platforms that we're targeting are Xilinx platforms. But we plan on growing our library over time, right? And we're going to prioritize based on what our customers come to us with. So, when you purchase TriSept Secure Embedded Linux, a part of that is going to be us developing the board support package for your platform. And that will not only allow it to run in your platform for us, we also benefit in that our library will grow on what platforms we can target. But yeah, you are right. There's tons of platforms out there, and we're not claiming to cover them all right now out of the gate. That is something that will grow over time.

Dave Pearah (14:23):
So, we talked about the target platform. Now, let's talk about the security side. And let's bring in Log4j. Because what else are we going to talk about? So, how would you have prevented this problem for your clients? Because it's one thing to say, "Well, we're going to manage the supply chain and the components and have the latest patches," but make it real for a client. It's like, "Is Log4j going to threaten my satellite because I'm your client?" What's your answer to that prospective or current question?

Ben Fonner (14:52):
Yeah. One of the things that we provide when we give you updates with the tCell and all that is a list of all the modules that we pulled in, the components we're using. We regularly monitor the CVE channels to find those changes and make sure they get integrated into updates that we can pass down to our customers. We stay on top of that hearing both from the security, different communities, as well as, if the customers come back down to us that we have an agile enough platform that we can take in these changes on a regular basis, turn out a new copy of tCell that works on their platforms that they can then do in-place upgrades or be their next build platform.

Dave Pearah (15:32):
How scary is it to do an in-place upgrade on a satellite? A lot of folks who listen to this podcast are like, "Can you just do an upgrade like that on a satellite that's flying around for something so core?" Like, "I'll just take the brain out of this person, put a new one in." I mean, this seems like a pretty core component.

Steven Bjornaas (15:52):
Yeah. There's obviously going to be inherent risk in that. So, for us updating it, it's important that interruptions can happen and that the actual main processing unit, while the updates are happening, it's still operable. And if an update fails, it was important that we could revert back. So, there's a way. We take a lot of precautions into understanding that sensitivity and trying to prepare for any potential failures that might happen. But yeah, it is risky. And from the interactions we've had with the industry, they're very, very nervous about that, and understandably. As we move forward, as the space moves forward, I think the ability to update them will become more and more important. But it's a scary thing to do, and I can understand that people are very nervous about it.

Ben Fonner (16:48):
And I would even add on top of that, with the popularity push of things like Starlink and the other, OneWeb, and other different people were putting up constellations, you're going to have more and more individual customers directly on the line talking to the satellite. And you're going to need to be able to keep up with the newest updates, because you're just going to have more and more eyes on you and more and more people trying to reach out and play with the different technologies in the whitest of hat ways, or trying to take control with the black hat.

Dave Pearah (17:18):
Where do you think the appetite for space cyber is coming mostly, commercial or federal? And of course you can just say, "Well, it's both Dave." But I'm just curious. How do you see this playing out, like chicken versus the egg, over the next few years? Is federal the pointy edge of the stick, and then it's going to be commercial to follow, or you see some fast leaders in the commercial side? I mean, look into the crystal ball and tell me how the next few years are going to play out.

Steven Bjornaas (17:48):
So, yeah, I think it's pretty clear that on the commercial side there's a lot of dragging of feet, either because they don't feel it's necessary, as Ben pointed out before, because the people who are throwing the money around just don't care enough, or just the requirement for it isn't explicitly there. So, why spend the resources on it? So, until A. they start experiencing the pain of having their satellites being infiltrated or otherwise damaged, I think until that happens or until they're pushed from a federal standpoint, which can be annoying to have to deal with the government trying to tell you that you need to do this, but sometimes it seems to be what's necessary in order for the commercial side to commit to that.

Steven Bjornaas (18:48):
So, I think SPD-5 is already a great example of that. You're seeing more people trying to get there now, and that's just a recommendation. It's not even a hard requirement. So, I think as more and more of that happens, you'll see the commercial side catching up more and more. Because it's quite expensive, as I said before. And people are just trying to not flip that bill if they don't have to.

Ben Fonner (19:13):
And I'd also put forward that, with the Colonial Pipeline attack, I'm sure their security budget for their software systems increased quite a bit earlier this year. And as that becomes more and more common, more and more people are going to say, "I don't want my name in the headlines that way. Let's go ahead and try to take more preemptive." But it is going to take time and pressure.

Dave Pearah (19:32):
Talk a little bit more about SPD-5.

Steven Bjornaas (19:36):
Yeah. So, when that dropped last year... Yeah, I believe it was last year. Or was it two years ago now? I don't remember. But there was a lot of attention put on it, seeing the requirements coming down for an industry-wide standard put on security, right? There's going to be an expectation that you have a basic level of security on any of your space assets going up. Now again, SPD-5 itself isn't necessarily a hard requirement, but I think it was writing on the wall, right? That's the way a lot of companies were treating it for, "We need to now actually start catching up and start following a lot of these standards that we see coming from that side of the fence."

Dave Pearah (20:32):
As part of just these standards and pronouncements, I was initially excited about zero trust executive orders coming out of the White House, and then the agencies picking that up. And I kept doing a Control-F search on the word space, and I kept coming up short. It's just not even explicitly mentioned as critical infrastructure. I don't know if you are participating and trying to advance that discussion, but it always seems like space is like, "Oh yeah, we do that too," kind of an afterthought. Any thoughts on the importance of labeling space as critical infrastructure, or what, if anything, we need to do to help educate the market?

Ben Fonner (21:12):
I was just going to say that making sure people are just remembering that space is a leg in this chain that needs to be addressed with just the base stuff that happens for all computer systems is a really good starting point. A lot of people just think that satellites are just special, magical things in the sky that don't actually have operating systems, processors and that kind of stuff. That's a definite starting point. But for a lot of the real uniqueness of security in space, that's something that's just started to research and look into. There's a lot more to learn beyond what a general computer system would be. So, there's a lot of room to grow there.

Dave Pearah (21:52):
Well, we're coming up on the end of our time. I think it would be interesting to know, what was the first computer that you had growing up? To make it a little personal anecdote. And there are correct and incorrect answers to this question. So, choose carefully.

Ben Fonner (22:10):
I'll go first on that one. So, my school system, when I was in kindergarten, started a program where they wanted to have every student in front of a computer at least once a week. And we were using old IBM Josten workstations. And [crosstalk 00:22:26] the classroom-

Dave Pearah (22:26):
Josten's? What's a Josten's workstation?

Ben Fonner (22:28):
Basically there was a large mainframe at the county office that you had a dumb terminal that remoted into, and it was a rudimentary interface. It was Dewey, so it was [post-text 00:22:39] and all. But the first computer I had at home was an old Apple IIe my mom brought back from her classroom, with a five-and-a-quarter floppy, playing Lemonade Stand and Number Munchers and all that kind of stuff.

Dave Pearah (22:53):
Was it green text on a black background kind of a deal? Oh. And Steve, what computer did you have growing up?

Steven Bjornaas (23:04):
So, yeah, for me, I can't even say a specific computer because my dad was the one that got me into computers. I went to a computer fair with him back when those were still around when I was nine, I guess, somewhere around there. And we walked around and he picked out components for me, and then he and I built the computer together. Obviously it was more him telling me what to do and I just plugged things in because I had no idea what I was doing. So, yeah. I don't remember exactly what components were in that thing, but yeah, my first computer was a custom build type thing that I did with my dad when I was eight or nine years old.

Dave Pearah (23:45):
Well, I can tell you there was a card for everything. Oh, you want a printer on that computer? That's a card. A mouse? That's a card. You want sound? Oh, that's a card. There was a card for everything.

Ben Fonner (23:57):
Yeah. The second computer that I had was a Mac OS 5 and the only thing it had internal to it was the hard drive. And if you wanted a CD-ROM or a Zip drive or the 28.8 modem, there was just a big SCSI stack of devices off to the side of the computer for me.

Dave Pearah (24:13):
Well, not to date myself, mine was a Timex Sinclair with a whopping fast 300-baud acoustic coupler for our home telephone. Because you have to choose, "Do you want to talk on the phone or do you want to connect to a bulletin board system to download [inaudible 00:24:27]?" You have to make difficult decisions.

Steven Bjornaas (24:29):
Very tough. Very tough.

Dave Pearah (24:31):
And [crosstalk 00:24:32].

Ben Fonner (24:31):
I don't know if [crosstalk 00:24:32].

Dave Pearah (24:35):
My parents were not fans of that at all. And you have to remember, it dialed a special code to disable call waiting, or it breaks your connection and then you have to start over. Yeah, those are good times. So-

Ben Fonner (24:45):
Oh, I convinced my parents to get a second phone line just so that wouldn't be an issue.

Dave Pearah (24:50):
You're so fancy. Did you have AOL? One billion minutes. It started with 25 free minutes to millions of minutes. Just put the CD in.

Steven Bjornaas (24:59):
You can build a fort with all those discs.

Ben Fonner (25:01):
Yep.

Dave Pearah (25:01):
Exactly. There's some country somewhere that has probably collected all those disks somewhere and recycling them into something. The future is built on AOL discs somewhere. Well, Ben and Steve, it's been an absolute pleasure. Thanks for taking the time to jump on this Zero Trust 4 Zero Gravity podcast, and look forward to all the great stuff coming out of TriSept.

Steven Bjornaas (25:25):
Yeah. Thank you very much.

Ben Fonner (25:26):
Thank you.

Steven Bjornaas (25:27):
Pleasure to be here.