17 Mar 2022

AA22-076A: Strengthening Cybersecurity of SATCOM Network Providers and Customers

Original release date: March 17, 2022

Summary

Actions to Take Today:
• Use secure methods for authentication.
• Enforce principle of least privilege.
• Review trust relationships.
• Implement encryption.
• Ensure robust patching and system configuration audits.
• Monitor logs for suspicious activity.
• Ensure incident response, resilience, and continuity of operations plans are in place.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.

Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity. To that end, CISA and FBI will update this joint Cybersecurity Advisory (CSA) as new information becomes available so that SATCOM providers and their customers can take additional mitigation steps pertinent to their environments.

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the mitigations outlined in this CSA to strengthen SATCOM network cybersecurity.

Mitigations

CISA and FBI strongly encourage critical infrastructure organizations and other organizations that are either SATCOM network providers or customers to review and implement the following mitigations:

Mitigations for SATCOM Network Providers

  • Put in place additional monitoring at ingress and egress points to SATCOM equipment to look for anomalous traffic, such as:
    • The presence of insecure remote access tools—such as Teletype Network Protocol (Telnet), File Transfer Protocol (FTP), Secure Shell Protocol (SSH), Secure Copy Protocol (SCP), and Virtual Network Computing (VNC)—facilitating communications to and from SATCOM terminals.
    • Network traffic from SATCOM networks to other unexpected network segments.
    • Unauthorized use of local or backup accounts within SATCOM networks.
    • Unexpected SATCOM terminal to SATCOM terminal traffic.
    • Network traffic from the internet to closed group SATCOM networks.
    • Brute force login attempts over SATCOM network segments.
  • See the Office of the Director of National Intelligence (ODNI) Annual Threat Assessment of the U.S. Intelligence Community, February 2022 for specific state-sponsored cyber threat activity relating to SATCOM networks.
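As an added illustration of the ingress/egress monitoring described above (example code, not part of the advisory), the following Python sketch evaluates flow records against the anomalies the list names: insecure remote-access services touching a terminal, terminal-to-terminal traffic, internet traffic reaching a closed-group network, and terminal traffic to a segment it is not expected to reach. The subnet layout, port table and sample flows are constructed placeholders; a real deployment would feed it NetFlow/IPFIX exports and its own address plan.

```python
import ipaddress
from collections import namedtuple

# Constructed segment layout (placeholder addressing, not from the advisory).
TERMINAL_NET = ipaddress.ip_network("10.50.0.0/16")      # LAN side of SATCOM terminals
HUB_NET = ipaddress.ip_network("10.10.0.0/16")           # expected peer: hub/management
CLOSED_GROUP_NET = ipaddress.ip_network("10.60.0.0/16")  # closed-group SATCOM network
INTERNAL_NETS = (TERMINAL_NET, HUB_NET, CLOSED_GROUP_NET, ipaddress.ip_network("10.0.0.0/8"))
EXPECTED_PEERS = (HUB_NET,)  # the only segment terminals are expected to talk to

# Remote-access services the advisory lists as worth flagging at the terminal edge.
REMOTE_ACCESS_PORTS = {21: "FTP", 22: "SSH/SCP", 23: "Telnet", 5900: "VNC"}

Flow = namedtuple("Flow", "src dst dport")
def is_internet(addr):
    """Anything outside the defined internal address space counts as the internet."""
    return not any(addr in net for net in INTERNAL_NETS)

def classify(flow):
    """Return the alert labels that apply to one flow record ([] if none)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    alerts = []
    if flow.dport in REMOTE_ACCESS_PORTS and (src in TERMINAL_NET or dst in TERMINAL_NET):
        alerts.append("remote-access:" + REMOTE_ACCESS_PORTS[flow.dport])
    if src in TERMINAL_NET and dst in TERMINAL_NET:
        alerts.append("terminal-to-terminal")
    if is_internet(src) and dst in CLOSED_GROUP_NET:
        alerts.append("internet-to-closed-group")
    if (src in TERMINAL_NET and dst not in TERMINAL_NET and not is_internet(dst)
            and not any(dst in net for net in EXPECTED_PEERS)):
        alerts.append("unexpected-segment")
    return alerts

def scan(flows):
    """Flows that raised at least one alert, mapped to their alert labels."""
    return {f: a for f, a in ((f, classify(f)) for f in flows) if a}

# Constructed sample flows: one benign, then one per rule.
SAMPLE_FLOWS = [
    Flow("10.50.1.20", "10.10.0.5", 443),      # terminal -> hub over HTTPS: expected
    Flow("10.50.1.20", "10.50.2.7", 23),       # Telnet between two terminals
    Flow("203.0.113.9", "10.60.4.4", 443),     # internet -> closed-group network
    Flow("10.50.1.21", "10.20.8.8", 445),      # terminal -> segment it should not reach
    Flow("198.51.100.3", "10.50.1.22", 5900),  # VNC from the internet into a terminal
]

if __name__ == "__main__":
    for flow, alerts in scan(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {', '.join(alerts)}")
```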

Mitigations for SATCOM Network Providers and Customers

  • Use secure methods for authentication, including multifactor authentication where possible, for all accounts used to access, manage, and/or administer SATCOM networks. 
    • Use and enforce strong, complex passwords: review password policies to ensure they align with the latest NIST guidelines.
    • Do not use default credentials or weak passwords.
    • Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.
  • Enforce principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. Consider privileges assigned to individual personnel accounts, as well as those assigned to non-personnel accounts (e.g., those assigned to software or systems). Account privileges should be clearly defined, narrowly scoped, and regularly audited against usage patterns.
  • Review trust relationships. Review existing trust relationships with IT service providers. Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.  
    • Remove unnecessary trust relationships. 
    • Review contractual relationships with all service providers. Ensure contracts include appropriate provisions addressing security, such as those listed below, and that these provisions are appropriately leveraged: 
      • Security controls the customer deems appropriate. 
      • Provider should have in place appropriate monitoring and logging of provider-managed customer systems.
      • Customer should have in place appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.
      • Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider. See National Security Agency (NSA) Cybersecurity Advisory: Protecting VSAT Communications for guidance.
  • Strengthen the security of operating systems, software, and firmware.
    • Ensure robust vulnerability management and patching practices are in place and, after testing, immediately patch known exploited vulnerabilities included in CISA’s living catalog of known exploited vulnerabilities. These vulnerabilities carry significant risk to federal agencies as well as public and private sector entities.
    • Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Regularly audit system configurations for misconfigurations and security weaknesses.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
    • Integrate SATCOM traffic into existing network security monitoring tools.
    • Review logs of systems behind SATCOM terminals for suspicious activity.
    • Ingest system and network generated logs into your enterprise security information and event management (SIEM) tool. 
    • Implement endpoint detection and response (EDR) tools where possible on devices behind SATCOM terminals, and ingest into the SIEM.
    • Expand and enhance monitoring of network segments and assets that use SATCOM.
    • Expand monitoring to include ingress and egress traffic transiting SATCOM links and monitor for suspicious or anomalous network activity. 
    • Baseline SATCOM network traffic to determine what is normal and investigate deviations, such as large spikes in traffic.
  • Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.
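For the brute-force login item under the provider mitigations and the baselining item above (added example, not code from the advisory): a sliding-window count of failed logins per source over constructed sshd log lines, and a mean-plus-k-sigma check of one interval's byte count against a constructed per-interval baseline. The log format, thresholds, window and baseline values are assumptions to be replaced with a site's own.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines from a gateway host behind a SATCOM terminal.
AUTH_LOG = """\
2022-03-17T10:00:01Z term-gw sshd[410]: Failed password for admin from 10.50.3.9 port 51022 ssh2
2022-03-17T10:00:03Z term-gw sshd[410]: Failed password for admin from 10.50.3.9 port 51023 ssh2
2022-03-17T10:00:04Z term-gw sshd[410]: Failed password for root from 10.50.3.9 port 51024 ssh2
2022-03-17T10:00:06Z term-gw sshd[410]: Failed password for admin from 10.50.3.9 port 51025 ssh2
2022-03-17T10:00:09Z term-gw sshd[410]: Failed password for backup from 10.50.3.9 port 51026 ssh2
2022-03-17T10:02:00Z term-gw sshd[412]: Failed password for ops from 10.10.0.5 port 40001 ssh2
2022-03-17T10:05:30Z term-gw sshd[413]: Accepted publickey for ops from 10.10.0.5 port 40002 ssh2
"""
FAIL_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+) port")

def failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold failed logins inside one window, mapped to the peak count."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            attempts[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged

# Constructed baseline: bytes per 5-minute interval on one SATCOM link during a quiet period.
BASELINE_BYTES = [1.0e7, 1.2e7, 0.9e7, 1.1e7, 1.0e7, 1.3e7, 1.1e7, 0.8e7, 1.2e7, 1.0e7]

def is_traffic_spike(observed, baseline=BASELINE_BYTES, k=3.0):
    """True when an interval's byte count exceeds the baseline mean by more than k std devs."""
    mean, sd = statistics.mean(baseline), statistics.stdev(baseline)
    return observed > mean + k * sd

if __name__ == "__main__":
    print("brute-force candidates:", failed_login_bursts(AUTH_LOG))
    for observed in (1.4e7, 4.0e7):
        print(f"{observed:.1e} bytes/interval is a spike: {is_traffic_spike(observed)}")
```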

Contact Information

All organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [email protected] or (888) 282-0870 and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Revisions

  • March 17, 2022: Initial Version
