Guardians of the Galaxy: Protecting Space Systems from Cyber Threats

The European Space Agency (ESA) is responsible for the peaceful exploitation of space on behalf of its member states. It is active in all major domains of space, from launchers, human spaceflight, earth observation, and GNSS, to science and communication. Many of the systems developed by ESA, either directly on behalf of its member states, or on behalf of the European Commission (e.g., Galileo, Copernicus, IRIS2), represent critical infrastructure upon which society depends on a daily basis.

Cybersecurity has thus grown to be a major challenge in the development of ESA programs and assets, in particular in today’s changing geopolitical landscape. In response to these challenges, ESA has made cybersecurity one of its three main technology priorities in addition to quantum and AI.

The quick development and maturation of space security technologies, together with the European space industry and academia, is fundamental. For this purpose, ESA seeks to connect closer with these entities and exploit synergies. ESA seeks to supply the academic ecosystem with relevant space use cases while benefitting from the resulting research to speed up technology spin-in. Likewise, industry is a valuable partner in picking up the higher technology readiness level (TRL) developments in cybersecurity and creating a diverse ecosystem for operational cybersecure space system assets and components.

The talk presented an overview of current challenges and potential future research topics. Topics included :

• $\mathrm{■}$

  Digital security engineering, alignment with Model-based System Engineering and formal reference architectures

• $\mathrm{■}$

  Zero trust architectures for space systems

• $\mathrm{■}$

  Post-Quantum Cryptography, its impact on space communications and need for cryptographic agility

• $\mathrm{■}$

  Tailored space system security monitoring and testing solutions including fuzzing of space communication protocols

• $\mathrm{■}$

  Securing legacy systems

• $\mathrm{■}$

  Anomaly detection and responsive resilient self-healing architectures

• $\mathrm{■}$

  Securing the supply chain

• $\mathrm{■}$

  Evolution of avionics security architectures and their secure operation, including on-board IDS/IPS, TEE, remote attestation

• $\mathrm{■}$

  Leveraging AI for security and ensuring secure use of AI

• $\mathrm{■}$

  Applied confidential computing and homomorphic encryption for secure distributed dataset processing

• $\mathrm{■}$

  Proliferation of standards, regulations and certification scheme

The talk aimed at initiating fruitful discussions between academics and practitioners by positing which aspects of space systems security engineering are the most challenging or the most interesting from an academic Research and Development perspective. It started by noting that spacecraft, compared to other mobile network nodes, have neither the least powerful CPUs, nor the smallest amounts of memory, nor the least predictable communication network topologies, nor the longest periods of communication outages. What is special about spacecraft is that their wireless links are highly asymmetric in nature and are absolutely essential, in absence of any wired links that can be established in drones or aircraft during maintenance phases. Also, spacecraft are fairly unique in their focus of safety and availability over long periods of time without “return to base” i.e. any security mechanism design has to satisfy very stringent safety requirements.

Following the NIST Cyber Security Framework (CSF), the talk summarized ESA’s approach to PROTECT, DETECT, and RESPOND at a conceptual level and in order to protect ESA’s Operations, Investments, and Brand Value. The talk created awareness of sector-specific cyber security challenges with the aim of stimulating the ideation for seminar topics.

The talk illustrated the nature and diversity of the assets (infrastructure, services, information) that require protection.

Furthermore, the talk highlighted a series of key challenges in the context of cyber-physical systems as opposed to traditional IT.

The widespread use of shared ground infrastructures, due to cost benefits, exposes a wide attack surface, making it harder to protect from cyber threats. Complex and highly specialized supply chains present unique challenges when it comes to effective identification and management of weaknesses and vulnerabilities, as well as when it comes to the identification of threats and countermeasures. Similarly, the presence of dual-use technologies may limit information sharing among the parties involved. In general, system complexity and interoperability constraints often slow the adoption of new technologies, including improved security controls and protection practices.

In general, the resulting inertia and obstacles affect the evolution of PROTECT, DETECT, and RESPOND. There is a general call for research, developmentand innovation to take these factors into aaccount.

The SSI is built upon new protocols, technologies, and mechanisms, particularly the concept of ‘store-carry-and-forward’ (SCF) for Delay-Tolerant Networking (DTN). While this approach addresses the fluctuating connectivity and high delays inherent in interplanetary communication, it also creates the need for novel security solutions and prevents the use of existing security measures. Several key areas present major challenges:

• $\mathrm{■}$

  Delay-tolerant key management

• $\mathrm{■}$

  SSI Threat Modelling

• $\mathrm{■}$

  Delay-tolerant networking (DTN) Anomaly Detection

• $\mathrm{■}$

  Security of inter-planetary multicast

• $\mathrm{■}$

  Scalable network testbeds for SSI

This talk provides an overview of NASA STD-1006A (NASA’s space protection requirements), then gives an overview of the NASA protection planning process (which includes Candidate Protection Strategies related to space mission cybersecurity), and will conclude with a snapshot of where we think development is needed to find protection solutions for civil space missions.

This talk presents the current challenges of developing security units for satellite communication. This is based on industrial experience within a satellite manufacturing company, namely OHB.

This talk presents an overview of the Tactic Technique, & Procedure (TTP) framework called SPARTA. We describe how it can be used to document attacks on spacecraft along with countermeasures to mitigate or prevent the attacks. The goal was education and awareness of the tool & present future capabilities. SPARTA was the first of its kind repository of knowledge on how to attack or defend spacecraft.

This talk presents current threats and vulnerabilities to satellite ground stations. The talk was focused on the need to move to cloud-based ground stations and reduce risk by using DevSecOps, loosely coupled systems, Zero trust architectures, policy as code, infrastructure as code, and compliance as code. Compared to the physical industry, computer science, and IT – the space industry is still in a “Steam Power” state and moving towards assembly line and automation.

The space industry is changing with the “New Space” activities, new technologies and new business models challenge traditional risk models and security measures. As part of the expert group on space security by BSI (Germany’s Federal Office for Information Security), we look into this evolving landscape. Further, governmental missions on new topics such as QKD, space debris, and AI-driven security analysis require us to change existing solutions and insights. What would a world in which anyone can launch a satellite a rent a ground station look like security-wise?

Lastly, we need to bring more bright minds into the intersection of space and cybersecurity. Hacking contests and CTFs can bridge the path into the field and reduce the barrier of entry.

Cybersecurity needs to be an integrated part of every space mission, and security aspects should be considered throughout all phases of a project. However, there was a lack of regulation and security standards that address cyber threats in space. To overcome this issue, the German Federal Office for Information Security founded an expert group for cybersecurity in space that invites experts from governmental institutions, industry, and academia to work together on standardization and regulation. In this joint effort, the expert group developed multiple documents that aim to mitigate cyber threats on space and ground segments. Furthermore, the expert group aims to identify emerging new technologies and regulations that may impact cybersecurity in space. These efforts also take international developments into account. This talk will give an overview of the activities of the group and its security documents.

Merge/Space (M/S) is a testbed designed to simulate multiple-agent security scenarios in satellite networks. By combining orbital data generated by a simulator such as STK with a synchronized set of images, M/S can accurately simulate bandwidth and connectivity constraints between ground stations and vehicles, enabling analyses of DoS attacks, scanning, malware infiltration, and other analyses. We discuss the development of the testbed, and the sample datasets included for release, and demonstrate the impact of various simulations.

Satellites are the backbone of several mission-critical services such as GPS that enable our modern society to function. For many years, satellites were assumed to be secure because of their indecipherable architectures and the reliance on security by obscurity. However, technological advancements have made these assumptions obsolete, paving the way for potential attacks, and sparking a renewed interest in satellite security. Unfortunately, to this day, there is no efficient way to collect data on adversarial techniques for satellites, which severely hurts the generation of security intelligence. In this paper, we present HoneySat, the first high-interaction satellite honeypot framework, which is fully capable of convincingly simulating a real-world CubeSat, a type of Small Satellite (SmallSat) widely used in practice. To provide evidence of the effectiveness of HoneySat, we surveyed experienced SmallSat operators currently in charge of active in-orbit satellite missions. Results revealed that the majority of satellite operators (71.4%) agreed that HoneySat provides realistic and engaging simulations of CubeSat missions. Further experimental evaluations also showed that HoneySat provides adversaries with extensive interaction opportunities by supporting the majority of adversarial techniques (86.8%) and tactics (100%) that target satellites. Additionally, we also obtained a series of real interactions from actual adversaries by deploying HoneySat on the internet over the span of several months, confirming that HoneySat can operate covertly and efficiently while collecting highly valuable interaction data.

Satellites and the services enabled by them play an increasingly important in our modern life. To support these services, satellite software is becoming increasingly complex and connected. As a result, concerns about its security are becoming prevalent. While the focus of security has historically been encrypting communication links, we argue that further consideration of the security of satellites is necessary. This talk characterizes the cyber threats to satellites, surveys the unique challenges for satellite software, and presents a vision for future research in this area.

To expand and extend the growing area of satellite cybersecurity to larger and more diverse cohorts of cross-disciplinary researchers internationally, we need appropriate datasets and test beds where developed protection solutions can be studied. The emerging challenge is to standardize such research infrastructure to begin to answer wicked space cyber research questions so as to protect humans and their space missions.

In the afternoon of the first day of the seminar, the participants decided to divide the working groups into four teams: Prepare/Attack, Protect, Detect, and Respond. Each group started by identifying the top three pressing issues within its respective group based on the identified open problems in Table 1.

The Attack/Prepare group opened by enumerating blockers to credible attack research against space systems. Three roots emerged. First, an evidence deficit: there are no trustworthy, shareable attack datasets aligned with mission context. Second, legal and contractual barriers: export controls, proprietary interfaces, and vendor NDAs limit sharing, instrumentation, and reproducibility. Third, a fidelity gap: the coupling of ground–link–space timing, radios, and mission logic means generic IT labs and pure simulation fail to capture the observables that matter for adversary study.

On that basis, the group specified what a study environment must produce: (i) precondition metadata (architecture, communications characteristics, software/firmware, and access-control surfaces), (ii) nominal mission traces for the same surfaces, and (iii) aligned attack traces. Existing technique catalogues do not provide worked implementations with synchronized metadata and traces; only an integrated environment can generate all three coherently across the chain.

The resulting outcome was a testbed/digital-twin workflow rather than a stand-alone simulator. Fidelity is chosen by the question under test; hardware-in-the-loop is used where it changes observables (e.g., C&DH, EPS, ADCS, radio/SDR paths); environmental context (eclipses, radiation belts, Doppler) is modeled to shape timing and errors; and minimal instrumentation is standardized so different teams can build threat-driven twins yet still yield comparable datasets. Short-term actions recorded by the group include surveying existing flatsats and ranges, defining the instrumentation and data schemas up front, and packaging adversary scenarios mapped to space-relevant TTP catalogues for reproducible execution.

The Detect group treated spacecraft and ground detection as a coupled problem under sparse observability and DTN. It catalogued the data required for practical methods, provenance-rich command/telemetry (counters, origin, timing, mode), process and file events, memory-integrity evidence, and internal bus/link signals, and drafted machine-actionable examples to enable sharing (e.g., command-origin deviations during specific modes; star-tracker reference-hash mismatches; mode–file/process inconsistencies). The group documented why conventional IDS tooling underperforms on mission traffic: freshness and ordering are probabilistic, error bursts and Doppler shifts mimic adversarial behaviour, and semantics are mission-specific.

Outcomes included evaluation expectations and forensic-readiness requirements. Detectors should condition scoring on physics (SAA passages, eclipses, space-weather episodes), separate environmental from adversarial false alarms, and be compared on corpora created in the Attack/Prepare testbed. Resilience must not erase evidence: corrections and scrubbing events are to be provenance-preserving; anomaly journals must survive safe-mode resets; and downlink strategies must support trickle transmission over multiple passes.

Finally, the group recorded a range design specifically for detection research: start from clear objectives (onboard vs. ground focus), derive fidelity from those objectives, instrument at the points that expose adversary behaviour, and include 0-constellation and deep-space cases so identity, routing, and delay artefacts are exercised in a controlled way.

The Protect group concentrated on architectural measures that hold over long missions and constrained update paths. Recurrent sources of risk were distilled from rideshare/hosted-payload arrangements, evolving network topologies (DSN/DTN, cislunar), standards and legacy components, and “X-as-a-service” ground operations. The baseline recorded by the group comprises strict internal segmentation with message-level authentication/authorization, measured boot with dependable key management and crypto agility (including PQC transition planning and re-key under DTN), and updateability as a security requirement (A/B images, shadow execution with telemetry-backed equivalence before commit).

Legacy integration was treated directly: risk cannot be eliminated by isolation alone. The working group specified service wrappers that enforce modern controls around older radios/payloads, dependency-longevity planning and spares, and explicit end-of-life options in contracts. A closing thread addressed composability: safety and security controls must be engineered so interactions across EPS, ADCS, TT&C, and payloads are predictable, with configuration governance to prevent harmful emergent behaviour. The seminar distinction was kept explicit: resilience restores function; protection must also preserve the truth about causes.

The Respond group produced an operational playbook aligned with mission assurance. Preparation and monitoring come first (simulations, validated backups, rehearsed safing procedures). Identification focuses on locating adversary activity across the ground–link–space chain, understanding mechanisms and privileges (including misuse of legitimate tooling), and protecting time-critical services. Isolation is defined as containment that keeps observability and commandability intact.

Immediate recovery proceeds by ranked options, revocation and re-keying, surgical subsystem shutdowns, and only then broader isolation while assessment continues. Longer-horizon recovery restores reachable systems and stands up replacements when assets are unreachable. The cycle closes with learning and evaluation: timelines, costs, and decisions are documented, and specific hardening actions feed back into Protect and Detect. Throughout, actions are chosen to remain safe if symptoms are environmental and to reduce manipulability if they are adversarial, and all steps maintain an audit trail robust to resets and fragmented downlinks.

Taken together, these challenges show that space cybersecurity is fundamentally unlike any other cyber-physical security problem. Other domains may share fragments of these issues, but only in space do they converge inseparably and persist for the entire mission lifetime. Harsh physical environments, absolute isolation, extreme communication delays, and pervasive exposure do not just complicate defense; they redefine it. The result is an attack surface that is broader, more persistent, and less observable than in any terrestrial system, forcing defenders to treat incomplete information, degraded sensing, intermittent trust, and adversarial uncertainty as normal operating conditions.

This conclusion reflects the consensus of the Dagstuhl Seminar, where more than forty experts from the space and cybersecurity domains, including specialists in cyber-physical systems, concluded that space constitutes a qualitatively different security environment. Meeting these challenges requires more than adapting terrestrial techniques: it demands fundamentally new approaches that embed physics-informed reasoning, resilience without servicing, and autonomy designed to operate securely under uncertainty for decades at a time.

The looming threat of fault-tolerant quantum computers capable of breaking current public-key cryptography (e.g., RSA, ECC) using algorithms like Shor’s necessitates a fundamental overhaul of cryptographic systems for space. This is not a distant, theoretical concern but an urgent operational reality. Given the long lifecycles of spacecraft, which can operate for 15–20 years, and the general impossibility of post-launch hardware upgrades, a proactive transition to quantum-resistant security is not merely advisable but mission-critical. Systems launched today with vulnerable cryptography could have their communications intercepted and stored, ready to be decrypted by a future quantum computer, a “harvest now, decrypt later” attack that poses an unacceptable risk to long-term national security and commercial intellectual property. This challenge bifurcates into two primary, and often complementary, research avenues: the near-term deployment of Post-Quantum Cryptography (PQC) and the long-term, ambitious development of Quantum Key Distribution (QKD) for space applications.

As space missions venture further from Earth into deep space and constellations grow to encompass thousands of interconnected nodes, the operational paradigm is fundamentally changing. The signal propagation delays, which can range from minutes to hours for deep space missions, combined with the sheer scale and complexity of mega-constellations, make direct human-in-the-loop control for cybersecurity functions untenable. In this new era, autonomy is not an option but a necessity. The central challenge for the research community is to develop Artificial Intelligence (AI)-driven systems that can autonomously detect, reason about, and respond to cyber threats in real-time. The ultimate goal is to create self-defending space assets capable of ensuring their own survival and mission success without constant human intervention.

For decades, the prevailing security model for space systems focused on protecting the communication link, treating the satellite itself as a trusted “black box” operating within a secure perimeter. This assumption is now dangerously obsolete. The advent of software-defined satellites, the increasing complexity of global supply chains, and the demonstrated potential for on-orbit malware necessitate a fundamental shift in philosophy. The principles of “secure-by-design” and “secure-by-default,” championed by bodies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA), must be adopted. Security can no longer be an afterthought or a feature to be added on; it must be a foundational requirement, embedded into every layer of the system’s hardware and software from the initial design phase.

Cyberattacks against space systems are not merely data breaches; they are attacks on physical assets with tangible, real-world consequences. A successful cyberattack could be used to manipulate a satellite’s propulsion system to alter its orbit, disable a critical Earth observation sensor during a natural disaster, or even command a satellite to perform a maneuver that causes a collision, generating a cloud of orbital debris that threatens all space activities. Therefore, future cybersecurity research must focus on the concept of cyber-physical resilience, ensuring mission continuity even when under attack, and deeply integrating cyber defense with our physical understanding of the space environment.

Technological solutions, no matter how advanced, are insufficient to secure the space domain in isolation. They must be developed and deployed within a robust and coherent framework of international policy, clear governance structures, and universally adopted standards. The global, interconnected, and interdependent nature of space operations means that a vulnerability in one nation’s system can pose a direct threat to all others. Establishing this framework is a critical prerequisite for a stable and secure future in space.

A fundamental challenge is that existing international space law, most notably the Outer Space Treaty of 1967, was drafted decades before the digital age and therefore does not explicitly address cybersecurity. This has created a significant legal and policy vacuum regarding critical issues like attribution for cyberattacks, liability for damages, and acceptable norms of behavior for cyber activities in space. Future work must focus on fostering international dialogue, for example through the United Nations Committee on the Peaceful Uses of Outer Space (COPUOS), to establish clear norms of responsible state behavior. This includes defining what constitutes a hostile act in the cyber domain and establishing clear channels and protocols for communication and de-escalation to prevent miscalculation.

Addressing the ambiguity of liability for cyberattacks is another paramount task. This will require a concerted effort to adapt principles from existing treaties, such as the state responsibility and absolute liability concepts from the Outer Space Treaty and the Liability Convention, to the unique context of the cyber domain. While legally and technically complex, establishing clear accountability is essential to deter malicious activity.

Alongside policy development, the promotion of universal technical standards is crucial for interoperability and baseline security. Bodies like the Consultative Committee for Space Data Systems (CCSDS), also known as ISO Technical Committee 20 Subcommittee 13, play a vital role in this process and should be supported in their efforts to develop and promulgate standards for secure command and control, authenticated data formats, and secure inter-satellite communication protocols. This work must be complemented by the harmonization of national-level regulations, such as the EU’s proposed space cybersecurity laws and the principles outlined in U.S. Space Policy Directive-5, to create a consistent global security baseline and avoid a fragmented and inefficient patchwork of differing compliance requirements.

Finally, governance must extend to the entire lifecycle of a space system, with a particular focus on the supply chain. Policies must be implemented that mandate robust Cybersecurity Supply Chain Risk Management (C-SCRM) practices for all hardware and software components intended for space systems. Leveraging established frameworks like the NIST Cybersecurity Framework can provide a structured approach to identifying, assessing, and mitigating these risks from a system’s inception, ensuring that security is built in, not bolted on.

Recent anomalies from ground-side credential theft to on-orbit bus resets show that security faults in space missions seldom respect organisational or subsystem boundaries. Currently, the space security community lacks a realistic, easily accessible testbed. A scientifically sound testbed must therefore function as more than an engineering sandbox: it must be a research instrument that allows hypotheses about security, safety, and resilience to be stated precisely, evaluated systematically, and reproduced independently. The following six design dimensions structure this instrument and crucially explain why each is indispensable for scholarly work.

• $\mathrm{■}$

  Segment-complete, abstraction-aware modelling. Attack chains traverse the ground, link, and space segments, and omitting any segment hides entire classes of causality. Therefore, we demand explicit coverage of all three segments even when the RF link is abstracted precisely to keep cross-segment effects observable. Formally recording each segment and its interfaces means that researchers can vary fidelity locally (e.g., replace a hardware ground station with a stochastic delay channel) without invalidating global semantics.

• $\mathrm{■}$

  Graduated fidelity architecture. Simulation is fast and cheap, yet certain timing or radiation effects only surface when real avionics boards are in the loop. We suggest a sliding scale of fidelity that formalises this continuum depending on the research use case, e.g., incident response vs. attack forensics. By binding every experiment to a declarative manifest, a result obtained in a low-fidelity simulation can later be replayed.

• $\mathrm{■}$

  Executable realism with unmodified binaries. Many spacecraft exploits hinge on low-level behaviour (e.g., bus arbitration, watchdog timeouts) that disappears when flight software is re-linked for a laboratory harness. Therefore, it is essential that low-level access (binary) runs within the testbed. Embedding cycle-accurate processor models, flatsats, or physical boards creates an executable ground-truth layer against which analytical models can be calibrated.

• $\mathrm{■}$

  Formal scripting language for faults and threats. The testbed should use one clear language that can describe both random hardware faults and deliberate cyberattacks. By automating techniques from frameworks such as SPARTA, ESA SHIELD, and MITRE ATT&CK, and mixing them with classic fault injections, we can measure exactly how much of the threat and fault space we have tested. Each scripted event is tagged and traced to its effect, letting us run solid statistics on how well proposed defences perform.

• $\mathrm{■}$

  Data-first instrumentation and stewardship. Empirical progress depends on transparent, multi-layer telemetry. We insist on capturing three data classes metadata, nominal, and attack traces for every experiment. At the same time, we suggest granular traffic-flow visibility for forensics and recovery research. Embedding synchronised probes at computation, communication, and energy layers satisfies these requirements and produces curated corpora for future machine-learning studies that currently lack representative data.

• $\mathrm{■}$

  Openness, sustainability, and community extensibility. Proprietary solutions fragment evidence and impede replication. Therefore, for the testbed, we advocate for open standards (CCSDS, ECSS) and a shared registry of benchmark scenarios. A plug-in architecture allows new sensor models, cryptographic stacks, or threat patterns to be added with negligible re-engineering effort, thus ensuring that the testbed evolves alongside mission technology.