Thought Leader

What Cybersecurity Gets Wrong About the New Space Race

Jay Allen

Jay Allen

10 min read
What Cybersecurity Gets Wrong About the New Space Race
Photo by SpaceX / Unsplash

The sky has changed, but our security playbooks have not. Satellites now underpin navigation, finance, logistics, media, and military operations. They are no longer rare, government-only assets. They are cloud-connected, software-defined, and commercially operated at scale. Yet much of cybersecurity still treats space as exotic and separate, a future problem for a niche team. That mental model is wrong, and it is already costing us.

This is an argument for bringing space into the mainstream of cyber strategy. Not tomorrow. Now.

The new space race is a ground problem first

When people hear “space cyber”, they imagine Hollywood: a lone hacker taking over a satellite with a laptop pointed at the stars. In reality, the easiest path to impact often runs through ordinary IT systems on Earth. The 2022 attack on a European satellite broadband network made this plain. A misconfigured VPN appliance on the ground was exploited. Malicious code then bricked tens of thousands of terminals, and remote monitoring of 5,800 wind turbines in central Europe went dark. The outage rippled across sectors that never thought of themselves as “space companies”. .1,2,3,4

Treating space as “someone else’s infrastructure” misses the point. Space systems are systems-of-systems. They include spacecraft, ground control stations, user equipment, launch and supply chains, and the radio links that connect them. A weakness in any one segment can compromise the whole. Frameworks, such as NIST’s guidance for commercial satellite operations, explicitly map these segments and their dependencies. If you only look at the spacecraft, you will miss 80 percent of the risk.5

The attack surface is scaling faster than our defences

Constellations are multiplying. Hardware refresh cycles are tightening. Satellites are increasingly software-defined, with over-the-air updates and cloud-based mission control. Analysts now project a dramatic surge in orbiting assets by 2030, which means an equally dramatic expansion of the attack surface. We learned this lesson on Earth. We built an internet of everything before we built an internet of trust. We should not repeat that mistake above the atmosphere.6

Two realities follow. First, your threat model must account for space assets you do not own. Your payment provider’s timing relies on GNSS (Global Navigation Satellite Systems). Your fleet tracking relies on satellite comms. Your climate exposure models rely on commercial imagery. Second, the adversary does not need to reach the satellite. They can reach the cloud tenancy, the ground console, the terminal in a substation, or the firmware update server.

Space hacking” is not science fiction

The barrier to entry has collapsed. Over the past few years, high-profile research has demonstrated that user terminals, downlink receivers, and developer kits can be compromised or modified using low-cost hardware. At Black Hat USA, a researcher demonstrated root access on a consumer satellite terminal with a budget modchip. Around the same time, the US Space Force launched a purpose-built CubeSat into orbit, allowing teams at DEF CON to conduct a controlled competition and attempt to subvert an on-orbit target in a legal setting. These are responsible demonstrations, but they also show that practical exploitation routes do not require nation-state budgets.7,8

There is a broader lesson. The most vulnerable part of a space system may be the least glamorous: a fielded modem with long-lived credentials, a third-party API with weak auth, a neglected ground station asset joined to a flat network, or a cloud function with permissive roles. Those sound familiar because they are. Space security inherits the same dull, deadly failure modes as enterprise IT.

Terrestrial controls, orbital constraint

A common mistake is to assume we can slap our standard stack on a satellite. Encrypt, segment, monitor, patch. Easy. Except that patching a spacecraft is hard. Uplinks are bandwidth-constrained. Power is scarce. CPUs are radiation-hardened and underpowered. Anything you deploy may need to run for a decade without a visit. The result is that “security by design” is not a slogan in space. It is survival. The United States’ Space Policy Directive-5 captured this years ago: apply risk-based, cybersecurity-informed engineering across the lifecycle of space systems and their supporting infrastructure. You build it right before launch, or you may not be able to fix it later.9

On the ground, the story is different. You can and should apply familiar disciplines aggressively: zero trust for mission control and TT&C (Telemetry, Tracking, and Command) networks, strong federation and MFA for operations staff, strict change control for payload tasking, code signing with hardware roots of trust, and continuous monitoring with well-tuned anomaly detection. Guidance now exists specifically for space systems, including zero-trust adaptations for the space environment and practical mappings from enterprise frameworks to satellite ground segments. The work is not abstract. It is deployable.10,11,12

Dual use is the rule, not the exception

Another blind spot is the continued assumption that space is a state monopoly. Most operational capability now lives in the commercial sector. Civil satellites carry military traffic. Commercial imagery informs defence planning. Private constellations provide redundancy when terrestrial networks are degraded. This is not an accident. It is a strategic design choice by governments to exploit commercial agility and scale.

Regulation is catching up. The European Union’s proposed Space Act outlines standard rules for safety, resilience, sustainability, and, crucially, tailored cybersecurity requirements for any operator providing services within the Union. It also applies to non-EU companies. That is a signal to boards and CISOs: if you sell space-enabled services in Europe, your security bar is rising whether or not you think you are a “space company”.13,14

It is not just cyber. It is radio. It is physics.

GNSS jamming and spoofing have evolved from a theoretical hazard to a routine threat in the last three years. Aviation authorities across Europe and the UK have issued repeated bulletins warning of navigation outages, false alerts, diversions, and operational risk in regions near conflict zones and beyond. This is not a spreadsheet exercise. It serves as a reminder that our digital systems rely on fragile signals traversing contested airspace. Cybersecurity leaders should be sitting with safety and operations teams to plan for degraded positioning, navigation, and timing services, loss of satcom redundancy, and reduced confidence in data integrity. 15,16,17

What cybersecurity gets wrong

Let’s name the habits that no longer serve us.

1.        Treating space as a niche environment. If your threat model does not include space-enabled dependencies, it is incomplete. Payment timestamps, synchronisation, asset tracking, remote operations, and remote sensing are now space-backed in many sectors.

2.        Thinking “satellite” instead of “system”. Spacecraft, ground, link, user segment, launch and supply chain form a single target system. Attackers choose the weakest path. So must you.

3.        Assuming only nation-states matter. Low-cost hardware and public tooling have lowered barriers. Capability still clusters, but the pool of competent adversaries is wider than many assume.

4.        Terrestrial controls do not translate directly to orbit. Patching is slow, agents are costly, and bandwidth and power are tight. Implement security at design time, lock down configurations, and treat changes and as exceptional. Use enterprise controls where they belong: ground stations and mission cloud.

5.        Underestimating commercial criticality. Governments now depend on commercial constellations. Regulators are responding. Procurement, assurance, and contractual obligations will follow. Your compliance surface will grow, not shrink.

6.        Forgetting radio realities. GNSS and satellite communications (satcom) interference are operational realities. Cyber, safety, and RF disciplines must plan together for outages and deception, including procedural fallbacks and technical mitigations.

7.        Assuming spillover is contained. The 2022 satcom incident began as a targeted action and spilt across borders and sectors. Space incidents do not respect national networks or neat industry boundaries.

A practical agenda for CISOs, CTOs, and security leaders

You do not need a space badge to start. You need to treat space like the cloud once was: a fast-moving dependency that changes your risk calculus. Here is a concrete, usable plan.

1.        Map your dependencies. Catalogue where your business relies on space-enabled services: navigation, timing, connectivity, imagery, tracking, and weather. Identify providers, contracts, SLAs, and points of contact.

2.        Model the five segments. Build a simple attack-surface map for each dependency and any in-house space activity, spanning spacecraft, ground, link, user, and supply chain. Mark clearly where you have visibility and control, and where you rely on others. Use frameworks like NIST IR 8270 to structure the breakdown and highlight gaps.5

3.        Contract for security, not just service. Bake in cyber obligations for suppliers and partners: strong identity and access controls for ground operators, code signing and secure boot for terminals, incident reporting, independent testing, and evidence of secure development lifecycle.

4.        Adopt zero trust on the ground side. Treat TT&C networks, mission control, ground stations, and cloud mission environments as high-value assets. Enforce authentication, authorisation, and least privilege. Isolate workloads. Monitor aggressively. Apply the emerging zero-trust guidance tailored for the space environment.10,11,12

5.        Kill shared secrets in terminals. Push vendors to rotate device credentials, adopt hardware-backed keys, and support remote revocation. Require signed updates and tamper-evident designs. Assume terminals will be probed physically.

6.        Protect update pipelines end-to-end. The most efficient way to brick fielded terminals is to hijack their update channel. Demand strong supply-chain controls, hardware security modules for signing, dual-control release, and auditable CI/CD for both ground and user segments.

7.        Tabletop the plausible. Run joint exercises that blend space, IT, and OT failures: GNSS spoofing during a high-risk operation, a terminal fleet wipe, loss of satellite redundancy during a storm, and corrupted imagery in a time-critical workflow. Write down who decides what, on what data, at what thresholds.

8.        Instrument for anomaly, not just signature. For ground and cloud, you can still do rich telemetry. For space, use what is feasible: power draw, attitude control anomalies, and unexpected uplink patterns. Correlate and automate safe-mode actions. Practise recovery paths.

9.        Plan for degraded PNT. Assume there will be times when GNSS is unreliable or unavailable. Build procedures for those moments. Cross-check satellite signals with terrestrial navigation aids or inertial systems whenever possible. Train your operators to work through outages and deception. Do not assume that another sector’s regulators or procedures will protect you. If your business depends on PNT, take ownership of its resilience.

10.    Harden data provenance. If you ingest space-derived data to drive business or safety decisions, track provenance and integrity. Use signing, watermarking, and cross-cueing to detect manipulation or spoofed tasking.

11.    Engage policy early. The EU Space Act will impact due diligence, assurance, and procurement even if you never launch anything. Track how cybersecurity, resilience, and sustainability requirements will flow into your contracts and audits.13,14

12.    Invest in people. Build a small, cross-functional nucleus of engineers who speak both dialects: radio and routing, orbital mechanics and threat hunting. They do not need to be astronauts. They need to be translators.

Leadership, not latency

Space is no longer a prestige domain to admire at a distance. It is infrastructure. It is a competitive advantage. It is a target. The lesson from the last three years is that incidents in orbit often begin on Earth, and their effects on Earth often begin in orbit. The boundary is artificial. Treat it that way.

If there is one mindset shift to lead from the front, it is this: orbital security is part of your enterprise security. Put it in your risk register. Put it in your contracts. Put it in your exercises. Make it an ordinary question in architecture reviews: “What happens here if the space bit fails, lies, or is attacked?”

The new space race rewards those who assume it is already here. Because it is.

References

1.        Reuters, “Satellite outage knocks out thousands of Enercon’s wind turbines,” 28 Feb 2022. https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/

2.        Viasat, “KA-SAT Network cyber attack overview,” 30 Mar 2022. https://www.viasat.com/perspectives/corporate/2022/ka-sat-network-cyber-attack-overview/

3.        SentinelOne Labs, “AcidRain: A Modem Wiper Rains Down on Europe,” 31 Mar 2022. https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

4.        NATO CCDCOE, “Viasat KA-SAT attack (2022),” case summary. https://cyberlaw.ccdcoe.org/wiki/Viasat_KA-SAT_attack_(2022)

5.        NIST, Draft NISTIR 8270, Introduction to Cybersecurity for Commercial Satellite Operations, July 2023. https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8270-draft.pdf

6.        Deloitte, “Real-time cybersecurity in space,” 17 Feb 2025. https://www.deloitte.com/us/en/insights/industry/public-sector/critical-need-for-cybersecurity-in-space-systems.html

7.        WIRED, “The Hacking of Starlink Terminals Has Begun,” 10 Aug 2022. https://www.wired.com/story/starlink-internet-dish-hack/

8.        US Space Force, “Hack-A-Sat’s Moonlighter satellite deploys to low Earth orbit,” July 2023; DEF CON 31 finals announcement. https://www.spoc.spaceforce.mil/News/Article-Display/Article/3462016/hack-a-sats-moonlighter-satellite-deploys-to-low-earth-orbit-after-last-months

9.        Space Policy Directive-5, “Cybersecurity Principles for Space Systems,” 4 Sep 2020. https://csps.aerospace.org/sites/default/files/2021-08/Space%20Policy%20Directive%205%20-%20Cyber%20Security%204Sep20.pdf

10.    CISA, Space Systems Security and Resilience Landscape: Zero Trust in the Space Environment, April 2024. https://www.cisa.gov/sites/default/files/2024-06/Space%20Systems%20Security%20and%20Resilience%20Landscape%20-%20Zero%20Trust%20in%20the%20Space%20Environment%20%28508%29.pdf

11.    Industrial Cyber, “New CISA report addresses zero trust in space,” 13 Jun 2024. https://industrialcyber.co/critical-infrastructure/new-cisa-report-addresses-zero-trust-in-space-boosting-security-for-satellites-and-ground-infrastructure/

12.    Aerospace Corporation, “Leveraging the SPARTA Matrix,” 18 Oct 2022. https://aerospace.org/article/leveraging-sparta-matrix

13.    European Commission, “EU Space Act,” 25 Jun 2025. https://defence-industry-space.ec.europa.eu/eu-space-act_en

14.    Reuters, “EU revamps regulations for expanding space market,” 25 Jun 2025.

15.    EASA, Safety Information Bulletin 2022-02 and revisions, GNSS jamming and spoofing, 2022–2023. https://ad.easa.europa.eu/blob/EASA_SIB_2022_02R2.pdf/SIB_2022-02R2_1

16.    UK Civil Aviation Authority, Safety Notice SN-2025/006, GNSS RFI, 30 Apr 2025. https://www.caa.co.uk/our-work/publications/documents/content/sn-2025006/

17.    UK CAA, Annual Safety Review 2024 (CAP3146), 2025. https://www.caa.co.uk/publication/download/25631

18.    Council of the European Union, “Russian cyber operations against Ukraine,” 10 May 2022. https://www.consilium.europa.eu/en/press/press-releases/2022/05/10/russian-cyber-operations-against-ukraine-declaration-by-the-high-representative-on-behalf-of-the-european-union/

19.    UK Government, “Russia behind cyber-attack with Europe-wide impact,” 10 May 2022. https://www.gov.uk/government/news/russia-behind-cyber-attack-with-europe-wide-impact-an-hour-before-ukraine-invasion

Read more