Satellite Hijacked During Cybersecurity Exercise Demonstrates Need to Improve Domain

During CYSAT, which labeled as the “biggest European event entirely dedicated to Cybersecurity of the space industry” (https://cysat.eu/), a cybersecurity exercise was conducted where ethical hackers from Thales Group, a French multinational company specializing in aerospace and defense, took control of a satellite in a test bench to demonstrate the possible vulnerabilities and need for tightening security controls for satellites and space systems per a release from Thales (Thales Group 2023).  Hosted by the European Space Agency (ESA), the CYSAT hacking event’s purpose was to challenge cybersecurity experts in the space industry ecosystem to disrupt the operation of the agency’s OPS-SAT demonstration nanosatellite according to the press release. “Participants used a variety of ethical hacking techniques to take control of the system used to manage the payload’s global positioning system, attitude control system and onboard camera.” (Thales Group 2023)  This demonstration showed huge implications for cybersecurity and the safety of satellite systems.  Attacking GPS and attitude control on a satellite could cause irreparable harm to the satellite and its ability to maintain orbit safely.  This also poses issues for neighboring satellites as a hijacked satellite could then be used to steer into another satellites orbit.  With an optical payload hijacked too, this could turn an innocuous, optical-sensing satellite into a malicious spy satellite.

The cybersecurity event demonstrated that Thales hackers could target onboard flight software gaining standard access rights to control the application environment and then inject malicious code in the system.  Pierre-Yves Jolivet, Vice President of Cyber Solutions for Thales, released a statement after the demonstration stating:

 “With the growing number of military as well as civil applications that are reliant on satellite systems today, the space industry needs to take cybersecurity into account at every stage in the satellite’s life cycle, from initial design to systems development and maintenance. This unprecedented exercise was a chance to raise awareness of potential flaws and vulnerabilities so that they can be remediated more effectively, and to adapt current and future solutions to improve the cyber resilience of satellites and space programs in general, including both ground segments and orbital systems.”

Works Cited

Thales Group. 2023. “Thales Seizes Control of ESA Demonstration Satellite in First Cybersecurity Exercise of its Kind.” Thales Group Press Release. April 25. Accessed April 26, 2023. https://www.thalesgroup.com/en/worldwide/security/press_release/thales-seizes-control-esa-demonstration-satellite-first.