# Space Cybersecurity: Protecting Satellites and Ground Systems
## Definition
Space cybersecurity encompasses the protection of satellite systems, ground control stations, user terminals, and the data links connecting them. Space-based infrastructure underpins a substantial portion of modern economic and military activity: GPS enables $2 trillion or more in annual U.S. economic activity across transportation, financial services, agriculture, and telecommunications. Satellite communications (SATCOM) provide connectivity to military forces, ships at sea, aircraft in flight, and remote regions without terrestrial network coverage. Space-based ISR (intelligence, surveillance, reconnaissance) capabilities provide persistent observation of activity on the Earth's surface.
The security of these systems was historically assumed to rest on physical inaccessibility: satellites orbit hundreds to tens of thousands of kilometers above Earth, and the expertise required to interact with a satellite was largely limited to the operators who built them. That assumption has eroded. Ground station infrastructure is conventional IT and OT, vulnerable to the same attacks as terrestrial systems. Software-defined radio technology has lowered the technical barrier to interacting with satellite signals. Nation-state cyber programs have demonstrated both the intent and capability to attack space infrastructure, as the Viasat KA-SAT attack conclusively established.
CISA formally recognized space systems as critical infrastructure in its 2023 guidance on space systems security considerations, reflecting the national security and economic importance of the sector and the inadequacy of existing security practice in much of the commercial space industry.
## How It Works
A satellite system has three functional segments: the space segment (the satellite itself, on orbit), the ground segment (ground stations, network operations centers, and the terrestrial communications infrastructure connecting them), and the user segment (the terminals and receiving devices used by end users). Each segment has a distinct attack surface.
The space segment represents the hardest target for direct attack, but not an impossible one. On-orbit satellites cannot be physically accessed for maintenance or patching after launch. Software updates can be delivered over the command uplink, but this process is operationally sensitive and risky: a corrupted or malicious command sequence could damage or destroy a satellite that cost hundreds of millions of dollars to build and launch. Mission-critical satellite software typically has an operational lifetime of 15 or more years, meaning vulnerabilities that exist at launch may persist for decades.
The ground segment is operationally the most critical and technically the most accessible attack path. Ground stations run on conventional server hardware and operating systems (Windows, Linux), often with commercial off-the-shelf software stacks. They are connected to external networks (for data distribution, operator access, and coordination with other ground stations), creating the same attack surface as any internet-connected enterprise system. If an attacker can compromise a ground station, they can potentially issue arbitrary commands to the satellite through the legitimate command uplink, without having to solve the physics of directly attacking a spacecraft.
The user segment consists of the modems, terminals, and receiving devices that end users operate. Commercial SATCOM terminals (VSAT modems, maritime and aviation satellite terminals) are network-connected devices running embedded software. Vulnerabilities in terminal firmware can be exploited without touching the satellite or ground station, and a compromised terminal is positioned to intercept, modify, or disrupt communications flowing through it.
The AcidRain/Viasat incident in February 2022 illustrates the ground and user segment attack paths. Russian GRU cyber operators launched an attack against Viasat's KA-SAT satellite network timed to coincide with the ground invasion of Ukraine. The attack vector was a misconfigured VPN appliance in Viasat's ground network, which gave the attackers access to the management plane of the satellite modem provisioning system. From there, they deployed AcidRain (a wiper malware designed for embedded Linux systems) to modems across Ukraine and Europe, permanently overwriting the firmware of approximately 40,000 modems. The attack disrupted Ukrainian military communications, disabled wind farm remote monitoring in Germany, and interrupted satellite broadband service across multiple European countries. Critically, the satellite itself was unaffected. The entire attack was conducted through ground infrastructure.
## Why It Matters
The dependencies created by space infrastructure mean that attacks against satellites and ground systems have effects that ripple across sectors that may not recognize their reliance on space. GPS timing is embedded in financial transaction systems, cellular network synchronization, power grid frequency management, and industrial control systems, not just navigation. A successful sustained disruption of GPS would affect hundreds of services and systems that were not designed with GPS dependence in mind.
Military dependence on space creates strategic vulnerability. The U.S. military relies on GPS for precision weapon guidance, ISR for battle space awareness, SATCOM for command and control across distributed forces, and missile warning satellites for detecting ballistic missile launches. An adversary who can credibly threaten to disrupt these capabilities changes the strategic calculus of military conflict without firing a conventional weapon.
Commercial space activity has grown dramatically with the proliferation of small satellite constellations (SpaceX Starlink, OneWeb, Amazon Project Kuiper). These new operators bring commercial IT security practices (and in many cases, commercial IT security gaps) into a domain that was previously dominated by aerospace primes with more rigorous (though often antiquated) security disciplines. The Viasat attack directly affected Starlink-adjacent infrastructure: Ukrainian forces that lost KA-SAT connectivity switched in part to Starlink, which became an operational dependency in the conflict.
The difficulty of patching on-orbit systems means that vulnerabilities in launched satellites can persist for the lifetime of the mission. The software supply chain for satellite components includes many vendors with widely varying security practices. Components with vulnerabilities that would be patched within days in a conventional IT environment may operate for years in orbit without remediation.
## Technical Details
GPS spoofing affects the user segment and has broad implications because GPS is so pervasive. The GPS signal is extremely weak by the time it arrives at Earth's surface (approximately -130 dBm, roughly the power of a wristwatch battery at 20,000 km), and the civilian signal lacks authentication. An attacker with an appropriate SDR and amplifier can broadcast a stronger counterfeit GPS signal that overwhelms the authentic satellite signal at a receiver within range. This does not require any access to the GPS satellite system itself. Military GPS receivers use the M-code signal, which includes cryptographic authentication that makes spoofing significantly more difficult.
GPS signal authentication for civilian use is being addressed through Galileo's Open Service Navigation Message Authentication (OSNMA), and the GPS program is exploring similar capabilities, but broad adoption in deployed receivers is years away.
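Until authenticated civil signals are widely deployed, a receiver can still apply consistency checks to its own solution to flag a likely spoofing event. The following is an added illustration, not code from the page or from any receiver vendor: it scans a sequence of position fixes for three classic spoofing signatures described in the research literature (an implausible jump in position, a step in the solved receiver clock bias, and near-identical carrier-to-noise density across all tracked satellites, which a single counterfeit transmitter tends to produce). The `Fix` structure, the thresholds and the sample fixes are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    """One position solution as a receiver would report it (simplified, hypothetical layout)."""
    t: float                  # receiver time in seconds
    lat: float                # degrees
    lon: float                # degrees
    clock_bias_ns: float      # receiver clock bias from the solution, nanoseconds
    cn0: Dict[int, float]     # carrier-to-noise density per PRN, dB-Hz


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points (spherical Earth model)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fix(prev: Fix, cur: Fix,
              max_speed_mps: float = 60.0,
              max_clock_step_ns: float = 1000.0,
              min_cn0_spread_db: float = 1.0) -> List[str]:
    """Return the plausibility checks that `cur` fails relative to the previous fix.

    Thresholds are illustrative: a fixed timing receiver would use a far lower
    speed limit than a vehicle-mounted one.
    """
    findings: List[str] = []
    dt = cur.t - prev.t
    if dt <= 0:
        findings.append("time_regression")
    else:
        speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
        if speed > max_speed_mps:
            findings.append("implausible_velocity")
        # Counterfeit signals carry the spoofer's clock, so the solved receiver
        # clock bias steps when the receiver locks onto them.
        if abs(cur.clock_bias_ns - prev.clock_bias_ns) > max_clock_step_ns:
            findings.append("clock_step")
    # Genuine satellites sit at different elevations and arrive at different
    # power levels; one spoofing transmitter tends to deliver every PRN at
    # nearly the same C/N0.
    if len(cur.cn0) >= 4:
        spread = max(cur.cn0.values()) - min(cur.cn0.values())
        if spread < min_cn0_spread_db:
            findings.append("uniform_cn0")
    return findings


def scan_fixes(fixes: List[Fix]) -> List[Tuple[int, List[str]]]:
    """Run check_fix over consecutive fixes; return (index, findings) for flagged fixes."""
    flagged: List[Tuple[int, List[str]]] = []
    for i in range(1, len(fixes)):
        findings = check_fix(fixes[i - 1], fixes[i])
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample: three fixes from a stationary receiver, then two fixes
# after a hypothetical spoofer captures tracking (position pulled about 220 m
# north, clock bias steps by 2.3 us, all satellites at nearly identical C/N0).
GENUINE_CN0 = {1: 45.0, 5: 41.2, 9: 38.7, 14: 47.5}
SPOOFED_CN0 = {1: 49.0, 5: 49.1, 9: 48.9, 14: 49.0}
SAMPLE_FIXES = [
    Fix(0.0, 40.0000, -74.0000, 100.0, GENUINE_CN0),
    Fix(1.0, 40.0000, -74.0000, 103.0, GENUINE_CN0),
    Fix(2.0, 40.0000, -74.0000, 105.0, GENUINE_CN0),
    Fix(3.0, 40.0020, -74.0000, 2400.0, SPOOFED_CN0),
    Fix(4.0, 40.0020, -74.0000, 2402.0, SPOOFED_CN0),
]

if __name__ == "__main__":
    for idx, findings in scan_fixes(SAMPLE_FIXES):
        print(f"fix {idx}: {', '.join(findings)}")
```

On the sample, fix 3 trips all three checks and fix 4 (now steadily tracking the counterfeit signal) only the C/N0 check, which is why the uniformity test matters: once the receiver has been captured, position and clock look consistent again. None of these heuristics substitutes for cryptographic authentication of the navigation message; they raise an alarm that a timing-dependent system can use to fall back to a holdover oscillator or a second source.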
Command uplink security for military satellites uses encryption and authentication to prevent unauthorized command injection. Commercial satellite operators have historically applied varying levels of rigor to uplink security. Ground station compromise bypasses uplink authentication entirely by giving the attacker access to the legitimate command system itself, which is why ground station security is the priority investment for satellite operators.
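To make the uplink-authentication point concrete, here is an added example (not code from the page, from any operator or from any real command standard) of the two properties an authenticated command link must provide: integrity, so that a modified or forged frame is rejected, and replay protection, so that a captured legitimate frame cannot be re-sent later. The frame layout, the `GroundStation`/`Spacecraft` classes and the demo key are all constructed for illustration; a real link would also encrypt the payload and load keys from protected hardware rather than source code.

```python
import hmac
import hashlib
import struct
from typing import List, Tuple

# Hypothetical frame layout (big-endian), not any real standard:
#   uint16 apid    - selects the on-board command handler
#   uint32 seq     - monotonically increasing anti-replay counter
#   payload bytes  - the command itself
#   16-byte tag    - HMAC-SHA256 over everything before it, truncated
HEADER = struct.Struct(">HI")
TAG_LEN = 16

# Constructed demo key; a real uplink key lives in an HSM or key loader.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class GroundStation:
    """Ground-side framer: appends a fresh counter and a MAC to every command."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def build(self, apid: int, payload: bytes) -> bytes:
        self._seq += 1
        body = HEADER.pack(apid, self._seq) + payload
        return body + _tag(self._key, body)


class Spacecraft:
    """On-board verifier: authenticates first, then enforces strictly increasing counters."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = 0
        self.executed: List[Tuple[int, bytes]] = []  # (apid, payload) of accepted commands

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Verify the MAC before parsing anything else, in constant time.
        if not hmac.compare_digest(tag, _tag(self._key, body)):
            return False, "bad_mac"
        apid, seq = HEADER.unpack_from(body)
        if seq <= self._last_seq:
            return False, "replay"
        self._last_seq = seq
        self.executed.append((apid, body[HEADER.size:]))
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Exercise the happy path plus the failure modes; returns the verdicts in order."""
    gs, sc = GroundStation(DEMO_KEY), Spacecraft(DEMO_KEY)
    verdicts = []
    good = gs.build(0x10, b"SET_MODE SAFE")
    verdicts.append(sc.accept(good))                        # ok
    verdicts.append(sc.accept(good))                        # replay of a valid frame
    tampered = bytearray(gs.build(0x10, b"SET_MODE SAFE"))
    tampered[HEADER.size] ^= 0x01                           # flip one payload bit
    verdicts.append(sc.accept(bytes(tampered)))             # bad_mac
    rogue = GroundStation(b"not-the-real-key")              # sender without the key
    verdicts.append(sc.accept(rogue.build(0x10, b"REBOOT")))  # bad_mac
    verdicts.append(sc.accept(gs.build(0x20, b"DOWNLINK START")))  # ok, counter advances
    return verdicts


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

Two design points worth noting. The strictly increasing counter tolerates frames lost on a noisy uplink (the next frame still carries a higher number) but rejects out-of-order delivery, which is the usual trade-off for a command link where ordering matters anyway. And the example also shows the limit the paragraph above describes: a `GroundStation` instance that holds the real key produces frames the spacecraft accepts unconditionally, which is exactly why a compromised ground station bypasses link authentication and why ground-segment controls are the priority.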
Downlink interception (eavesdropping on satellite communications) remains practical against unencrypted civilian communications. Commercial SATCOM traffic that is not encrypted end-to-end by the user can be intercepted by any party with a dish of appropriate size pointed at the satellite. This is not an esoteric capability: researchers and intelligence agencies have demonstrated interception of satellite communications traffic at minimal cost.
The CISA Space Systems Critical Infrastructure guidance (2023) organized security considerations into three areas: ground system security (conventional IT security controls applied to ground station infrastructure), link security (encryption and authentication for command uplinks, telemetry, and user links), and supply chain security (vetting of components and software used in space systems). The guidance references NIST SP 800-160 (Systems Security Engineering) as the primary technical framework for space system security engineering.
## CDA Perspective
Within RGA, the Perpetual Compliance Assurance (PCA) methodology applies to the evolving regulatory and policy environment for space systems. CISA's 2023 guidance formalized space systems as critical infrastructure, and Space Policy Directive-5 (SPD-5, 2020) established baseline cybersecurity principles for space systems operated by or for the U.S. government. Commercial satellite operators increasingly face contractual security requirements from government customers and insurance requirements from underwriters. RGA engagements for space sector clients track these obligations and assess compliance posture.
Within TID, the Predictive Defense Intelligence (PDI) methodology covers threat actor activity specifically targeting space infrastructure. Nation-state actors with documented capabilities against space systems include Russian GRU (Viasat KA-SAT, Sandworm-related activity), Chinese PLA Strategic Support Force (documented targeting of satellite ground stations), and North Korean actors (with interest in commercial satellite communications). Understanding these actors' TTPs and monitoring for indicators of their activity is operationally relevant for commercial space operators and government clients with space dependencies.
Within VSD and SPH, CSR and APC methodologies apply to ground station infrastructure, which is functionally equivalent to any internet-connected operational technology environment. Ground stations should be subject to the same vulnerability management, configuration management, and posture monitoring as critical enterprise systems.
For CDA clients with space dependencies (government contractors, defense primes, critical infrastructure operators relying on GPS timing), the threat of GPS denial or spoofing is a business continuity and resilience planning concern that DPS addresses through data sovereignty and operational continuity controls.
## Key Takeaways
- The Viasat KA-SAT attack (February 2022) is the most significant confirmed cyberattack against space infrastructure. It was executed entirely through a compromised ground network VPN appliance, never touching the satellite. This establishes ground systems as the highest-priority attack surface.
- On-orbit satellites cannot be easily patched after launch, creating long-lived vulnerability windows. Software deployed to space must be hardened at design time because post-launch remediation options are limited.
- GPS spoofing does not require access to satellites. Civilian GPS signals lack authentication and are susceptible to counterfeit signal injection from a low-cost attacker with SDR equipment. M-code GPS in military receivers provides authentication, but civilian infrastructure broadly relies on unauthenticated positioning.
- CISA recognized space systems as critical infrastructure in 2023. Commercial satellite operators increasingly face security requirements from government customers and insurers.
- TID threat coverage for space-targeting actors (Russian GRU, Chinese PLA SSF) is operationally relevant for any organization with significant space dependencies.
- The proliferation of small satellite constellations brings commercial IT security practices into a domain that requires discipline commensurate with the criticality of the infrastructure.
## Sources
- CISA. (2023). Space Systems Critical Infrastructure: Security Considerations. cisa.gov.
- National Security Council. (2020). Space Policy Directive-5: Cybersecurity Principles for Space Systems. whitehouse.gov.
- SentinelOne. (2022). AcidRain: A Modem Wiper Rains Down on Europe. sentinelone.com.
- Viasat. (2022). KA-SAT Network Cyber Attack Overview. viasat.com.
- NIST. (2016). NIST SP 800-160 Vol. 1: Systems Security Engineering. National Institute of Standards and Technology.
- Bhatt, P., et al. (2017). "Satellite Cybersecurity: Current State and Future Challenges." IEEE Security and Privacy.
- Humphreys, T.E. (2016). "Statement on the Vulnerability of Civil Unmanned Aerial Vehicles and Other Systems to Civil GPS Spoofing." University of Texas Radionavigation Lab.
- Defense Intelligence Agency. (2022). Challenges to Security in Space. dia.mil.
- GPS.gov. (2023). GPS Accuracy and Vulnerability Overview. gps.gov.