Brandon Bailey, left, Aerospace Corp, with Ernest Wong, Technical Lead, PNT & Space Systems,
Department of Homeland Security (DHS). Photo: Access Intelligence

RESTON, Virginia — The Department of Homeland Security (DHS) and Aerospace Corp. want satellite operators to volunteer to test out new tools they’re building to detect cyberattacks on spacecraft, officials said at Monday’s CyberSat conference.

As part of its mission to protect critical infrastructure, DHS is working to develop cyber resilience tools for satellites that provide vital resources including position, navigation and timing (PNT) services like GPS, as well as communication channels like phone and internet, said Ernest Wong, the technical lead for PNT & Space Systems at DHS’s Science and Technology Division.

Over the past year, said Wong, DHS realized that there was a “detection gap, specifically an onboard detection gap, because a lot of detection right now is based on telemetry.” And that wasn’t enough, because there are too many cyber attacks that “cannot be detected through telemetry-based threat detection.”

Moreover, Wong pointed out, the more advanced forms of automated cyber defense will require on-board detection to power autonomous responses.

“Our primary goal here is to lower the cost of security so we can reduce the barriers to the adoption of cyber resilience based systems” on satellites, Wong said.

Working with Aerospace Corp., DHS started by developing a list of indicators that satellite operators could look for on their spacecraft to show they might be under cyber attack. “The idea here was to develop some of the foundational knowledge to identify what we should look for, when trying to detect threats,” he said.

Once their work developing prototypes is finished, Wong explained, the results will be open sourced, so as to make them freely available for the whole satellite industry. They will then start integrating the tools into NASA’s core flight system (CFS) — a widely used open source spacecraft operating system. “The idea is that if we can bake in security to CFS, that just makes it easier for everyone,” he said.

Brandon Bailey, a cybersecurity specialist with Aerospace Corp. who works with Wong on the project, said they developed the list of indicators by starting with the top 50 attacks from Aerospace’s SPARTA framework, which breaks down possible cyber intrusions against spacecraft into their component stages, providing a complete taxonomy of potential attacks.

“To help people build intrusion detection on space vehicles, we needed to document, generically, what [such an intrusion] would look like,” he said. So Aerospace engineers ran the top 50 attacks against simulated spacecraft: both “flat sats,” which are real space hardware in a lab, and “digital twins,” sophisticated computer representations of a satellite and its operating system. Then they watched and documented what happened.

Logs from the tests, Bailey said, revealed a list of almost 200 spacecraft behaviors which could be indicative of a cyber attack. These are called indicators of behavior, or IOBs, he explained, and they are different from the indicators of compromise, or IOCs, which are more familiar to cybersecurity practitioners. IOCs are deterministic, Bailey explained: If it’s correctly drawn up, an IOC is pretty much definitive evidence of an intrusion. IOBs, on the other hand, “are more probabilistic and behavior based,” he said, and their presence only suggests the possibility of an attack.

Using these IOBs, Aerospace built a prototype intrusion detection system (IDS) they call SpaceCOP. As a proof of concept, it was successful, Bailey said, demonstrating the ability to detect attacks that would be invisible to telemetry-based systems.

But detection is only the first step, he cautioned. Satellite operators would have to learn how to react to alerts and warnings from IDSs like SpaceCOP, both to mitigate attacks on board the spacecraft, and to share the IOBs as a warning to other operators.

The next step, Bailey said, is to test out the concept and the technology on real spacecraft, putting out a call to attendees to be part of the experiment. He suggested that they can start by receiving the warnings downloaded from SpaceCOP. “Ingest it and see if you can update and make sense of it in your platform, and go from there,” he said.

Free government cybersecurity tools for the space sector may compete to some degree with private sector security vendors’ products, said Joseph Davis of BigBear.ai, which is working on a commercial on-board IDS. But they’ll also provide a baseline on which private sector companies can build more sophisticated platforms and tools. “They have years of research we can build on,” he told Via Satellite after the session.
