From left: Norm Laudermilch, Brandon Bailey, Vinit Duggal, Matt McClung, and Scott McCormick. Photo: Shaun Waterman for Via Satellite

RESTON, Virginia — Software-defined satellites and multi-orbit architecture open up an expanded attack surface for hackers, but those vulnerabilities remain largely theoretical for now, satellite cyber and engineering experts said Monday during CyberSat. The real and present dangers lie in more low hanging fruit, they said.

Five years ago, a presentation by James Pavur at the Black Hat cybersecurity conference sent shockwaves through the satellite industry, when he revealed how trivially easy it was to eavesdrop on unencrypted satellite downlinks.

This month, the University of California San Diego and the University of Maryland published a study recently covered by Wired, which found that “roughly half” of the traffic from Geostationary Orbit (GEO) satellites is still unencrypted.

“It just blew my mind,” said Norm Laudermilch, CISO of Vantor.

“Five years later, we’re doing the exact same thing, not encrypting the downlink,” added Brandon Bailey, a cybersecurity expert with the federally funded research organization Aerospace Corp. “I don’t even know how we’re at this stage in the game,” he said.

Scott McCormick, CSO of Planet, pointed out that the study looked exclusively at older GEO satellites. “There’s assets on that list [in the study] that were quite aged and it was a bit skewed.” Nonetheless, he added “encryption is a must.”

In a separate presentation, Jason McCollum, the vice president for Software & Security at Comtech said that “legacy thinking” is even more widespread than legacy technology.

Legacy thinking on the encryption and authentication issue, McCollum said, includes the idea that “It’s too hard for an attacker to figure out proprietary protocols. …  That’s never been true. It’s not too hard to reverse engineer proprietary protocols.”

Another example of legacy thinking is that no one is asking for different behavior. While that’s “often true,” he said, it doesn’t account for the fact that customers frequently do not understand the consequences of eschewing encryption.

In addition to eavesdropping and packet sniffing of unencrypted downlinks, Bailey said, data compiled by Aerospace Corp. showed that other “bare minimum, basic” attacks, like radio frequency (RF) jamming are the most prevalent.

Industry standard encryption and authentication technologies could help mitigate such attacks, Bailey said. But he added that encryption could be defeated on the ground if networks aren’t protected. “We have too much trust built into our architectures, into that trusted link between the ground and the spacecraft,” he said, pointing out that in the penetration testing work Aerospace did on live systems, “We abuse that trust continuously.”

Supply Chain Risks

Beyond the attack surface of the satellite operators’ own systems, panelists explained, lays the vast and often dark terrain of their supply chain.

“The satellite supply chain is global. It’s incredibly complex and very often opaque, and every subsystem, from attitude control to the RF components, comes from a different source, and each of those sources introduces its own potential risk to the overall system,” said Laudermilch.

Even something as simple as a list of suppliers might be difficult to compile, said Matt McClung, director of Cyber Engineering for satellite manufacturer Lanteris Space Systems.

“You have to start with a comprehensive list of all your suppliers, and understand what they’re providing to the company: software, hardware, services,” he said. But companies also have to understand their suppliers’ suppliers, so-called fourth party risk.

“Once you have that list, then you can start building a view of what’s the risk associated with each of them,” he said. Software and hardware had to be dealt with differently, he explained, “You can’t treat all the suppliers the same.”

McClung said that the sheer volume of data points about so many companies sometimes makes an automated platform a good investment.

Assessing supply chain risk means evaluating the trade-offs in “buy versus build,” McCormick said. “We build most of ours,” he said, “So we own it through the whole pipeline. But if you are going to go out and use AWS ground stations, or whoever, obviously understanding the risks and tradeoffs is key.”

“I think we’re all in that boat,” added Laudermilch. “We’re all using commercial services at some level.”

Threats in Multiple Orbits

The growth of multi-orbit architectures and the integration of multiple terrestrial networks raises new security risks, explained Vinit Duggal, CISO and vice president for Network Engineering of European operator SES. He described SES’s satellites as “routers in the sky,” connecting different constellations and different networks.

SES this year completed its acquisition of Intelsat, and the company also has a partnership with OneWeb, so being able to track traffic across different networks and constellations and know it is protected from end-to-end is critical, he said. Each handle security slightly differently, “There’s no one right answer. Everybody’s handwriting is a little bit different,” he said.

“For us, it’s around visibility, bringing it back to one funnel, so we can apply the right security to the traffic. … That integration is extremely important. It’s something we’re paying a lot of attention to,” Duggal said.

Duggal added that SES is not seeing any attacks on, or attempts to take over, its actual spacecraft. “We are not seeing any direct command intrusion [or] command spoofing, activity on our assets,” he said. Crediting the company’s use of encryption and a security technique known as “command lock” under which the satellite will not accept certain kinds of instructions.

Bailey, however, pointed out that very high end attacks like those on spacecraft may not be happening at the moment but with increasing strategic competition in the space domain, that isn’t likely to be the case for much longer.

“Your company, probably like others, aren’t seeing a lot of action on the platform itself yet,” Bailey warned, “But we anticipate that changing.”

More from CyberSat 2025: 

• NRO Establishes Space Cyber Program After Last Month’s Moonshine Guardian Exercise
• DHS Wants Satellite Volunteers to Test New Cyber Tools
• Pentagon’s Acting CIO Arrington Pushes Against Complacency in Space Cybersecurity