Photo: Via Satellite illustration

Last year, D-Orbit took the game capture-the-flag to space, hosting a cybersecurity competition conducted on a real spacecraft in orbit. The Capture-the-Flag CTF) cybersecurity competition took place at the European Space Research and Technology Centre (ESTEC) in the Netherlands during the Security for Space Systems (3S) Conference. D-Orbit worked alongside the European Space Agency (ESA) and Mhackeroni.

Grazia Bibiano, Portugal country leader for D-Orbit told Via Satellite the event demonstrated awareness on security for space systems and a commitment in the industry towards cybersecurity in space. For the European space ecosystem, Bibiano said it showed a willingness to embrace a different approach towards the security landscape.

Five finalist teams — ENOFLAG, Superflat, RedRocket, CzechCyberTeam, and PoliTech — competed in real-time cybersecurity challenges aboard ION Satellite Carrier, D-Orbit’s orbital platform. They tackled security scenarios including interpreting real telemetry data, sending command sequences, and interacting with onboard software to uncover and exploit vulnerabilities in a controlled environment isolated from the satellite’s commercial mission.

Davide Avanzi, head of product and space security for D-Orbit told Via Satellite that the key takeaway was bringing together different mindsets in the practical, hands-on based cybersecurity doctrine and the space sector.

“It turns out that hacking a space system is not like attacking any other IT system on the ground. We have seen that there are a set of unexpected constraints that come into play when you want to interact with a satellite and want to hack it, that you don’t find anywhere else,” Avanzi said.

The competition aimed to have a different feel because of the space component. Avanzi said. It’s rare that security teams are able to get hands-on experience with actual satellites in orbit. While it’s possible to simulate certain conditions on the ground, it’s not the same as the full space environment with real data. “For us, it is important to have a scenario that is as realistic as possible for the players of the competition, which then provides us with real data on how attack and defense operations would play out in a real world scenario,” he said.

“These are different conditions to when they are on the ground. On the other hand, space systems engineering often follows a traditional approach towards cybersecurity which might not be enough in modern times, where space has become a defense domain. Businesses are not exempt from this. They often just focus on the defence of the perimeter of the system and it does not take account modern techniques and approaches that we have seen in this competition,” Avanzi added.

Another key takeaway, according to Avanzi, is that it is important not to consider a spacecraft or a space system as an isolated object with a single clear perimeter to defend. He believes the industry should adopt a more defense-in-depth approach adapting proven IT security practices into the space domain. This means moving towards a more zero trust approach even on board.

“You must not presume all the components on board a satellite are secure because you put them there. A supplier could be breached, for example. Another good thing to do is improve the visibility on board a satellite into what happens on the spacecraft and on the ground. This enables a better understanding of what is happening even when the satellite is not in direct contact with the ground. You can then introduce more autonomous defence mechanisms to respond to those cyber attacks on the satellite,” he said.

The goal of the competition was not to discover real vulnerabilities in its satellites and space systems, but rather to simulate research and investments into this field by raising awareness. D-Orbit had real-world scenarios in mind, so it wanted to show like how tiny implementation details can make existing protocols vulnerable and how communications can be eavesdropped and reverse engineered, even without knowing the details about the data exchange in a protocol. “We have shown that encryption is not the panacea to the protection of systems. We need a more defense-in-depth approach that we need to take into consideration when we design spacecraft,” added Avanzi.

Moreover, one of the hardware challenges showed how a compromised component of a spacecraft could take control of other functions and cause vulnerability. It shows that supply chains are a critical point of failure. Even one single hardware component or software that goes into the satellite and is compromised, could put at risk the security of the whole system.

 Designing and implementing infrastructure needed to securely host this kind of event, showed the company the need to re-evaluate and rethink the whole threat model of its own space infrastructure, Bibiano said.

“We need to identify new scenarios that were not taken into consideration when we first designed our system. Beyond all of this, the high value collaborations we have built, helped us strengthen the relationships between the institutional space sector and new space community, bringing us closer together,” she said.

The participation in this event is another sign of growing interest from the cyber community in space related topics.

“We have also seen that the space community is not exempt from cyber attacks. If security was merely a national space domain in the past, it is now a shared responsibility in the private sector, especially for new space companies, which usually take a more commercial and customised approach to space missions,” she said. “Any poorly defended system could be a target for different types of attackers. So, companies are increasingly in the crosshairs of financially motivated threat actors, that are turning their eyes up to the sky.”