This paper was presented at the 44th IEEE Symposium on Security and Privacy (S&P) and received a distinguished paper award.
In this paper, they analyze the security of three real-world satellites and discover 13 vulnerabilities that enable attackers take over two of them. They also publish a survey confirms that these are widespread issues.
Terms used in this abstract are : satellites, satellite security, space segment, satellite firmware, threat taxonomy, software security.
Abstract — Satellites are an essential aspect of our modern society and have contributed significantly to the way we live today, most notable through modern telecommunications, global positioning, and Earth observation. In recent years, and especially in the wake of the New Space Era, the number of satellite deployments has seen explosive growth. Despite its critical importance, little academic research has been conducted on satellite security and, in particular, on the security of onboard firmware. This lack likely stems from by now outdated assumptions on achieving security by obscurity, effectively preventing meaningful research on satellite firmware.
In this paper, we first provide a taxonomy of threats against satellite firmware. We then conduct an experimental security analysis of three real-world satellite firmware images. We base our analysis on a set of real-world attacker models and find several security-critical vulnerabilities in all analyzed firmware images. The results of our experimental security assessment show that modern in-orbit satellites suffer from different software security vulnerabilities and often a lack of proper access protection mechanisms. They also underline the need to overcome prevailing but obsolete assumptions. To substantiate our observations, we also performed a survey of 19 professional satellite developers to obtain a comprehensive picture of the satellite security landscape.
The figure below is a taxonomy of threats against satellite firmware
A taxonomy of threats against satellite firmware
The figure below is a the OPS-SAT threat model
The OPS-SAT threat model
The figure below is an overview of the vulnerabilities identified in the satellite bus and their attacker paths
An overview of the vulnerabilities identified in the satellite bus and their attacker paths
CISPA researchers have contributed to twelve papers at this year’s. Four of these papers have received the highest honor: A Distinguished Paper Award, given out to the top 1% of submitted papers. Congratulations to everyone involved!
🔥 On Tuesday 25 April 2023, the MITRE Corporation released ATT&CK v13, the new version of its framework.
This new version includes significant updates and affects all matrices: Enterprise, Mobile and ICS.
In this article, we summarize the biggest changes : and will go through more details.
✔️ Addition of « Pseudocode analytics for Detection »: I understand this is the most important change in ATT&CK v13. It adds detailed recommendations to the TTPs in the Enterprise matrix to improve their detection by providing more precision and context on what to look for and collect. This new information can be consulted in the CAR (Cyber Analytics Repository) database.
✔️ Addition of new data sources for the Mobile matrix: Data sources represent information that can be collected from logs or probes. They also include characteristics that make it possible to identify the specific properties/values of a data source that are relevant to the detection of a technique or sub-technique.
✔️ Update of the ICS matrix: overhaul of assets, addition of new techniques and refresh of campaign mapping
✔️ Update of APT groups and attack campaigns with the possibility of cross-domain mapping
✔️ Improved coverage of the Cloud: addition of new technologies and completion of execution and lateral movement techniques
✔️ Improved coverage of Linux: updated techniques and sub-techniques with a better understanding of attacks
✔️ Improvements to the web interface, mainly in the search module
✔️ New changelog types to help identify more precisely what has changed in ATT&CK.
“we’re working toward enhanced tools for lower-resourced defenders, improving ATT&CK’s website usability, enhancing ICS and Mobile parity with Enterprise, and evolving overall content and structure this year”
Amy L. Robertson
🤩 A v14 is already announced for October with more details at ATT&CKCon 4.0 which takes place on 24-25 October 2023 :
The MITRE ATT&CK framework is a globally recognized knowledge base and methodology for understanding, organizing, and classifying cyber threats and tactics used by adversaries during different stages of a cyber attack. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
The framework was developed by MITRE, a not-for-profit organization that operates federally funded research and development centers (FFRDCs) to address various challenges faced by the U.S. government. However, the framework has gained widespread adoption in the cybersecurity community and is used by organizations around the world.
The MITRE ATT&CK framework provides a comprehensive model that describes the entire lifecycle of a cyber attack, from initial reconnaissance and weaponization to lateral movement, data exfiltration, and impact. It consists of a matrix that outlines various tactics and techniques employed by adversaries, along with information on the platforms they target (e.g., Windows, macOS, Linux) and the types of software they use.
The framework is organized into several categories, including Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. Each category is further divided into specific techniques and sub-techniques that adversaries may employ.
For each technique, the framework provides detailed information on how it works, the potential impact, and real-world examples of its usage by known threat actors. This knowledge base allows organizations to better understand the tactics and techniques employed by adversaries and assists in building effective defensive strategies and improving incident response capabilities.
By utilizing the MITRE ATT&CK framework, organizations can map observed adversary behaviors to specific techniques, identify security gaps, prioritize defenses, develop threat intelligence, and share information with the broader cybersecurity community. The framework serves as a common language and reference point for cybersecurity professionals, enabling them to collaborate and exchange knowledge on emerging threats and effective defense strategies.
Overall, the MITRE ATT&CK framework plays a crucial role in enhancing cybersecurity awareness and readiness, facilitating the development of proactive defense measures, and improving the overall resilience of organizations against cyber attacks.
CYSAT ’23 is the first conference in Europe dedicated to satellite and space industry cyber security. It took place from 26 to 27 April 2023 and brought together key players from the European space industry to share challenges and solutions related to cyber risks and cyber security in space.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT will highlight Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
What you will watch:
An exclusive testimony by Colonel Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine. A year since the cyber-attack on satellite network KA-SAT, Potii will reflect on what lessons can be learned from this attack.
Talks and keynotes from renowned industry experts, including Philippe Baptiste, President of CNES, Jean-Marc Nasr, Vice-President Space at Airbus Defence and Space, Massimo Mercati, Head of Security at ESA and Greg Wyler, founder of E-Space.
Workshops and demonstrations highlighting the know-how of the space industry
To find the full programme and more information on the event, visit: https://cysat.eu/
You will find below the full recording of the 2 days of conferences with all the speakers.
CYSAT, the only European event about cybersecurity in the space industry
CYSAT is the annual rendez-vous of all professionals at the crossroad between space and cyber. The 3rd edition will be taking place in Paris on April 26-27th at Station F and online.
CYSAT 2023
Here is the final retrospective of CYSAT 2023. We hope you enjoyed this third edition, which took place in Paris on April 26 and 27, 2023, and we hope to see even more of you in 2024.
Let’s continue to raise awareness about cybersecurity in space !
Opening of CYSAT 2023 with Lionel Suchet from CNES
Space is the new frontier of cybersecurity. The growing amount of space data collected and processed in the cloud makes cybersecurity a fundamental topic. CYSAT 2023, as the biggest European event dedicated to space cybersecurity, paved the way to a whole new set of reflexions within the European context.
As the COO of CNES, the French government space agency, Lionel Suchet was appointed Director of Innovation, Applications and Science. This new directorate (DIA) is tasked with supporting the interests, requirements and challenges of all potential users of space data and missions, and planning and proposing CNES’s future orbital systems with a view to nurturing creativity and driving innovation.
CYSAT 2023: Fireside chat with Greg Wyler, E Space
Greg Wyler is Founder, CEO and Chief Architect at E-Space, a global space company focused on bridging Earth and space with the world’s most sustainable low Earth orbit (LEO) satellite network.
With E-Space, Greg has re-imagined LEO satellite system design, manufacturing, economics and service delivery to overcome the limitations associated with legacy LEO systems. Greg is a recognized technology entrepreneur, engineer and visionary, with a proven track record of creating and growing innovative space companies.
In 2007, he founded O3b Networks, followed by starting OneWeb in 2012. Both have proven successful, leveraging satellite technology to fuel global connectivity missions. Greg holds more than 35 patents related to the design, implementation and use of satellite communications technology.
Hack CYSAT 2023 – World premiere: hacking and recovery of a flying satellite
For the third edition of CYSAT, the biggest European event entirely dedicated to cybersecurity for the space industry, taking place on 26-27 April 2023 at Station F in Paris, the European Space Agency (ESA) set up a satellite test bench to simulate attempts to seize control of OPS-SAT, a nanosatellite operated by the agency for demonstration purposes.
Thales’s offensive cybersecurity team stepped up to the challenge, identifying vulnerabilities that could enable malicious actors to disrupt operation of the ESA satellite.
Thanks to ESA and Thales for their hacking demonstration and involvement to raise awareness on cybersecurity risks in the space industry.
CYSAT 2023: Live from Kyiv with General Oleksandr Potii
Live from Kyiv with General Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine
CYSAT 2023: Panel « Protection of space systems in the EU »
Panel moderated by Mathieu Bailly, Director of CYSAT and VP space at CYSEC
Guillaume de La Brosse, Head of Unit – Innovation, start-ups, economics at European Commision DG-DEFIS : Protection of space systems in the EU : a paradigm shift ?
Rodrigo da Costa, executive director of EUSPA : EUSPA and the security of the EU Space Program
Claude Schanet, Deputy Chair Security Accreditation Board at EUSPA : EUSP SAB – EU Space programme’s security accreditation authority
CYSAT 2023: Panel « Information sharing and collective intelligence for the global space industry »
Panel moderated by Florent Rizzo, CEO of CyberinFlight
Erin Miller, Executive Director at SPACE-ISAC
Paul Varela, Security engineer at EUSPA
Andre Adelsbach, VP Group Information and Cyber Security of SES
Samuel Visner, Technical Fellow at MITRE & Vice-chair at Space-ISAC
CYSAT 2023: Panel « Overview of cybersecurity challenges for the IRIS2 constellation »
Panel moderated by Mathieu Bailly, Director of CYSAT and VP Space at CYSEC
Nicolas Guillermin, EU Satellite Navigation Programmes Manager at DG for Defence Industry and Space at European Commission
Christophe Allemand, 4S Strategic Programme Line Manager at ESA
Massimo Mercati, Head of Security Office at ESA
CYSAT 2023: Panel « What are the cybersecurity challenges for the IRIS2 constellation »
Panel moderated by Badia Belkouchi, Head of digital and data at Euroconsult
Yacine Felk, COO and co-founder of CYSEC
Alain Yvon, Head of cybersecurity laboratory at Thales SIX
Etienne Gérain, Information security expert at Priamos
Walter Ballheimer, CEO of Reflex Aerospace
Bertrand Leconte, Ground segment security expert at Airbus Defense and Space
CYSAT 2023: Keynote « The Risk governance model for supply chain cybersecurity in space »
Keynote by Rhea Group :
Matteo Merialdo, director cybersecurity products and engineering
Ana-Maria Matejic, director cybersecurity services and operations
CYSAT 2023: Keynote « The war in Ukraine from a space cybersecurity perspective »
Keynote presented by Clément Poirier, Resident fellow at ESPI
CYSAT 2023: Keynote « The approaches taken by the German Space Agency »
Keynote by Sabine Philip-May, Head of Product Assurance & Project support department at DLR
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
MITRE CALDERA is a framework for automating cyber defense testing. CALDERA is developed by the MITRE Corporation, a nonprofit organization based in the United States. This framework enables cybersecurity professionals to simulate attacks and defense scenarios in a controlled environment.
CALDERA provides a platform for creating, executing, and analyzing attack campaigns using various tactics, techniques, and procedures (TTPs). It allows users to generate realistic threat scenarios, test their defensive capabilities, and assess the effectiveness of their security measures. The framework supports the emulation of adversary behaviors and can be used for red teaming, threat intelligence analysis, and security tool evaluation. CALDERA aims to enhance organizations’ ability to detect, respond to, and mitigate cyber threats.
MITRE CALDERA is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.
The framework consists of two components:
1. The core system. This is the framework code, including an asynchronous command-and-control (C2) server with a REST API and a web interface.
2. Plugins. These are separate repositories that hang off of the core framework, providing additional functionality. Examples include agents, GUI interfaces, collections of TTPs and more.
MITRE Caldera™ for OT
At the RSA 2023 conference, MITRE released its MITRE Caldera for OT tool, which allows security teams to run automated adversary emulation exercises that are specifically targeted against operational technology (OT).
As MITRE CALDERA is built on the MITRE ATT&CK™ framework, MITRE Caldera for OT is built on the MITRE ATT&CK™ for ICS framework.
“Cybersecurity within critical infrastructure is paramount for national security, the economy, and the safety of the public,” said Mark Bristow, director, Cyber Infrastructure Protection Innovation Center, MITRE.
“OT and industrial control systems (ICS) need innovative security solutions in order to be more resilient against increasing cyber threats. Often, a compliance-based approach has been taken to ICS cybersecurity which ultimately focuses on ‘easy to measure’ security controls like patch levels and password complexity. Instead, MITRE is offering better ways to measure risk and emulate threats that allow us to prioritize which potential scenarios would have the most impact on essential community services,” Bristow continued.
How can ICS/OT organizations know their cyber defenses are robust?
“During the last few years, OT owners and operators have made significant investments to increase their security postures. While these investments are a great step forward, many of these capabilities have not been thoroughly validated to ensure they are working as designed,” added Bristow. “Instead, MITRE Caldera for OT enables security teams to evaluate their cyber defenses against known OT adversaries.”
OT security teams can leverage MITRE Caldera for OT as an automated, preventive tool to examine their OT cyber environment and determine if there are any existing vulnerabilities that adversaries could exploit or gaps in their security architecture.
MITRE Caldera for OT, as part of the MITRE Caldera framework, provides OT-focused plug-ins to enhance red or blue team training, product testing and evaluation, or even measurement against acceptance testing milestones.
Built on the MITRE ATT&CK for ICS framework, MITRE Caldera for OT emulates the attack path and attacker capabilities that are defined either through ATT&CK for ICS or other custom-built plug-ins.
MITRE Caldera for OT Plugins can be found on Github here (coming soon, around mid-May).
Time to designate space systems as critical infrastructure
Recently, the Cybersecurity Solarium Commission (Solarium CSC 2.0) has endorsed designation of space systems as a critical infrastructure sector.
The Cyberspace Solarium Commission (CSC) was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to « develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences. » The finished report was presented to the public on March 11, 2020. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 reauthorized the Commission to collect and assess feedback on the analysis and recommendations contained within the final report, review the implementation of the recommendations contained within the final report, and completing the activities originally set forth for the Commission.
Until today, CISA (Cybersecurity and Infrastructure Security Agency), the US Federal Agency, defined a list of the 16 critical infrastructure sectors.
In the future, space systems will have to be added to this list of critical infrastructure sectors.
We written an article about this announcement here.
Convergence of IT and OT in the Critical Infrastructure Space systems
Space systems can often be seen as a convergence of IT, OT ans ICS in the Critical Infrastructure Space.
That’s why we often use and apply MITRE ATT&CK for ICS framework to identify attack path abd to know how a space system can be attacked.
Need to learn more about MITRE ATT&CK for ICS framework ?
MITRE ATT&CK for ICS framework is the MITRE ATT&CK framework applied on a specific domain.
The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.
The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page)
Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »
Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)
« The space sector is in need of new frameworks and methodologies specific to our unique operating environment » said Gregory Falco (Aerospace Security & Space Technology Asst. Prof at Johns Hopkins, Cybersecurity PhD from MIT).
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA)
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA) framework was already in place. SPARTA is an ATT&CK® like knowledge-base framework but for for Space Missions. SPARTA matrix is intended to provide unclassified information to space professionals about how spacecraft may be compromised due to adversarial actions across the attack lifecycle. You can learn more about SPARTA in our article here.
Space Attack Research and Tactic Analysis (SPARTA) matrix
The SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA
There was also the SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA. SPACE-SHIELD is an ATT&CK® like knowledge-base framework for Space Systems. It is a collection of adversary tactics and techniques, and a security tool applicable in the Space environment to strengthen the security level. The matrix covers the Space Segment and communication links, and it does not address specific types of mission. You can learn more about SPACE-SHIELD in our article here.
SPACE-SHIELD or ATT&CK Matric for Space
The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
Now, after more than five years spent researching and working on space system cybersecurity, Dr. Jacob Oakley released the Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework.
About Dr. Jacob Oakley
Dr. Jacob Oakley is a cybersecurity professional and author with over 17 years of experience. A foremost expert on offensive cybersecurity, cyber warfare, and space system cybersecurity, he has advised Department of Defense (DoD) and Fortune 500 executives on strategic mitigation of risks and threats to globally distributed, multi-domain network architectures.
Dr. Jacob Oakley
The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity framework was developed to provide a taxonomy for understanding, protecting against, and decomposing cybersecurity compromises of space-resident systems, otherwise known as space vehicles (SVs).
TREKS is intended to provide a bridge between the existing frameworks available to address, categorize, taxonomize and analyze cybersecurity compromises of traditional terrestrial based network architectures and the future of cybersecurity for space where those frameworks become more applicable as compromises become more frequent, prolific, and acknowledged. This framework can provide a taxonomy that can be used to characterize foundational aspects of cyber threats to SVs in a way that allows for the identification of trends and enables analysis of this niche target set at the intersection of the space and cyber domains.
Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
« This framework should be utilized to typify a space vehicle (SV) as a target, based on the function of that SV and an actor’s motivation for targeting it, tying those compromise characteristics to what vectors could be leveraged to exploit subsystems and execute effects related to said motivation. The initial version of this framework could be seen as satellite centric, but the intent is to continuously build out the understandings surrounding this taxonomy to best incorporate all manner of SVs, from satellites to weapons to crewed vessels, labs and beyond. » said Dr. Jacob Oakley.
The TREKS Companion: A Guidebook to the TREKS Cybersecurity Framework
The purpose of this guidebook is to act as a reference to the included TREKS cybersecurity framework and aid in its use by the offensive and defensive cybersecurity communities as well as space system owners and operators.
About future work
This guidebook will continue to be a living document, edited, and updated based on feedback from both the space and cyber communities, with new versions released as appropriate.
As was stated at the beginning of this guidebook, this is intended to be a continuously updated living document to make it easier to leverage and utilize the TREKS cybersecurity framework and act as a mechanism to keep the framework itself up to date.
« Like the Aerospace Corporation’s SPARTA framework contextualizes unique vulnerabilities and countermeasures for the space vehicle, the TREKS framework highlights the unique kill chain for the space vehicle. I encourage Space ISAC and others deep in the weeds of space cyber ops to consider leveraging this » said Gregory Falco.
For usage and licensing information please visit the treksframework.org website.
CYSAT 2023 is over. It’s time to review everything that has happened during this amazing event. But first, let’s remember what CYSAT is.
CYSAT is the leading European cybersecurity and space exhibition that took place 26th-27th April in Paris (Station F). This is the biggest European event entirely focused on cybersecurity for the space industry.
Since 2021, the event brings space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT highlighted Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
To find the full programme and more information on the event, visit: https://cysat.eu/
Mathieu Bailly, VP at CYSEC, Co-founder and Director of CYSAT, has published on his linkedin profile about the Hacking demo at CYSAT 2023: world first or « déjà vu »❓ Here is what he knows 👇
We publish these key takeaways below with his permission. Thank’s to Mathieu for sharing whith us its key takeaways.
Mathieu Bailly, VP Space chez CYSEC et Directeur de CYSAT
#Hacking demo at CYSAT 2023: world first or « déjà vu »❓Here is what I know 👇
The exact claim is first « ethical hacking demonstration performed on a flying satellite » 🏅
⚠️ Every word counts!
1️⃣ in the real world
Since satellites have been used for intelligence and military communications oh boy they’ve suffered many cyber attacks. Some have been successful, many haven’t.
I’d say most of the « attacks » publicly disclosed have not actually managed to disturb the nominal operations of the space segment
Examples include the Luch-Olympe fly-by, the Viasat attack (the Ka-sat satellite is still working perfectly fine!), all the jamming / spoofing attacks in the black Sea or Iran, etc etc
For the very few which seem to be related to the space segment I’d be very careful as most of the time the actual facts remain scarce and hard to prove (example: ROSAT story in 1998)
2️⃣ Security research
Some researchers did some really interesting stuff to point out the vulnerabilities of space systems but to my best knowledge never actually went all the way
I’m thinking about James Pavur for example that was among the pioneers in space security. He made a big splash by showing he was able to #eavesdrop quite easily on sensitive data transmitted by satellite 📡 but never performed an experiment on the satellite itself.
3️⃣ Ethical hacking
In terms of ethical hacking the number one reference is the US Air Force competition Hack-a-sat.
💬 « it’s been done already in Hack-a-sat » is the number one comment I’ve read below the CYSAT articles.
Well, no. Not yet exactly.
Hack-a-sat 1, 2 and 3 were done on the ground. On flatsats. Nothing was flying in orbit. Check out the testimonials of European hackers at CYSAT 2021 and 2022.
However it is true that hackers will get the chance to hack « Moonlighter », a flying 3U cubesat during Hack-a-sat 4 later this year 👾
4️⃣ Hack CYSAT 2022
There is also a bit of confusion regarding of what happened last year.
We had this idea of hacking a flying satellite back in the summer 2021 with CYSEC CEO and CYSAT co-founder Patrick Trinkler.
It took us a while to find a satellite operator that was okay to let hackers play with it
Finally I heard of OPS-SAT which I thought would be the ideal spacecraft to do a security demo.
Then it took David Evans and I some time to build the case to ESA’s management.
Finally in February 2022 we published the Hack CYSAT open call to invite hackers to submit their ideas, among them Didelot Maurice-Michel that blogged about a vulnerability he spotted and told ESA to fix it, which ESA did. But nothing was done on the 🛰️
5️⃣ random articles
Various articles out there are mixing the words « satellite » and « hacking », like the guys that « hijacked » a satellite to play a movie, etc etc. None of them did what we claim the Thales team did at CYSAT.
👉 So to me it looks like it had never been done before but maybe I’m wrong!
👇 PLEASE comment below if you have other references!
Check this demo in video
All 2023 CYSAT videos are online
All videos about 2023 CYSAT in Paris, the biggest European event around cybersecurity for commercial space, are online and can be seen here.
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
CYSAT 2023 is over. It’s time to review everything that has happened during this amazing event. But first, let’s remember what CYSAT is.
CYSAT is the leading European cybersecurity and space exhibition that took place 26th-27th April in Paris (Station F). This is the biggest European event entirely focused on cybersecurity for the space industry.
Since 2021, the event brings space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT highlighted Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
To find the full programme and more information on the event, visit: https://cysat.eu/
Mathieu Bailly, VP at CYSEC, Co-founder and Director of CYSAT, has published on his linkedin profile what was the point of the Thales demo at CYSAT. First, Mathieu what was NOT part of the demo.
We publish these key takeaways below with his permission. Thank’s to Mathieu for sharing whith us its key takeaways.
Mathieu Bailly, VP Space chez CYSEC et Directeur de CYSAT
For the short-medium term it is reasonable to assume that cyber attacks on space systems disturbing the nominal operations of the mission (i.e. taking control of the spacecraft bus and/or payload but excluding eavesdropping) remain ground-based.
That means discarding scenarios involving rogue satellites with capabilities to perform non-cooperative rendez-vous. To me that’s fair for the next 5 years.
2 main scenarios:
1. the spacecraft is flying and operational
👉 then the attacker has to go through the ground segment (mission control, ground stations, etc) before reaching the spacecraft
👉 the attacker is capable to send TMTC that are valid and executed on board without the operator noticing or able to react (e..g via its own ground stations)
2. the spacecraft is under development on ground (design, assembly, test, transport, launch)
👉 the attacker manages to access information (e.g. cryptographic keys) or to install a malware / backdoor on board (e.g. corrupting the flight control software)
These are the typical scenarios with the biggest likelihood x severity scores.
👉 None of the above were covered by the Thales demo since the ground segment was out of the scope as the team was granted the access to OPS-SAT (as any other experimenter).
2️⃣ On-board: not representative of most missions ❌
🔹On-board, OPS-SAT is also very « unique » since it’s been pioneering many technology innovation like flying Linux, re-configuring FPGAs on a daily basis, etc (read all OPS-SAT firsts here 🔗 https://lnkd.in/eC3eDgDv) 💪
👉 So the demo by Thales has been done a spacecraft that is currently not representative of the current missions in operations or close to the launch pad (especially institutional missions!)
❓ So what was the point of this demo then ❓
I’m getting there!
🔹The point was to show that current space tech trends (advanced on-board processing, regular in-orbit reconfiguration, as a service models, etc) are all great progress that will soon be adopted by most operators BUT that come at the expense of greater cyber risks 👾
🔹And currently the space industry (especially #newspace) is embracing these innovations without the security culture that should come with it 🤠
👉That’s why showing how security experts can manipulate data, take control of the Attitude and Control system of a modern spacecraft by using various methods of privilege escalation exploiting flaws on access management and Linux helps to spread the word: 📢 BE PREPARED!
Summary of the full attack flow
Summary of the full Thales attack flow
Check this demo in video
An analysis of the CYSAT 2023 Demo by SPARTA team
Brandon Bailey & Brad Roeher from the SPARTA team analyzed, in this article, Thales Group’s CYSAT ’23 presentation material to deconstruct the experiment, extract lessons learned, and document potential countermeasures.
The SPARTA (Space Attack Research and Tactic Analysis) Framework was used to identify the tactics, techniques, and associated countermeasures associated with the experiment/attack.
They utilized the SPARTA Navigator tool to construct the attack chain and generated an Excel export to pinpoint relevant countermeasures. Subsequently, a thorough analysis is conducted to ensure the applicability of the associated countermeasures to the specific Tactics, Techniques, and Procedures (TTPs).
The SPARTA Navigator proves invaluable in presenting a comprehensive array of countermeasures categorized by defense-in-depth, effectively minimizing the risk posed by TTPs. By leveraging the SPARTA Navigator, we successfully map the attack chain to SPARTA TTPs, as exemplified below.
Upon exporting the data from the SPARTA Navigator, they have identified eight countermeasures. Out of these, five pertain to terrestrial countermeasures intended to prevent vulnerable software from infiltrating the spacecraft. The remaining three countermeasures are implemented onboard the spacecraft itself, serving to protect against and/or detect the TTPs executed during the experiment.
All videos about 2023 CYSAT in Paris, the biggest European event around cybersecurity for commercial space, are online and can be seen here.
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
The Cyberspace Solarium Commission (CSC) was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to « develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences. » The finished report was presented to the public on March 11, 2020. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 reauthorized the Commission to collect and assess feedback on the analysis and recommendations contained within the final report, review the implementation of the recommendations contained within the final report, and completing the activities originally set forth for the Commission.
Today, the Cybersecurity Solarium Commission (Solarium CSC 2.0) has endorsed designation of space systems as a critical infrastructure sector.
Time to Designate Space Systems as Critical Infrastructure
America’s adversaries recognize the importance of space systems to U.S. national security and economic prosperity and have tested capabilities to destroy them.
Find below the Executive Summary of the report
You can access to the Executive Summary of the report here.
“We’re in a space race” with China, NASA Administrator Bill Nelson warned in December. The nature of that race is different from the Cold War contest with the Soviet Union that America fought and won. The national security components of the space race today include not just weapons systems but also the security of critical infrastructure — much of which relies on global positioning satellites, remote imagery, and advanced communication. The economic aspect is just as striking. The Space Foundation, a nonprofit advocacy group, has determined that the global space industry generated $469 billion in revenue in 2021. This number will only increase with technological and manufacturing innovation.
More than a decade ago, the U.S. National Security Space Strategy warned that space will become more “congested, contested, and competitive.” This warning proved prescient, but the U.S. government has not done enough to adapt to that reality. Major portions of American space systems are still not designated as critical infrastructure and do not receive the attention or resources such a designation would entail. The majority of today’s space systems were developed under the premise that space was a sanctuary from conflict, but this is no longer the case. The threat from Russia and China is growing. Both those authoritarian powers have placed American and partner space systems in their crosshairs, as demonstrated by their testing of anti-satellite (ASAT) capabilities. The United States needs a more concerted and coherent approach to risk management and public-private collaboration regarding space systems infrastructure.
After interviewing more than 30 industry and government experts, the authors have concluded that designating space systems as a U.S. critical infrastructure sector would close current gaps and signal both at home and abroad that space security and resilience is a top priority. In 2013, Presidential Policy Directive-21 (PPD-21) designated 16 critical infrastructure sectors “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Space systems clearly meet this threshold.
The term “space systems” encompasses the ecosystem from ground to orbit, including sensors and signals, data and payloads, and critical technologies and supply chains. (See Figure 1.) This terminology (which sidesteps the conceptual debates about whether “space” is an infrastructure or only a domain) aligns with presidential Space Policy Directive-5 (SPD-5) of September 2020, which defines space systems to include ground systems, sensor networks, and space vehicles. SPD-5 provided a set of voluntary best practices “to guide and serve as the foundation for the United States Government approach to the cyber protection of space systems.” This report seeks to build on these efforts, which constituted an important step toward recognizing and addressing the implications of the nexus between the cyber and space domains.
Protecting space systems will require an enhanced model of public-private partnership with genuinely shared risk management responsibilities. On the government side, the agency that serves as lead sector risk management agency (SRMA) for this sector will have a demanding task — but one that NASA is well suited to fulfill so long as it receives the extra resources necessary to develop its capacity to protect national security, civil, and commercial systems. There will need to be subgroups within the sector that maintain relationships with other government agencies. One subgroup should deal with defense and intelligence systems, and another with communications systems already regulated by the Federal Communications Commission (FCC). But no alternative candidate for lead SRMA possesses the same range of requisite capabilities as NASA.
Fostering security and resilience in the space systems sector will require mitigating unique cybersecurity challenges that stem from the geographic and technological particularities of space, as well as new and emerging space-based missions. Substantial investment through congressional appropriation will be imperative because policy without resources is merely rhetoric.
This report does some recommendations for Congress
Recommendation 1: Designate space systems as a critical infrastructure sector.
1.1 – Designate NASA as the SRMA for the space systems sector.
1.2 – Create two directed subgroups within the sector.
1.3 – Do not assign the SRMA as a regulatory role.
1.4 – Articulate and offer industry a clear value proposition.
1.5 – Strengthen international norms and standards.
1.6 – Integrate the National Space Council into the governance of the space systems sector.
Recommendation 2: Give NASA, the lead SRMA, the resources to effectively accomplish the mission.
2.1 – Direct the Congressional Research Service to undertake a legislative review.
Recommendation 3: Marshal and organize the commercial space community to play an instrumental role in governance.
3.1 – Establish a space systems sector coordinating council (SCC).
3.2 – Task the SCC, through its charter, with working to reduce risks to the security and resilience of the commercial space sector.
3.3 – Leverage and build upon the existing work of Information Sharing and Analysis Centers (ISACs), including the Space ISAC.
Recommendation 4: Create a co-led risk management enterprise.
4.1 – Jointly elaborate and widely implement cybersecurity best practices.
4.2 – Pair commercial and government capabilities to model a dynamic risk environment.
4.3 – Add space assets positioned outside of traditional operational areas to enhance U.S. resilience.
The space systems threat spectrum
Here is a quite nice graphic showing at a high level space systems and the threats we have to address.
The examples cited below are illustrative and not exhaustive.
In-Orbit segment
Beams (Tracking/Other Uses), Satellites. Spacecraft. Space Debris,
and Space Mining and Manufacturing
THREATS : Anti-satellite, Command Intrusion, Denial Of Service (DoS), Malware, Payload Control, Space Debris
CYSAT 2023 is over. It’s time to review everything that has happened during this amazing event. But first, let’s remember what CYSAT is.
CYSAT is the leading European cybersecurity and space exhibition that took place 26th-27th April in Paris (Station F). This is the biggest European event entirely focused on cybersecurity for the space industry.
Since 2021, the event brings space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT highlighted Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
To find the full programme and more information on the event, visit: https://cysat.eu/
Mathieu Bailly, VP at CYSEC, Co-founder and Director of CYSAT, has published on his linkedin profile the key takeaways he retained during these 2 days. We publish these key takeaways below with his permission. Thank’s to Mathieu for sharing whith us its key takeaways.
Mathieu Bailly, VP Space chez CYSEC et Directeur de CYSAT
My 9️⃣ take-aways from CYSAT season 3 👇 from a happy event director!
1️⃣ A success💥
🔹Our mission 🎯 to raise awareness about #cybersecurity in the #space industry is progressing
🔹This can only be achieved by connecting people. We double the number of participants every year 📈, we manage to get all players involved ✅
🔹Many positive feedback of people happy to meet and network. Just for that CYSAT season 3 was a success!
2️⃣ Tech sessions were a big hit!
🔹NEW this year, many people mentioned the quality of the presentations
🔹Thanks to the startups and researchers on stage (with the normal rate of live demo failures 🤓)
🔹Kudos to all presenters, especially my colleagues Yannick Roelvink and Louis Masson for presenting respectively the CYSEC products ARCA SATCOM and SATLINK 🚀
3️⃣ Ukraine and Viasat 🇺🇦
🔹The 2022 attack definitely shook off the industry
🔹Was important for me to have a first-hand testimonial of General Oleksandr Potii live from Kiev explaining the critical importance of 🛰️
🔹Not only for comms and intelligence on the battlefield but also to allow civilians to stay connected 🌍
4️⃣ Team Europe 🇪🇺
🔹Honored to have space execs coming now to CYSAT using the event to make major announcements
🔹The EU commission represented by Guillaume de La Brosse took the opportunity to promote the upcoming EU Space law and EU Space ISAC. These are two big news, can’t wait to hear more about it
5️⃣ #IRIS2: high expectations
🔹One of the hottest topic this year. Stakes are high and timing is tight!
🔹Was great to have a more extensive appreciation of the Comission’s perspective on the cyber aspects with Nicolas Guillermin
🔹Both EUSPA with Rodrigo da Costa and ESA with Massimo Mercati presented their approach and upcoming opportunities for the industry
6️⃣ Hacking demo 👾
🔹Thales is making the buzz after presenting their successful demo of hacking and recovering ESA’s OPS-SAT 👏
🔹This is something we’ve been trying to do since summer 2021 so very happy to finally see it on stage 👊
🔹Thales team did a great job at explaining the technical aspects of the demo ⚙️ and were very transparent about the support they received from the OPS-SAT team, 👌 David Evans
7️⃣ Greg Wyler: « Less is more »
🔹Very happy to host Greg, a legendary space entrepreneur now full steam with his latest venture E-Space.
🔹I liked his approach of making things as simple as possible to reduce the attack surface and make the CISO or the PSO’s jobs a realistic task.
8️⃣ Finding talents! 👨🎓 👩🎓
🔹I think every single speaker I was on stage with said they were looking for talents. This is a major challenge now
🔹We had about 50 students at CYSAT with free tickets, hope they were able to make the most of it!
9️⃣ CYSAT 2024
Not everything was perfect this year, the acoustic was terrible the first morning, coffee would be appreciated at the start of the day, food can be massively improved, etc we will learn and improve for next year!
All 2023 CYSAT videos are online
All videos about 2023 CYSAT in Paris, the biggest European event around cybersecurity for commercial space, are online and can be seen here.
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
Thank’s to Calogero Vinciguerra (Space Policy Officer & Space Threats Response Architecture DO at the European External Action Service, EEAS) and Kimberly King (Senior Engineer at The Aerospace Corporation) for helping me to write this article.
Aerospace Corporation released SPARTA v1.3, a new version of the Space Attack Research and Tactic Analysis (SPARTA) matrix.
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA) matrix is intended to provide unclassified information to space professionals about how spacecraft may be compromised due to adversarial actions across the attack lifecycle.
SPARTA is an ATT&CK® like knowledge-base framework but for for Space Missions.
SPARTA framework offers space professionals a taxonomy of potential cyber threats to spacecraft and space missions.
SPARTA framework “is intended to provide unclassified information to space professionals about how spacecraft may be compromised via cyber means.”
SPARTA v1.3 delivers significant updates. You can find all relevant updates in this blog post.
SPARTA cyber-security framework defines and classifies the activities, tactics, techniques and procedures (TTP) implemented by malicious hackers, aimed at compromising the functionality and operation of both space vectors and satellite systems in orbit.
In v1.3, a new presentation from CySat 2023 has been posted here.
Video of the CYSAT 2023: Demo « Hacking Spacecraft using Space Attack Research and Tactic Analysis »
Demo by Brandon Bailey (SPARTA), Senior Cybersecurity Project Manager at The Aerospace Corporation.
What about SPARTA vs. ATT&CK MITRE ?
The current cyber-security frameworks – MITRE’s ATT&CK and Microsoft’s Kubernetes – while representing the industry standard for analyzing attacks on terrestrial devices, however, do not sufficiently cover the space segment scenarios.
What about SPARTA vs. SPACE-SHIELD ?
SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) is an ATT&CK® like knowledge-base framework for Space Systems. It is a collection of adversary tactics and techniques, and a security tool applicable in the Space environment to strengthen the security level. The matrix covers the Space Segment and communication links, and it does not address specific types of mission. You can learn more about SPACE-SHIELD here.
Need to go futhermore MITRE ATT&CK framework ?
To go futhermore the concept of MITRE ATT&CK framework applied on specific domain, you can also have a look on the MITRE ATT&CK for ICS Matrix.
The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.
The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page )
Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »
Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)
About Aerospace Corporation
Source : Linkedin Profile
The Aerospace Corporation has provided independent technical and scientific research, development, and advisory services to national-security space programs since 1960. We operate a federally funded research and development center (FFRDC) for the United States Air Force and the National Reconnaissance Office and support all national-security space programs. We also apply more than 40 years of experience with space systems to projects for civil agencies like NASA and the National Oceanic and Atmospheric Administration, commercial companies, universities, and some international organizations in the national interest.
From our inception, our highly skilled technical people have focused on ensuring the success of every mission and developing the most effective and economic space-related hardware and software in the world. Our insight and involvement in space programs has significantly reduced the risk of launch failure and increased both satellite endurance and performance. Avoiding a single catastrophic failure resulting in the loss of operational capabilities can save the government more than three times the total annual Aerospace FFRDC budget.
We don’t manufacture anything. Our greatest asset is the technical expertise of our people. Our involvement spans all facets of space systems: including systems engineering, testing, analysis, and development; acquisition support; launch readiness and certification; anomaly resolution; and the application of new technologies for existing and next-generation space systems. Our state-of-the-art laboratory facilities are staffed by some of the leading scientists in the world.
🌟 I'm thrilled to share that I've earned the CISM (Certified Information Security Manager) from ISACA. You can view my achievement on Credly.
🌍 This...
Attacks on OT (Operational Technology) systems are made easier due to the OT/IT convergence.
The figure below is showing an example of OT/IT convergence.
Attacks on OT...
What an incredible start to 2024.
I've had some incredible opportunities and I've been able to do some really interesting things.
I continue my role as...
I’m very proud to receive the following certificate of completion for having successfully completed the training course : « Introduction to Cybersecurity in Space...
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...
