World’s first in-orbit cybersecurity demonstration at CYSAT

Paris, April 25 th, 2023 – In order to raise awareness about cybersecurity vulnerabilities in space systems, security experts from Thales will present during the CYSAT conference how they managed to ethically hack and safely recover OPS-SAT, a shoebox sized satellite and ‘flying laboratory’ from the European Space Agency (ESA).

Cybersecurity has not been historically a priority for space engineers, rather focusing on maximizing the lifetime of satellites. Today the situation is changing as thousands of satellites capable of collecting and transmitting sensitive data are being launched, raising deep concerns about their resilience against cyberattacks in a tense geopolitical context.

Aside from developing its own security products, CYSEC is organizing the 3rd edition of CYSAT in Paris on April 26-27th, the biggest European event dedicated to cybersecurity for the space industry. Its purpose is to bring 500+ stakeholders to the Station F in Paris: space agencies, leading industrial companies, satellite operators, end-users, startups and universities, to learn about the latest threats, but also security products and services.

Ethical hacking is becoming standard in many industries, its purpose is to reward ethical hackers to identify vulnerabilities in a product or a service. Security teams can then immediately fill the gap by implementing defensive strategies, making the product or service more secure.

Security experts from leading tech company Thales were selected for the “Hack CYSAT” challenge for which ESA’s OPS-SAT – a shoebox-sized flying “laboratory” for in-orbit demonstration of revolutionary new control systems and software that would be too risky to trial on a “real” satellite – was made available.

Thales’s Red Team was asked to propose attack scenarios able to disturb the nominal operations of the satellite by targeting the flight computer onboard, the operating system or the various payloads available on board like a camera, a GPS, and Attitude Determination and Control System, a software-defined radio, etc.

“We’re asking people to do, in a controlled environment, exactly what we don’t want to happen in real life. It’s an exciting opportunity to engage with and learn from the best minds across Europe, using one of ESA’s exciting new missions.” said David Evans, OPS-SAT project manager.

The goal of Hack CYSAT is primarily educational, to show space engineers concretely how hackers think and what damage they could do on a satellite, but also how an attack can be detected, remedied, and eventually prevented.

At CYSAT on April 27 th, the Thales team of four cybersecurity researchers will explain how they managed to access the satellite’s onboard system, use standard access rights to gain control of its application environment, and then exploit several vulnerabilities to introduce malicious code into the satellite’s systems. This made it possible to compromise the data sent back to Earth, in particular by modifying the images captured by the satellite’s camera, and to achieve other objectives such as masking selected geographic areas in the satellite imagery while concealing their activities to avoid detection by ESA.

After the demonstration the satellite was then safely recovered by the OPS-SAT team and the vulnerabilities patched, making OPS-SAT more resilient to cyber threats thanks to the Thales team.