New Satellite Will Help Cyber Defenders Train to Stop Hackers in Orbit


Audio of this article is brought to you by the Air & Space Forces Association, honoring and supporting our Airmen, Guardians, and their families. Find out more at afa.org

NATIONAL HARBOR, Md.—U.S. researchers and military contractors are working on new tools to protect space operations from cyber attackers, and one company has launched a satellite to serve as an on-orbit cyber range to test out defenses, speakers said at the AFA’s Air, Space & Cyber conference last week. 

Terrestrial cybersecurity practices aren’t up to handling the cyber defense of space-based systems like satellite communications and Earth observation constellations, according to Charleen Laughlin, the Space Force’s Deputy Chief of Space Operations for cyber and data . Space operations rely on an architecture that includes ground systems as well as on-orbit assets and the data links that connect them, Laughlin told a panel session at the conference.  

But in recent years, she explained, that architecture has grown “more complex, more distributed and dynamic, and  to include commercial and international partners.” The result is that “traditional cybersecurity methods like continuous monitoring and patching become more difficult, especially in contested environments.” 

To help the military and industry develop new cyber defenses, technology contractor Deloitte has launched a microwave oven-sized satellite into low-Earth orbit to act as “an on-orbit, live-fire cyber training range,” said Deloitte Managing Director Brad Pyburn. 

Deloitte-1, a 22-pound cubesat launched from Vandenberg Space Force Base, Calif., in March, will allow Deloitte and its government and private sector partners “to conduct training operations, test [the satellite], even attack it, and make sure it’s resilient and responds in the way that you want. … It’s a way to train your defensive [cyber] maneuvers against an adversary.” 

Deloitte-1, which was declared operational in June, is the first of a nine-strong constellation Deloitte will launch over the next 18 months, Pyburn said, adding that the satellite was the brainchild of Deloitte Principal Ryan Roberts.  

“Satellites, at their core, are just computers with solar panels on them, and yet they lack the cyber protections of even your phone or laptop,” Roberts told Air & Space Forces Magazine in an interview on the sidelines of the conference. 

An internal white paper Roberts authored in 2019 convinced Deloitte executives to invest $10 million dollars of company R&D money over the past five years to develop Deloitte-1 and get it into orbit. He declined to comment on the costs of getting the rest of the constellation up, but he did point out that Deloitte-1 was generating income for the company. 

In addition to its use as a cyber range, “we also do have an operational mission around [radio frequency] collection. So we’re capturing RF data and monetizing that for various customers,” said Roberts, adding it was important that the satellite was a real business asset and “not just some science fair project.” 

In addition to its operational RF collection payload, Deloitte-1 also carries a prototype on-orbit intrusion detection system, dubbed Silent Shield. Silent Shield is “out-of-band,” explained Roberts, meaning it is set behind a one-way diode: able to receive data so it can monitor the satellite’s outputs and performance, but not able to feed anything back into the satellite’s operating or payload software.  

Deloitte cyber specialists have developed a series of 20 cyberattacks to launch against the satellite, gradually increasing in complexity and sophistication, Roberts said. They’ve launched six so far, including an Address Resolution Protocol spoofing attack, in which the attacker masquerades as an element of the payload.  

Like most satellite buses, Deloitte-1 doesn’t employ authentication, so messages travelling across the bus are treated as trusted data. “The satellite inherently trusts itself,” he explained. “If one part of the payload is saying something to another, there’s no way to check where that message is really coming from, so [an attacker] can spoof that traffic and pretend like they’re that other payload [element], and make [the payload] do something it’s not supposed to do.” 

For the purposes of the exercise, Roberts said, attackers were given access that, in real life, they would have to win by penetrating the ground network or spoofing the RF data link to the satellite. “We’re simulating that the adversary has made it onto the satellite from the ground. We’re coming up through our ground network and putting that particular malware or cyber attack on the … satellite,” he said. 

Silent Shield had successfully detected all six attacks so far, sending alerts to ground controllers. “But I have told the team, we need to keep going with these attacks until there is one we cannot detect, because that’s where we’re really going to learn something. When we reach the edge of Silent Shield’s capabilities, that’s when we start to work on improving it.” 

In 60 days, when all 20 attacks had been launched, Deloitte will turn the range over to “partner organizations,” that Roberts declined to name. They will then be able to run their own attacks against the satellite, testing Silent Shield against outside opponents. “We don’t want to be grading our own homework,” said Roberts. 

Roberts said future satellite launches might include versions of Silent Shield which operate as intrusion prevention systems, not just detecting attacks but responding with automated measures: “Turn off a payload, put it in safe mode, reorient the satellite, whatever we program as pre-approved.” Roberts said. 

Once additional satellites are in orbit, equipped with inter-satellite communications via RF or optical connections, Silent Shield could also be tested against attacks coming from other satellites in the constellation.  

Deloitte-1 is not the first on-orbit cyber range: In 2023, French aerospace defense contractor Thales collaborated with the European Space Agency to launch cyberattacks on ESA’s experimental nanosat called OPS-SAT. The following year, the Air Force Research Lab staged the fourth and final year of its Hack-a-Sat capture-the-flag contest, where five teams of white hat hackers competed to hack the Aerospace Corp.’s Moonlighter experimental satellite. 

The difference, said Roberts, is Silent Shield. Those prior experiments had demonstrated the possibility of attacks. Silent Shield was a proof of concept for defense.  

Deloitte-1 is just one way contractors and government officials are rethinking cyber defenses in space. The Aerospace Corporation, a federally funded research and development center, has developed a taxonomy of cyberattacks called the Space Attack Research and Tactic Analysis matrix or SPARTA. The matrix, referenced by speakers on several panels, breaks down the various stages of cyber and other attacks on satellites, listing the specific actions required to complete each stage of the attack, from reconnaissance to execution and impact, allowing defenders to potentially detect incipient attacks and game out their responses.

Audio of this article is brought to you by the Air & Space Forces Association, honoring and supporting our Airmen, Guardians, and their families. Find out more at afa.org