Under ESA’s supervision, a team of experts from Thales Alenia Space recently performed a cybersecurity demonstration that revealed they could covertly access parts of ESA’s OPS-SAT spacecraft that are usually off limits.
OPS-SAT is a flying laboratory which ESA offers to teams from across Europe to test innovative new software that is too risky to load on to normal operational satellites.
Once the Thales team successfully accessed the control layer of the satellite, they were able to demonstrate how they could tamper with images taken with the satellite’s camera and rotate the spacecraft away from its normal pointing.
What happened?
The demonstration was devised by cybersecurity company CYSEC, ESA and Thales. The Thales team then set to work devising a way to upload software to OPS-SAT that looked ‘harmless’ but it actually introduced a vulnerability that they would later exploit. By exploiting this vulnerability at a later time, they successfully accessed the control layer of the software, which is usually off limits for the experimenters.
The software and procedures were first tested on an identical copy of the satellite kept at ESA’s ESOC mission control center. This ensured that it could not do any irrecoverable damage to the satellite before it was installed on board.
Once they gained access to the control layer, the team was then able to replace an image taken with OPS-SAT’s camera and rotate the spacecraft away from the direction it was supposed to be pointing (they changed the satellite’s ‘attitude’).
“The ESA team then recovered the satellite and successfully reverted its software to a previous, safe and secure state,” said Simon Plum, Head of ESA Mission Operations. “This was a well-controlled experiment, in which ESA knew in advance what was going to happen, supervised the tests and retained control throughout the demonstration. The test was done in full isolation from ESA’s operational missions and enabled us to learn even more about possible cyber threats. Thanks to OPS-SAT, our teams across ESA and to the activity’s participants and organizers, such as CYSEC and Thales, we can now further enhance the security of operations at ESOC.”
What was the purpose of the demonstration
Every activity that humankind carries out using computers and other digital systems is exposed to cybersecurity threats. As satellites have become essential for so much of our daily lives, we must ensure they are as secure as possible.
“Spacecraft designers and operators need to understand how potential cyber attackers think. Only then can they build the best possible defence,” said David Evans, OPS-SAT project manager. “Activities like the one carried out by ESA and Thales are often referred to as ‘ethical hacking’ and they are a very effective way for spacecraft engineers to get this knowledge. Watching these attackers work and understanding their methodology was very valuable for us.”
This controlled experiment was an educational exercise and demonstrated the value in having cybersecurity experts with an offensive mindset involved in the development of satellite systems. The OPS-SAT team learned a lot from the experiment and, together with the Thales team and ESA’s Security Office, have used the results of the demonstration to update the security system at OPS-SAT’s SMILE control center.
The method of tampering with the spacecraft highlighted by the Thales team is no longer possible – one less potential path of attack for a real threat. Are other satellites at risk?
OPS-SAT is unique. Its role as a platform for experimentation and innovation means teams external to ESA are allowed to execute software on board the spacecraft. No other ESA satellite operates in this way.
The Thales team also had advanced access to information about OPS-SAT’s inner workings and were allowed to carry out tests on OPS-SAT’s flat sat as part of the cooperation.
OPS-SAT’s ground-based IT systems are isolated from those of any other ESA satellite, so the Thales team and other OPS-SAT experimenters cannot gain access to any other satellite systems.
Was OPS-SAT damaged?
OPS-SAT is designed to ensure it can always be reset to a safe state — in case even a well-meaning experiment causes any unexpected and potentially harmful effects. It also has an in-built system to monitor the satellite’s health and prevent it from becoming irrecoverable.
This cybersecurity experiment was performed entirely within OPS-SAT’s ‘random access memory’ (RAM). This computer memory was completely reset after the demonstration ensuring that any compromised software was removed, and the satellite returned to a known state.
No damage was done to OPS-SAT. OPS-SAT at Europe’s largest cybersecurity conference for the space sector
ESA and the Thales team presented the results of the cybersecurity demonstration at the CYSAT 2023 conference. The yearly event, organized by CYSEC, brings together the European space community to raise awareness of cybersecurity threats to space assets and how we can safeguard the important services they provide.