CYBERSECURITY MAKERSPACE: Developing a Reusable Threat Assessment Framework for Next-Generation Satellites

Satellites power emergency communications, climate monitoring, agricultural predictions, and disaster response. They are also increasingly targeted by cybersecurity threats.

On February 24, 2022, Russia launched a cyberattack against Viasat's KA-SAT satellite network as forces prepared to invade Ukraine. [1] The operation resulted in an immediate and significant loss of communication in the earliest days of the war for the Ukrainian military, which relied on Viasat's services for command and control. This incident demonstrated a critical vulnerability in the space industry's security posture.

Many satellite operators still assume that securing ground stations is sufficient to protect satellites themselves. That assumption no longer holds. 

This is the behind the scenes process of how DISC is systematizing a comprehensive satellite threat assessment to be used by OHB SE, a leading European satellite manufacturer as part of ESA's Cybersecurity Makerspace program.

Why Threat Assessment Matters Now (Operationally, Not Theoretically)

To put into context what DISC is building, here is one example of why cybersecurity threat assessments matter to satellite operators.

Satellites track many things for us on Earth including climate change. According to the Global Climate Observing System, there are 55 essential climate variables (ECVs), of which about 60 per cent can be addressed by satellite data. [2] These variables are key indicators of the Earth's changing climate which can only be tracked via satellites.

Other examples of data we track from Earth observation satellites are: crop health, disaster zones, and early warning signs for humanitarian crises. When these systems are attacked or compromised, recovery involves extensive analysis and re-validation of data integrity.

The stakes are operational and mission-critical.

How do satellite operators and their clients ensure their data is valid? Currently, when satellite operators receive a new spacecraft, they conduct security assessments based on vendor claims and industry checklists. But existing checklists often miss attack scenarios that vendors have not formally anticipated. Operators frequently cannot see inside the satellite's design to understand what data flows might be vulnerable.

A Principles-Based Approach That Scales Across All Satellites

Every satellite is different. A small commercial earth-observation satellite has a completely different architecture than a military surveillance satellite or a large telecommunications platform. Payloads differ. Command frequencies differ. Ground station protocols differ. Risk tolerance differs.

This architectural diversity is why one-size-fits-all security checklists fail. They cannot address the specific vulnerabilities in your satellite.

DISC's approach is built on a universal principle: all satellites are fundamentally systems with controlled information flows.

• Every satellite receives data from somewhere: ground commands, GPS/GNSS timing signals, inter-satellite laser links, sensor data.

• Every satellite transmits data somewhere: telemetry to ground stations, payload data, timing signals to other satellites.

• The critical security question is simple: which of these information flows could be corrupted or manipulated by an attacker, and what are the operational consequences?

Whether assessing a small CubeSat or a custom military platform, the methodology remains consistent:

1. Map the information flows. What data enters and exits the satellite? Where does it originate?

2. Identify potential attack vectors. For each information flow, what would be the impact if an attacker manipulated or corrupted that data?

3. Cross-reference against industry standards. How do established threat frameworks (SPARTA, Space Shield) categorize these vectors?

4. Identify gaps. What scenarios exist in your satellite that the standards do not systematically address?

5. Prioritize by operational impact. Which gaps would cause the most severe operational damage if exploited?

   
   

The result is a framework that is scalable (the methodology applies to all satellites) and customizable (the findings are specific to each satellite's mission and architecture).

DISC's approach includes proprietary elements. The way the assessment questions are structured, how risks are prioritized, and how gaps are uncovered represents DISC's competitive expertise developed through years of threat modeling work in defense and telecommunications. Those details stay confidential. But the underlying principle is sound and defensible: systematic

Bridging Industry Standards: SPARTA and Space Shield Assessment of Information Flow v

Every system has a perspective on how to approach a problem. Two major threat assessment frameworks guide the space industry today:

• SPARTA is a U.S. framework, developed by Aerospace Corporation. [3] It emphasizes scenarios where attackers compromise ground stations and infrastructure, potentially leading to near-total satellite loss of functionality.

• Space Shield is a European framework, developed by the European Space Agency. [4] It emphasizes data integrity corruption and operational degradation scenarios, with particular focus on in-space threats.

  
  

Neither framework is incomplete. They reflect different operational risk philosophies. But satellite operators cannot easily satisfy both frameworks simultaneously, and neither framework addresses every threat vector specific to individual satellite designs.

DISC's threat assessment framework uses both SPARTA and Space Shield as reference points. We identify threats that appear in both frameworks (universally critical), threats that appear in one framework but not the other (operationally important for specific contexts), and threats that do not appear in either framework but are specific to the customer's satellite architecture and mission.

This approach ensures that DISC's threat assessments are grounded in recognized standards while identifying satellite-specific vulnerabilities that broader frameworks miss.lnerabilities is how you understand satellite security before launch.

Our threat assessment framework addresses this directly: at the design stage, we identify the security gaps that attackers will likely target. This is not about compliance checkboxes. It is about operational resilience.

Three Satellites, One Evolving Methodology

DISC is testing its threat assessment methodology across satellites from different architectural classes:

• Satellite One: A satellite architecture implemented in a Magellan development lab, assessed as part of our earlier Department of Defence innovation work (eClypse development). This completed assessment provided the foundation for understanding threat modeling in space environments.

• Satellite Two: A 6U commercial earth-observation CubeSat representing an off-the-shelf non-customized satellite, freely available on the open market. This platform represents the low- end of the satellite complexity spectrum.

• Satellite Three: An OHB SE custom satellite (to be selected). This platform represents the high end: bespoke design and intensive engineering, suitable for dual-use scenarios. By assessing satellites at both ends of the complexity range, DISC validates that its principles-based methodology actually scales. If the approach works for both a minimalist CubeSat and a sophisticated military platform, it should work across the entire spectrum.

DISC is anticipating to find new threat categories in each assessment. The framework evolves as our team learns. But the core methodology stays constant: understanding information flows and assessing corruption scenarios. That consistency is what makes the framework scalable.

From Proof of Concept to Operational Tool

DISC is currently completing Phase 1: systematic threat assessment of a commercial satellite, combined with preliminary architectural review of the OHB platform.

In the second half of 2026, DISC will report findings from the commercial satellite assessment. Those findings will show the specific threat categories identified, the operational consequences prioritized, and the customizations made to the framework based on that satellite's unique architecture.

From there, the framework evolves. Each new satellite brings new architectural questions. Each new operator brings different risk tolerances and mission profiles. The framework stays principles-based (which keeps it scalable) but accumulates context and applicability across diverse satellite types.

Eventually, it becomes an operational tool that satellite operators can use confidently before launch.

Why This Matters for Your Satellite Program

If you operate satellites or evaluate security frameworks for spacecraft, understanding your threat landscape before launch is critical. Our threat assessment framework provides a systematic, standards-informed, and operationally focused approach to identifying security gaps specific to your satellite architecture.

For organizations planning satellite launches and evaluating security vendors, early-stage threat assessment can prevent costly design revisions or operational surprises after deployment.

DISC is currently accepting new partnerships for threat assessment work. If you are evaluating approaches to satellite cybersecurity, contact DISC to discuss how systematic threat assessment can strengthen your program.

REFERENCES

REFERENCE #1: [1] Viasat, "KA-SAT Network cyber attack overview." February 2022. https://www.viasat.com/perspectives/corporate/2022/ka-sat-network-cyber-attack-overview/

REFERENCE #2: [2] European Space Agency, "What is an Essential Climate Variable?" https://climate.esa.int/en/about-us-new/climate-change-initiative/what-are-ecvs/

REFERENCE #3: [3] Aerospace Corporation, SPARTA Documentation, https://aerospace.org/article/leveraging-sparta-matrix

REFERENCE #4: [4] European Space Agency, Space Shield, https://spaceshield.esa.int/