A small satellite named Deloitte-1 is hunting for hackers in orbit.
Launched in March, it’s the first of nine spacecraft the consulting firm Deloitte expects to be operating over the next 18 months to demonstrate a technology to detect cyber intrusions targeted at satellites in space.
The company is building these satellites to prove that defending space networks from cyberattack requires putting defenses in orbit and not just on the ground.
“Deloitte doesn’t just do taxes and audits,” Bradley Pyburn, a retired U.S. Air Force major general who served as chief of staff of the United States Cyber Command, said at the recent Air Space & Cyber Conference.
Now a managing director at Deloitte’s government and public services sector, Pyburn works with client firms that operate spacecraft or depend on satellite data.
“We’re learning with our partners what it means to put a constellation in orbit, make it resilient and make it survivable,” he said.
Deloitte’s move comes amid a broader rethink of how to protect space infrastructure from cyber threats. For years, experts have warned of the risks but, as the space economy expands and dependence on satellite data deepens, a wave of new technologies is emerging to keep those systems secure. The question now is whether those protections can evolve fast enough to stay ahead of the hackers.
The numbers don’t lie
For satellite operators, the threat landscape has evolved. The Space Information Sharing and Analysis Center reported a 118% surge in space-related cyber incidents so far in 2025 compared to 2024, with roughly 117 publicly reported incidents from January through August 2025. The Space ISAC said these numbers represent only what gets reported publicly, suggesting the actual attack volume is higher.
The asymmetry of the problem is concerning, Pyburn said. “When you think about space capabilities, ground segments, uplinks, downlinks, space architectures, cross links, all these different things that you have to think about, defenders have to be perfect everywhere,” he said. “But the offensive team only has to get it right once.”
That calculus is what drove Deloitte to invest in the Silent Shield cyber defense system, an on-orbit testbed to monitor and protect against cyber threats to space assets.
This approach to space cyber defense mirrors military doctrine, said Pyburn. “You’ve got to be able to respond and act in the presence of adversaries in the domain of warfare you’re going to operate in.”
Compliance not enough
Military and intelligence agencies treat space as a contested environment where adversaries ranging from nation states to criminal groups actively seek to undermine military and intelligence capabilities, disrupt operations, steal sensitive data and threaten critical infrastructure.
“I often call cyber the soft underbelly of our space enterprise, given the novel attack surface that we create with these global networks that extend out to geosynchronous orbit,” the head of U.S. Space Command Gen. Stephen Whiting said.
Similarly, Christopher Scolese, director of the National Reconnaissance Office, which is in charge of U.S. spy satellites, said cyber is his “number one concern.”
The Defense Department requires military programs and contractors to comply with what it calls a Cybersecurity Risk Management Construct (CRMC), a framework for managing cybersecurity risks in a consistent and automated way. The Pentagon recently rolled out the CRMC as a replacement for the older Risk Management Framework (RMF).
But these policies only go so far in preventing attacks, industry executives argue.
“You can build a perfectly RMF-approved, CRMC-approved, defensible system, and then the adversary gets a vote,” Pyburn said. “You’ve got to build in that ability to fight through whatever is happening.”
Timothy Zentz, vice president of cyber offense and defense at Nightwing, offered a similar view.
Requirements like CRMC are “a necessary thing that the government should do and implement, but our belief is that it’s incomplete. It’s a good first step.”
Zentz’s company, Nightwing, is a defense and intelligence contractor focused on cybersecurity. The company was previously part of Raytheon’s cybersecurity and intelligence business unit and was acquired last year by a private equity firm and spun off as an independent company.
Many defense systems will pass the compliance checks, but the reality is that there are “well funded, capable adversaries looking at that system and identifying vulnerabilities in it,” Zentz told <em>SpaceNews. “Even for the RMF certified systems, we are focused on working with our customers to look for those unknown vulnerabilities, so that they can be remediated before that system sees a cyber-contested environment.”
The bottom line is that the world — and all of the space infrastructure that supports global activities — is changing, Zentz said. “Space is becoming a more active domain. There’s more and more assets in space used for our day-to-day services,” he added. The more ground stations, the more space assets are in orbit, “the bigger that attack surface is for adversaries to exploit.”
Based on his experience at Nightwing and previously at Raytheon, Zentz said he expects that “the threats are probably advancing more rapidly than the solutions.”
Cyber and space warfare
One illustration of how closely connected the cyber and space domains are is the Salt Typhoon campaign that began a few years ago as a cyber operation targeting telecommunications companies, but expanded in scope to include an attack on a satellite communications provider.
This campaign, attributed to a Chinese state-sponsored hacking group, initially breached U.S. telecom providers such as Verizon, AT&T, T-Mobile and others, compromising core network components. By mid-2025, the campaign extended to the satellite communications sector. Viasat was one of the telecommunications providers targeted but the unauthorized access did not affect the company’s services and company officials said customer data was not breached.
But the incident showed the campaign’s reach and sophistication in going after critical communication infrastructure beyond traditional telecom networks.
A cyberattack against Viasat’s ground network during Russia’s invasion of Ukraine in 2022 has become something of a teaching moment in the space community. That event demonstrated how adversaries can achieve strategic objectives without directly targeting satellites, said Ron Bushar, managing director and chief information security officer at Google Public Sector.
Russian actors targeted the ground-based satellite infrastructure — the KA-SAT terrestrial network, specifically modems used by thousands of customers.
“We were on the front lines in cyber during the invasion of Ukraine, and the first indicators of the operation were outages for commercial satellite systems,” Bushar said at the Air Space & Cyber Conference. Further investigations revealed that the Russians had been planning to target the modem systems for about six to eight months prior to the invasion. “It was more of a tactical exercise on their part, in preparation for combat operations,” he said.
The Russians could have taken a much more sophisticated approach and attempted a “cutting edge sort of attack in space, but it wasn’t necessary,” Bushar said. “They were able to target very specifically just the modems and just the downlinks in the country, nowhere else. It was very precise, and it was effective.”
Ransomware nightmare
Companies also increasingly worry about ransomware attacks against a satellite network that would focus on compromising either ground systems or the satellite’s command-and-control software, locking those functions until ransom is paid.
“Imagine a ransomware attack against a large constellation of satellites, what that could mean, and how lucrative that could be for a criminal,” said Ryan Roberts, a principal at Deloitte who runs the Silent Shield program.
“We should require that each new satellite that goes up into orbit have a basic level of cyber protection on it,” he told SpaceNews.
He said the deployment of Silent Shield is yielding significant data and lessons that Deloitte is leveraging as it continues to build more satellites with internal investment funding in a partnership with satellite manufacturer Spire Global.
Roberts explained that Silent Shield is an out-of-band cyber intrusion detection system, which ensures that the payload doesn’t create more risks to the mission. Out of band means that if the Silent Shield payload were infiltrated by a virus or other cyber weapon, it wouldn’t be able to use that foothold to attack the satellite itself. Deloitte-1 has several operational missions aboard.
“It is a one way connection, so it only ingests traffic coming off of the satellite. It cannot insert any traffic into the satellite,” Roberts said.
That was by design, he added, “because we didn’t want to do the adversary’s job for them and introduce additional cyber risk into the satellite.”
Roberts said Deloitte started thinking about the cyber challenges in space years ago as more clients sought help protecting their systems.
At the beginning “we were engineering and implementing sort of bespoke cyber capabilities for ground segments,” he said. “About five years into that journey, it occurred to us that while we were getting after the ground segment and we were helping to lower cyber risk there, that we were continuing to launch satellites into orbit.”
While satellites are certainly engineering marvels, he noted, “they are essentially computers with solar panels on them, and yet they lack even the most basic cyber protections.”
Many threat profiles
To test the cyber defense that is now operating on Deloitte-1, the company designed 20 different threat profiles based on the so-called SPARTA framework created by The Aerospace Corporation, Roberts said. “We’re actually launching those cyber attacks against our own Deloitte-1 vehicle to see if Silent Shield can actually detect them.”
SPARTA, short for Space Attack Research and Tactic Analysis, is a tool that provides unclassified information to space professionals about how spacecraft may be compromised via cyber means.
So far, he said, Silent Shield has passed the first seven of the 20 tests. “We’re starting from the least complex to the most complex in terms of cyber attack,” he said.
Because so many systems today lack cyber protections, they are vulnerable to even the least complex hacks, such as ARP spoofing or so-called “man in the middle” type attacks, said Roberts.
ARP spoofing is a technique where an attacker pretends to be a friendly communicator sending commands to a satellite. “The satellite doesn’t know the difference. It trusts all the traffic on that bus as being friendly traffic,” he said. “And that is a relatively basic cyber attack that we see on terrestrial systems all the time.”
Two paths forward
Deloitte is also developing a software-based Silent Shield known as a massless payload. Roberts said a software-only payload might be the best option for legacy satellites that can’t be modified with new hardware. “How do we get some modicum of cyber protections to those legacy satellites in orbit today,” he added. “We think the massless version, a software package that we could upload, is the solution to that problem.”
The challenge of protecting legacy spacecraft has emerged as a critical concern across the industry. While older satellites can sometimes be retrofitted with encryption, the process is technically complex and highly dependent on the hardware and software capabilities of the original satellite design. In many cases, newer cryptographic solutions and software-reprogrammable end cryptographic units can provide ground-to-space encryption for the telemetry and commanding links.
The industry is responding with multiple approaches. Viasat in September announced it is developing a new space-based encryption solution to support data security for U.S. Space Force satellites. The company was contracted to build a next-generation cryptography solution to secure sensitive data from space-to-ground. The effort represents a complementary strategy to systems focused on intrusion detection.
But because there isn’t a lot of available power on legacy satellites, a cyber defense software application could be designed, for example, to only operate once a day for a short time. “That’s not optimal,” Roberts said, but for a legacy satellite it would provide more protection than it currently has.
The next eight Deloitte satellites will be launched in clusters of two, three and three over the next 18 months. The first five will have the massless version of Silent Shield. The last three will have the hardware payload and will operate as a network with inter-satellite links to demonstrate what happens if a cyber attack hits one satellite and then laterally moves into the other ones.
Commercial-government convergence
While historically concerns about cybersecurity have focused on government and military space systems, most of the satellites projected to fly to orbit in the foreseeable future will be owned and operated by private companies.
Roberts referenced a recent “State of the Space Industrial Base” report published by U.S. defense agencies that points out that largest investors in the new space economy are “Fortune 500 companies who understand how to turn new space capabilities into products, software and services that give them a strategic advantage in the global marketplace.”
With so many constellations now in orbit, that “increasingly makes them a juicier target for our cyber adversaries that are not just nation states, but cyber criminals who may want to leverage space for their own return on investment,” he said.
These concerns can’t be isolated on the commercial side or the government side of the space ecosystem, Roberts said. “There is a lot of overlap there,” which he said is a positive development as the government leverages more commercial innovation. “But from a cyber perspective, it’s not as easy to say that’s a government cyber risk, or that’s a commercial cyber risk. I think we have to start to bundle them together.”
Deloitte is marketing Silent Shield to commercial firms and also to the U.S. Space Force as a training tool that service members could use to prepare for real-world cyberwarfare.
AI-enabled future
There is likely to be much more AI-driven automation in cybersecurity going forward, Roberts said.
Although computers can autonomously detect threats and alert an operator on the ground, humans then have to do something about it. In the future it might be possible to detect an anomaly on the satellite, and have AI turn off a port, shut off a payload, put the vehicle in safe mode or take other actions that the system was pre-approved to conduct.
“AI is sort of purpose built for those sorts of things,” he said. “Today we are taking the traffic off of Deloitte-1 and we are using the data to train AI models on the ground,” he said. However, the computing required to do AI at the edge is “very hungry, and uses a lot of energy,” he said. When more computing power is available on satellites, “it will help us get to a point where we can put those AI models at the edge.”
Roberts predicts the technology will evolve to where the AI can understand what is normal about the satellite better than a human could.
This article first appeared in the November 2025 issue of SpaceNews Magazine with the title “Protecting satellites from cyberattacks before hackers get there first.”