"There is a convergence of the space and cyber domains," said Sam Visner, who chairs the Space Information Sharing and Analysis Center, summing up what industry and government officials describe as a fast-moving change in the threat picture for satellites and other space systems.
Sam Visner on eroding norms and early cyber conflicts
Visner told ISMG that space had historically relied on norms and legal agreements that discouraged physical attacks on satellites, but those norms are fraying as space systems become tightly coupled with cyberspace. He pointed to routine GPS jamming and spoofing and cited a high-profile example: "the first act of war in the Russians' full-scale invasion of Ukraine in 2022 had been a cyberattack on a U.S. commercial satellite system, Viasat." That history, he said, illustrates why cyberattacks on space systems are growing even while physical attacks remain constrained by older norms.
The onboard detection gap — Ernest Wong and DHS S&T's response
Ernest Wong, technical lead for space systems at the Department of Homeland Security's Science and Technology Division (S&T), describes an "onboard detection gap." Operators largely depend on telemetry beamed to ground stations to spot compromises, but telemetry and traditional indicators of compromise (IOCs) are often insufficient in orbit. Satellites run many different operating systems, flight software stacks and bus architectures, Wong told ISMG, so single-signature IOCs are hard to define and visibility into compromises can be limited.
To address that, DHS S&T and the federally funded Aerospace Corporation are developing indicators of behavior (IOBs) — malware-agnostic checks for anomalous behavior that could reveal novel or previously unseen attacks. The partners built SpaceCOP, a software package to detect and sometimes repel hostile activity onboard; Brandon Bailey, principal engineer for space cybersecurity at the Aerospace Corp., said ten commercial partners are testing SpaceCOP and that the plan is to open source it later this year. Wong added that automated response tools are the logical next step, given the scale and intermittency of low Earth orbit (LEO) constellations.
Deloitte's Silent Shield: an on-orbit intrusion detector
Deloitte has one of the few cyber tools already in orbit. The firm launched Deloitte-1 from Vandenberg Space Force base last year — the first of a planned nine-satellite constellation — carrying an operational RF payload and a prototype on-orbit intrusion detection system named Silent Shield. The cubesat weighs 22 pounds and is roughly the size of a microwave oven.
Ryan Roberts, a Deloitte principal, explained that Silent Shield is intentionally out-of-band and placed behind a one-way diode so it can monitor satellite outputs without feeding anything back into the primary operating or payload software. Deloitte's operators have run a series of 40 progressively sophisticated cyberattacks against the satellite; Roberts said Silent Shield detected all of them. Deloitte has since launched Deloitte-2 and -3 and plans to demonstrate that Silent Shield can be uploaded to existing satellites via software updates — a key test for protecting legacy birds already on orbit. The constellation currently flies "in a cluster or a ball," and Deloitte is also testing inter-satellite communications and lateral movement scenarios “because that is the sort of TTP that might be leveraged” by advanced adversaries.
Proof Labs, BigBear.ai and Redwire: AI, synthetic telemetry, and ground-based anomaly detection
Other efforts are taking a machine-learning approach. U.S. Space Force contractor Proof Labs is developing the Cyber Resilience On-Orbit program, an AI-powered system that detects anomalous satellite or payload behavior from the ground. Dick Wilkinson, cofounder and chief technology officer of Proof Labs, said the AI is trained on high-fidelity synthetic satellite telemetry assembled by BigBear.ai using a digital model built by Redwire Space Systems. Proof Labs plans to make the tool available to military and civilian customers this year.
Alongside detection tools, Space-ISAC is leading a working group of the OASIS Cyber Threat Intelligence Technical Committee that manages the STIX standard, to create a space-industry–adapted, machine-readable threat-intelligence format. That work is intended to help automate sharing of threat information between operators and defenders.
What this means for commercial satellite operators, DHS S&T and Aerospace, and U.S. Space Force contractors
- Commercial satellite operators: face pressure to add onboard detection or accept limited visibility if they rely solely on ground telemetry; some vendors are demonstrating the ability to retrofit legacy satellites via software uploads.
- DHS S&T and the Aerospace Corporation: are promoting indicators of behavior and SpaceCOP as an open-source path to broad adoption and to enable autonomous response capabilities suited to LEO mega-constellations.
- U.S. Space Force contractors and defense customers: are being offered both on-orbit and ground-based AI detection tools — exemplified by Proof Labs' program — intended to serve military and civilian customers this year.
The picture that emerges from these projects is a pragmatic race: build detection that fits the physical limits of spacecraft, invent behavior-based signals where signature catalogs do not exist, and test methods to respond automatically because thousands of LEO satellites will not be manageable from the ground alone. The coming months will test whether open-sourced tools such as SpaceCOP, one-way, out-of-band monitors like Silent Shield, and AI trained on synthetic telemetry can be integrated without undermining the deterministic, mission-critical software that operators are reluctant to change.




