My recent family trip to Rome was great; getting away from the office for a week, exploring the city, walking through historical sites, enjoying the food, and just being present with my family was exactly what I needed.
One day, while walking through a cool little alley, we stumbled across a pasta-and tiramisu-making class. It looked fun, and as the saying goes, “when in Rome, do as the Romans do.” For a few hours, I replaced malware, cybersecurity, and critical infrastructure with flour, eggs, water, timing, pressure, and patience.
The more I settled into the class, the more I realized that even making pasta is a system. It looks simple from the outside, but if you care about the result, small details matter. Too much water changes the dough. Too much pressure changes the texture. Rush the process, and the result won’t be quite right.
This is true in food, in business, and in cybersecurity.
At the end of the class, something completely unexpected happened; I met Jeff Goldblum.
He was warm, funny, elegant, and very human. Like most people who meet him, I thought about his iconic film roles, the jazz piano, and his unique ability to be famous yet still approachable. That was before my cybersecurity brain took over.
I kept thinking about a scene from the 1996 film Independence Day, where his character David Levinson infects the alien mothership with malware.
This made me think, “Is malware spreading in space even possible?”
Of course it is.
It’s not exactly the Hollywood version, but the core idea is plausible. Any system that runs software, receives data, accepts commands, or trusts outside input can be attacked. The mothership had no threat model for trusting human systems, which maps directly onto space infrastructure today.
The Space Boom
Timing matters here. Space feels like it is entering a new boom cycle, moving beyond rockets, NASA, and SpaceX going public.
The broader story is global. Amazon Kuiper is entering the satellite broadband race. Europe is building IRIS² as a secure and sovereign connectivity constellation for government communications, crisis response, critical infrastructure, and encrypted services. China is moving aggressively with large constellation programs such as Thousand Sails and Guowang. India is expanding its space and defense satellite ambitions. Japan is investing more in space security. Operators like Viasat, OneWeb, Planet, Maxar, Intelsat, Iridium, Eutelsat, SKY Perfect JSAT, and others are building communications, imaging, navigation, defense, and data services in orbit.
The conversation is also moving beyond satellites-as-communications infrastructure. Elon Musk has discussed putting AI data centers in orbit, arguing that Earth is power constrained while space has constant sunlight. Last year, Starcloud launched a spacecraft with an Nvidia H100 chip and demonstrated running a version of Google’s Gemini AI model from space. Additionally, Google revealed Project Suncatcher to explore satellite clusters equipped with TPUs and optical links as well as plans to launch prototype satellites in 2027.
That is a very different kind of space economy.
Space is moving from transportation to communication, from communication to data, from data to computation, and from computation to AI. Space is becoming a global digital infrastructure layer involving nation-states, commercial operators, defense agencies, and multinational supply chains.
...and every digital infrastructure layer eventually becomes a cyber target.
Cybersecurity... in Space
Is cybersecurity in space a real problem? Are there any real incidents? Are they different from other incidents?
Yes, yes, and yes.
Space started as a government and defense domain. For decades, most space programs were owned or heavily controlled by governments, militaries, intelligence agencies, and national research organizations. That matters because these environments do not always disclose incidents publicly. Some failures are described as anomalies. Some incidents are classified. Some are handled quietly by agencies, contractors, or defense partners.
The public record is only a small part of the incident history.
Even with that limitation, there are already several organizations monitoring cybersecurity risks and incidents related to space, including Space ISAC, NASA OIG, and ENISA.
Space ISAC focuses on space cyberthreats and incident tracking, NASA OIG offers detailed investigations and root cause analysis for NASA and JPL incidents, and ENISA’s Space Threat Landscape is a public aggregator of space cyber risks and historical examples.
By reconciling their results with public sources, I compiled the following incidents list to shed some light on why these breaches happened and their impact:
Year | Organization | Incident | How the breach happened | Root cause | Public source URL |
1998 to 2000 | U.S. Government / NASA | Moonlight Maze | Long running cyber espionage campaign stole U.S. government, defense, and NASA related data. | Poor monitoring, weak segmentation, weak interagency visibility | https://nsarchive.gwu.edu/document/19207-national-security-archive-united-states-navy |
1999 | NASA / DTRA | Jonathan James | Stole credentials, installed backdoors, intercepted emails, accessed NASA systems. Impact grew because networks and trust zones were not well segregated. | Flat network, weak segmentation, weak credentials | https://www.nytimes.com/2000/09/22/technology/teen-hacker-sentenced.html |
2001 to 2002 | NASA / DoD | Gary McKinnon | Scanned exposed systems, used weak passwords, gained admin access, installed remote tools. | Exposed systems, weak passwords, no MFA | https://www.justice.gov/archive/criminal/cybercrime/press-releases/2002/mckinnonIndict.htm |
2007 to 2008 | Landsat 7 / Terra AM 1 | Ground station interference | Reported interference through ground station path, not direct satellite hacking. | Ground station exposure, weak command path separation | |
2007 plus | Turla | Satellite link hijacking | Abused unencrypted satellite internet links to hide command and control traffic. | Unencrypted satellite links, weak authentication | |
2009 | NASA | Mission network malware | NASA mission systems had malware infections and thousands of unauthorized connections. | Malware, weak endpoint controls, weak segmentation | |
2009 to 2012 | NASA | Lost laptops with ISS data | NASA lost laptops and portable devices, some unencrypted, including ISS related material. | Device loss, lack of encryption, sensitive data stored locally | |
2011 | NASA | 47 APT attacks | NASA reported 47 APT attacks, 13 successful, including credential theft. | Phishing, credential theft, weak MFA | |
2011 | NASA JPL | 87 GB stolen | Attackers gained full access to 18 servers, changed accounts, uploaded tools, changed logs, and stole data. | Weak segmentation, excessive privilege, poor monitoring | |
2011 | JAXA HTV | Malware infection | Employee opened a malicious email on an unpatched computer. Malware infected the machine and leaked login information. | File based attack, malicious email, unpatched Office software | https://global.jaxa.jp/press/2012/03/20120327_security_e.html |
2012 | JAXA Epsilon | Rocket data malware | Malware infected a Tsukuba Space Center computer and may have leaked Epsilon, M-V, H-IIA, and H-IIB rocket data. | File based malware, engineering workstation compromise | https://global.jaxa.jp/press/2012/11/20121130_security_e.html |
2012 | NASA / ESA | Web server breaches by The Unknowns | Hackers exploited web server weaknesses and disclosed vulnerabilities. | Web app flaws, weak patching | |
2014 | NOAA | Satellite data systems breach | Attackers exploited known vulnerabilities in internet-facing NOAA web apps, stole admin credentials, and moved across systems. | Web app vulnerabilities, unpatched systems, credential theft | |
2014 | NASA JPL | Public upload malware | Public users could upload and execute files on a server supporting JPL astronomical missions and research. | File based attack, unsafe upload, no sanitization | |
2014 | German Aerospace Center, DLR | APT compromise | Public reporting described cyber espionage and spear phishing against aerospace systems. | Email attack, credential theft, poor monitoring | https://securityaffairs.com/24031/cyber-crime/german-aerospace-center-espionage.html |
2016 | NASA JPL | Website misconfiguration | Anonymous user gained elevated privileges and executed code on a development server. | Misconfiguration, excessive privilege | |
2017 | NASA JPL | Ground operations source code server | Unknown flaw allowed remote code execution on source code systems. Logs were not reviewed fast enough. | Unpatched vulnerability, poor log review | |
2018 | NASA JPL | Deep Space Network related breach | External user account was compromised. Attackers moved laterally into mission systems due to weak segmentation and poor asset inventory. | Weak segmentation, third party access, poor inventory | |
2018 | NASA | Employee PII breach | HR server compromise exposed employee personal data. | Weak access control, sensitive data exposure | https://federalnewsnetwork.com/cybersecurity/2018/12/nasa-suffers-breach-of-employee-data/ |
2019 | ISRO | DTrack malware reports | Public reports said DTrack malware was found and possible domain controller compromise occurred. ISRO confirmation was limited. | Likely file-based malware, credential compromise | https://www.cfr.org/cyber-operations/compromise-of-indian-nuclear-power-plant |
2020 | Visser Precision, SpaceX supplier | Ransomware | Supplier was hit by ransomware and proprietary customer files were leaked. | Supplier compromise, ransomware, flat network | |
2020 | SolarWinds | Supply chain attack affecting aerospace and government | Malicious software update gave attackers trusted access into many networks, including NASA and the FAA | Trusted software supply chain compromise | https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a |
2022 | Viasat KA SAT | Satellite internet outage | Attackers exploited VPN misconfiguration, reached trusted management network, and issued commands that wiped modem flash data. | VPN compromise, weak management network segmentation | https://www.viasat.com/perspectives/corporate/2022/ka-sat-network-cyber-attack-overview/ |
2022 | Roscosmos | NB65 breach claim | Hackers claimed breach of Russian space assets. Operational impact was disputed. | Unverified | https://ui.adsabs.harvard.edu/abs/2024arXiv240210324T/abstract |
2023 | Boeing Global Services | LockBit ransomware | LockBit attacked Boeing’s parts and distribution business. Boeing said flight safety was not affected. | Ransomware, lateral movement, weak segmentation | |
2023 | Maximum Industries, SpaceX supplier | LockBit claim | LockBit claimed theft of SpaceX related engineering drawings from a supplier. Not fully verified publicly. | Supplier compromise, data theft | https://cyberir.mit.edu/site/lockbit-ransomware-claims-data-breach-spacex-contractor/ |
2023 to 2024 | JAXA | VPN and Microsoft 365 breach | Attackers likely exploited a VPN vulnerability, expanded access, compromised accounts, and accessed Microsoft 365. | VPN vulnerability, cloud identity compromise | |
2024 | Maxar Space Systems | Employee data breach | Attacker accessed an external DMZ host. Employee data was exposed; operations reportedly not impacted. | Internet facing DMZ exposure, weak isolation | |
2025 | Polish Space Agency, POLSA | Cyber incident | Unauthorized access detected. POLSA disconnected its network while investigating. | Unknown, likely network intrusion | |
2025 | Israeli VSAT and Satellite Controls | VSAT and satellite disruption and control claims | Space ISAC reported claims against Israeli satellite control segments and Israeli VSAT systems during geopolitical conflict. | Hacktivism, DDoS, disruption, ground segment targeting | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 | U.S. Satellite Communications Provider | Salt Typhoon targeting satcom provider | Space ISAC reported that Salt Typhoon targeted a U.S. satellite communications provider as part of broader telecom operations. | Edge device compromise, telecom and satcom targeting | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 | Russian Aerospace and Defense Sectors | Highly targeted spear phishing lures as part of Operation Cargo Talon | Cyber espionage campaign to compromise entities and exfiltrate sensitive data. | Spear phishing, file-based attack | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 | Iran’s Satellite Software and Infrastructure | Lab Dookhtegan maritime VSAT targeting | Threat actor reportedly targeted satellite software supporting maritime VSAT infrastructure, resulting in communications disruptions and deleted files. | Satcom software support, supplier and service exposure | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 | European Telecom, Defense, Aerospace, and Satellite Sectors | Iranian MINIBIKE malware targeting | Iranian APT UNC159 reportedly used tailored malware against European telecom, aerospace, and defense organizations. | Malware, file-based delivery likely | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 | Aerospace, Defense, and Space Organizations | Cyber espionage campaign via China-nexus APT group, RedNovember | RedNovember reportedly targets high-profile government and private sector space and aerospace organizations globally using the open-source, multi-platform Go backdoor Pantegana. | Espionage, network intrusion | https://spaceisac.org/wp-content/uploads/2025/10/Space-ISAC_Q3-2025-Public-Report_TLP-CLEAR-1-1.pdf |
2025 to 2026 | ESA | Engineering collaboration servers | External engineering collaboration servers were compromised. Public reporting claimed code, tokens, credentials, config files, and mission documents were exposed. | Credential theft, token theft, exposed collaboration systems | |
2026 | ESA | Large data leak reports | Public reports claimed hundreds of GB of ESA related data leaked, including credentials and project documents. ESA reportedly opened investigation. | Unknown / Under investigation |
Digging into Cybersecurity Patterns
When I looked across the incidents, I found the same cybersecurity failures across other critical infrastructure sectors: unsafe files, supplier compromises, weak software update processes, removable media risks, stolen credentials, and poor network segmentation.
What surprised me was how often spacecraft or satellites were not the targets. The attack path usually started on the ground. Ground stations, engineering systems, suppliers, and supporting networks were often treated differently than the mission itself, even though compromising them could yield the same outcome.
That said, while most public incidents today originate from terrestrial systems, as space programs evolve and access to orbit becomes cheaper and more common, we should not assume that cyberattacks will always originate from Earth. In the future, it is conceivable that the threat landscape will expand as nation-states or even commercial operators position spacecraft, satellites, or other orbital assets closer to a target to support cyberattacks, electronic warfare, interception, jamming, spoofing, or intelligence gathering operations.
Detection vs. Prevention
Many of the incidents also exposed the limits of relying primarily on traditional firewalls and detection-based security.
In the 2018 NASA JPL breach, attackers compromised an external account and moved laterally through poorly segmented networks. The perimeter defenses were not enough once trust had been established. In the 2022 Viasat KA-SAT attack, attackers reached a trusted management network through a compromised VPN / firewall path and issued legitimate management commands.
Again, the problem was not simply detecting malicious traffic, but the failure to use a unidirectional gateway, which would have enforced one-way data movement by design rather than policy, preventing attackers from reaching critical systems in the first place.
Several file-based incidents tell a similar story. The 2011 JAXA HTV malware incident started when someone opened a malicious email attachment on an unpatched workstation. The 2014 JPL upload malware incident allowed untrusted files to reach mission-supporting systems. Detection tools may identify malicious content after the fact, but once a file is opened or executed, the damage may already be done.
The lesson: we should treat space systems as critical infrastructure and the cyber infrastructure that supports them as mission-critical infrastructure. Many of these incidents were not failures of detection, but failures of prevention. Once attackers reached trusted networks, engineering environments, management systems, or mission systems, firewalls and alerts were often too late.
Cybersecurity Strategies for Space
Once we identify the risk and the root causes behind the reported incidents, what do we do about it?
Cybersecurity for space has many of the same root causes as traditional cybersecurity, but it adds two dimensions that change everything—time and environment.
On Earth, if something goes wrong, we assume we can connect, inspect, patch, restore, or send someone onsite. In space, many of those assumptions break down. Communication is slower, more expensive, more limited, and gets harder the farther you move from Earth.
The Moon is close enough that signals take a little over one second each way, but even that creates a round-trip delay of more than two seconds. Mars can be anywhere from about 4 to 24 minutes one way, depending on where Earth and Mars are in their orbits. For deep space missions, the problem becomes even worse. Voyager is so far away that communication can take almost an entire day one way.
That changes the cybersecurity model.
Modern security tools increasingly depend on constant interaction with the cloud: reputation lookups, hash checks, signature updates, AI model updates (a growing dependency as AI-enabled systems move into orbit), sandbox submissions, telemetry uploads, and centralized verdicts. On Earth, this works because connectivity is fast and reliable. In space, it becomes dangerous to assume the same model will work.
On the Moon, some of this is still technically possible, but it is not something you should depend on. Every cloud lookup adds delay. Every sandbox submission must travel to Earth and back. Every remote desktop session becomes slower. Every large forensic upload competes with mission bandwidth. If the Earth link is congested, degraded, jammed, or unavailable, cloud-based security becomes unreliable.
If this is already difficult on the Moon, it becomes dramatically harder on Mars, and impossible to do in real time in deep space.
The same is true for patching. If you run a space mission for many years, you cannot assume you can patch your infrastructure like you can a laptop, a server, or a cloud workload. A spacecraft may be operating with old hardware, limited memory, radiation-hardened processors, constrained bandwidth, limited power, and a very small communication window.
If the update is wrong, if the command is malformed, or if the software behaves differently in flight than it did in simulation, recovery may be difficult or worse; it becomes impossible.
Voyager is a perfect example. NASA launched Voyager 1 and Voyager 2 in 1977, and the team is still maintaining them nearly five decades later. Updating or correcting software on a spacecraft that old and that far away takes incredible engineering. But it also proves the point that patching a spacecraft is slow, risky, and nothing like patching systems on Earth.
Galileo is another useful example. After it launched, Galileo’s high-gain antenna failed to fully deploy, which meant the spacecraft could not use its planned high-speed communication link. NASA and JPL still recovered major scientific findings through compression, software changes, and careful mission planning. That proved a key point: in space, communication limitations define missions.
The cybersecurity question is simple; what do you do when you cannot rely on fast communication, constant visibility, cloud-based response, or sending someone onsite? I suggest three strategies.
1. Move space cybersecurity from detection first to prevention first
Detection is still useful, especially on ground systems, terminals, and enterprise environments around the mission, but it assumes you can see the attack, and then quickly analyze, respond, and recover. In space, that assumption is weak because visibility may be limited, communication may be delayed, compute may be constrained, and recovery may be slow or impossible. By the time you detect the problem, the mission could already be in jeopardy.
That is why the strategy must be preventionbefore trust.
Every file, software update, AI model, payload package, command package, and removable media device should be treated as untrusted until it is inspected, validated, sanitized, and approved. Use multiscanning, sandboxing, content disarm and reconstruction (CDR), schema validation, signed updates, allowlists, command validation, and audit trails before anything reaches the mission environment.
2. Implement segmentation by design
Don’t treat mission control like normal enterprise IT nor let engineering systems freely touch operational systems. Ensure supplier access is narrow, temporary, logged, and isolated, and aggressively separate ground stations, command paths, software update systems, test environments, and collaboration tools.
Not a single compromised laptop, stolen credential, infected file, bad update, or supplier breach should be able to move into mission operations.
Firewalls are important, but in the most sensitive mission paths, I would not trust a firewall alone. Firewalls are software controlled, meaning they can be misconfigured, bypassed, or compromised. A data diode or unidirectional gateway is the better model because it enforces one-way data movement by design, not just by policy.
3. Move critical security decisions closer to the mission
Long missions need local validation, onboard integrity checks, safe mode behavior, rollback planning where possible, and security processing closer to the spacecraft. That also means investing in ruggedized, radiation-tolerant hardware capable of enforcing security controls locally. As we move security decisions away from Earth and closer to the mission, we cannot assume that traditional cloud services, enterprise appliances, or software agents will always be available, practical, or compatible with the operating environment.
The cloud can support planning, analysis, and coordination from Earth, but it should not be the real-time control loop for deciding whether something is safe.
The farther we move from Earth, the more cybersecurity must shift from detecting and responding to preventing, isolating, and hosting locally.
Sending Cybersecurity Towards a New Frontier
Launching a MetaDefender Kiosk Mini was our first space mission, not a marketing stunt. To me, the Kiosk Mini mission represents what I believe is the foundation of cybersecurity in space: independent computation, prevention before trust, deterministic file security, and hardware that can keep working in harsh environments.
First, it is an independent system. Although we sent it to an extreme altitude, it was not cloud-connected during the mission. It used local computation and operated in an air-gapped model. We plan to include a unidirectional data gateway or data diode in a future mission.
Second, the Kiosk used Deep CDR™ Technology technology to process thousands of malware samples from a USB drive during the mission in a controlled and isolated test environment. Deep CDR™ Technology is deterministic, meaning it does not need to guess whether a file is malicious. It assumes the file may be malicious, removes risky active content, and regenerates a clean version. If you lock the process down properly, it does not require frequent signature updates to prevent many unknown file-based threats, because the Kiosk rebuilds the file before trusting it.
Lastly, we tested the hardware in a harsh environment. The Kiosk Mini had to deal with extreme temperature, low pressure, violent motion, the balloon bursting, high G forces during descent, spinning, falling, and even landing in a river. It kept working for a while after all that. This matters because space cybersecurity is a software and hardware problem.
The Real Lesson
Space cybersecurity cannot be built around the idea that someone on Earth will always be available to fix the problem. It must be local, deterministic, segmented, and prevention-first. The farther the mission gets from Earth, the more important it becomes to reduce what the mission has to trust.
Trust fewer systems. Verify more. Bring the security processing into the spacecraft. Segment aggressively. Inspect before entry. Sanitize before use. Use one-way data movement where needed. Build security into the mission before launch because the farther you get from Earth, the harder it is for Earth to save you.
As of today, CISA defines 16 sectors as critical infrastructure:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
I believe space should be the 17th sector.
I was not expecting to be thinking about pasta when one of our cybersecurity devices landed in a river after traveling to the edge of space, but I have my family and Jeff Goldblum to thank for the inspiration. I was also reminded that whether it is pasta dough, cybersecurity, or deep space, small details matter.
I have always loved space. Like many kids, I once dreamed about becoming an astronaut. Instead, I built a cybersecurity company and privately fly airplanes, but sending a cybersecurity product toward space felt like a strange, meaningful way to reconnect with my childhood dream.
More than the altitude, technology, and cool video, cybersecurity has to work in environments where humans cannot easily reach, repair, or reset. In space, there is no simple onsite support, quick replacement, or easy second chance. The system must have full trust before it leaves the ground.
