Satellite-as-a-Service (SataaS) provides users with access to satellite capabilities without requiring ownership or direct operation of space assets. This paradigm enables the deployment and execution of applications in orbit without the need for custom hardware or dedicated missions, significantly lowering the entry barrier to space. In addition, SataaS supports rapid in-orbit experimentation, even for applications at early development stages. A notable example is the European Space Agency’s OPS-SAT1 mission, which demonstrated the feasibility of executing untrusted or low Technology Readiness Level (TRL) software on an operational satellite. This was enabled through a secure secondary on-board computer (OBC) capable of assuming spacecraft control in the event of unsafe behavior.
At the German Aerospace Center (DLR), we are developing the Stellar Apps platform, a secure execution environment for third-party on-board applications designed to facilitate access to space for low-TRL and AI-driven applications while ensuring host satellite safety and integrity. By offering a standardized execution framework, Stellar Apps enables in-orbit validation of novel software, addressing key challenges in modern small satellite ecosystems.
Despite these advantages, rapid prototyping introduces significant safety and security challenges. Experimental applications may contain latent defects, security vulnerabilities, or even malicious code. Consequently, cybersecurity becomes a critical concern for SataaS, complementing the inherent safety requirements of satellite operations. While certain strategies can be adapted from cloud computing, the unique constraints of space systems—including limited uplink bandwidth, restricted computational resources, and strict power budgets—require substantial modification of existing solutions.
Motivated by a comprehensive threat analysis, this paper presents a multi-layered security architecture implemented within the Stellar Apps platform. The approach spans four complementary levels: (i) pre-deployment security through offline vulnerability analysis, (ii) application-level isolation using containerization technologies, (iii) node-level protection via access control and continuous application monitoring, and (iv) system-level supervision through node health and behavior monitoring.
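To make levels (iii) and (iv) concrete, the following added example (not code from the paper or the Stellar Apps platform) sketches a node-level monitor that compares an application's telemetry against its declared resource budget and a system-level supervisor that decides when the trusted host computer should take over, as in the OPS-SAT concept above. The budget fields, thresholds and telemetry samples are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Budget:
    """Resource budget declared for one on-board app (assumed fields)."""
    cpu_pct: float   # max CPU share
    mem_mb: float    # max resident memory
    power_w: float   # max power draw attributed to the app

@dataclass(frozen=True)
class Sample:
    """One telemetry sample for the app's container (constructed)."""
    cpu_pct: float
    mem_mb: float
    power_w: float

HARD_FACTOR = 1.5   # one sample at >= 150 % of budget is a hard violation (assumed)
SOFT_STREAK = 3     # three consecutive samples above budget trigger throttling (assumed)

class AppMonitor:
    """Level (iii): node-level monitoring of a single application against its budget."""
    def __init__(self, budget: Budget):
        self.budget = budget
        self.streak = 0           # consecutive soft over-budget samples
        self.hard_violations = 0  # lifetime count of hard violations

    def check(self, s: Sample) -> str:
        worst = max(s.cpu_pct / self.budget.cpu_pct,
                    s.mem_mb / self.budget.mem_mb,
                    s.power_w / self.budget.power_w)
        if worst >= HARD_FACTOR:
            self.hard_violations += 1
            self.streak = 0
            return "terminate"   # stop the container immediately
        if worst > 1.0:
            self.streak += 1
            return "throttle" if self.streak >= SOFT_STREAK else "warn"
        self.streak = 0
        return "ok"

def supervise(node_verdicts: list, node_health_ok: bool) -> str:
    """Level (iv): system-level decision from the node's per-app verdicts and health flag."""
    if not node_health_ok or node_verdicts.count("terminate") >= 2:
        return "safe_mode"   # trusted host computer assumes control, node is isolated
    if "terminate" in node_verdicts or "throttle" in node_verdicts:
        return "degraded"
    return "nominal"

def run_demo() -> list:
    """Constructed trace: creeping CPU overuse, then a power spike."""
    mon = AppMonitor(Budget(cpu_pct=40, mem_mb=256, power_w=3.0))
    samples = [Sample(30, 200, 2.5), Sample(45, 210, 2.6), Sample(48, 220, 2.7),
               Sample(50, 230, 2.8), Sample(35, 240, 5.0)]
    return [mon.check(s) for s in samples]
```

Running `run_demo()` yields the verdict sequence ok, warn, warn, throttle, terminate; feeding such verdicts to `supervise` shows how repeated hard violations or a failed node health check escalate to a host takeover.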