Cyber Security in the Space Sector - growing capability and threat
The roadshow’s over. The threats aren’t.
The UK space sector has a cyber security problem. Not a theoretical one. Not a future one. A structural vulnerability that’s growing faster than the sector’s willingness to address it.
In most engineering disciplines, you wouldn’t sign off a component without knowing its material properties. You test it. You trace its provenance through the supply chain. You design for the conditions it will face - not the conditions you hope for. That discipline is non-negotiable.
Yet across the space sector, the same rigour disappears at the boundary between hardware and software.
Code is integrated from subcontractors without equivalent scrutiny. Cyber security is not treated as an engineering requirement. The gap between how we treat physical and digital materials is what adversaries are exploiting.
Space West listened to the UK’s space sector throughout the Space Security Roadshow. There is a shared desire for the engineering discipline that keeps structures safe to extend to the systems that control them. Space should lead this conversation.
The dependency is real - and growing
Society increasingly runs on satellite infrastructure. GPS navigation, financial transaction timing, telecommunications - a 2025 CGI and UK Space Agency report assessed that losing access to these services would trigger serious economic disruption within days.
The infrastructure carrying that weight is ageing.
Satellites typically operate for 7 years or more. Factoring in design and build time, platforms in orbit today may be running technology conceived over a decade ago - long before the current threat landscape existed. Capabilities that were once the preserve of nation-states are now accessible to a wider range of actors.
Simultaneously, the number of potential targets is rising sharply. Around 10,200 satellites were in orbit in 2024. ESA estimates that figure could reach 100,000 by 2030. Each additional platform is another entry point for an attacker - what the security community calls the “attack surface”.
The familiar threats are the dangerous ones
The most accessible route into space systems is through the ground infrastructure – the networks and software that control, communicate with and process data from platforms in orbit. The attack methods are familiar - phishing, malware, and weaknesses in web-based systems.
Space projects are rarely delivered by a single company. Primary contractors depend on subcontractors, who depend on their own suppliers. The code running a mission-critical system may have been written across several organisations, with the prime having limited visibility of it.
A weakness anywhere in that chain is a weakness everywhere. For the sector to retain trust, resilience can’t stop at the prime contractor.
The threat on the horizon that demands action today
The risk that should focus the sector most is one that hasn’t fully arrived yet - but is already causing damage.
Quantum computing, when mature, will be capable of breaking the encryption methods that protect today’s sensitive communications. RSA encryption – which secures everything from banking to satellite command links – can’t be cracked by classical computers in any practical timeframe.
A sufficiently powerful quantum computer could do it in hours rather than billions of years. IBM assesses that such a machine is plausible by 2035.
Adversaries aren’t waiting. Intelligence agencies and hostile actors are already intercepting and storing encrypted data now, intending to decrypt it once quantum capability catches up. The security community calls this “harvest now, decrypt later.” If the data has long-term value - and satellite communications often do - it’s already being collected.
This creates an urgent design problem. Satellites being built today will still be in service in a post-quantum world. The hardware needs to support new, quantum-resistant encryption standards - known as post-quantum cryptography. Those platforms can’t be upgraded later. The choices being made now determine whether assets designed in 2026 remain secure in 2040.
The National Cyber Security Centre (NCSC) has set 2035 as the transition deadline and recommends that organisations start now: understand where you rely on encryption, assess the risks, and build flexibility into your systems so that cryptographic methods can be swapped out as standards evolve. That flexibility - known as crypto-agility - is a design decision that has to be made upfront, not retrofitted.
The NCSC has also endorsed Avella and Arqit to lead in post-quantum protection methods.
The UK is well placed to lead on this
None of this is cause for paralysis. The UK has genuine advantages here. A mature space supply chain. A national cyber security infrastructure through the NCSC and NPSA. A growing ecosystem of specialist security firms. And, critically, a manufacturing and engineering R&D base that already knows how to embed quality, traceability and resilience into complex systems.
The sector already has the mindset this challenge demands. Cyber resilience isn’t a new discipline - it’s a familiar one applied to a different material. The engineering culture exists. It just needs to be extended.
There’s also a commercial case. Organisations that can demonstrate engineering-grade cyber resilience across their supply chain will be more competitive.
Unity of action will mitigate the shared burden of consequence, and ongoing collaborations such as CySpace and SpaceISAC are examples to be followed.
As government and defence customers raise the bar on digital assurance, the companies that got there early will win more contracts. This isn’t just about managing risk. It’s about building a reputation that opens doors.
Cyber security is an engineering discipline
Guidance exists. The NCSC, the National Protective Security Authority and UKSA’s Security and Resilience team all publish practical resources, with the latter happy to be contacted. Cyber Essentials certification sets a baseline. But a baseline isn’t a standard.
The UK space sector needs to start treating cyber security the way we treat structural performance: designed in from the outset, tested under realistic conditions, traceable through the supply chain, and maintained throughout the life of the asset.
You wouldn’t launch an untested structure. Don’t launch an unprotected one.