Satellites, spacecraft, and defense systems rely on increasingly complex software ecosystems that integrate open-source, third-party, and legacy components. Recent cybersecurity events have highlighted how vital it is to track, secure, and manage these software supply chains.
The Risk of Vulnerable Third-Party Components
At Black Hat 2025, some very serious vulnerabilities were discovered in some of the most commonly used platforms for satellite control: Yamcs, OpenC3 Cosmos, and NASA’s cFS Aquila. Such flaws-range from remote code execution, denial of service, weak encryption to manipulation of satellite operations-force criminals into changing orbital paths or stealing cryptographic keys, usually without even detection.
Even seeming-to-be-secure encryption libraries such as CryptoLib-which NASA uses-were found to harbor multiple critical vulnerabilities. Exploiting these, attackers could crash the onboard software, reset its security state, or compromise encrypted communications. These findings reinforce that third-party components remain among the easiest risks to exploit in aerospace and defense software.
SBOMs: Ensuring Transparency Across the Software Stack
Software Bill of Materials lists all components within a system involved. In practice, it finds vulnerabilities, manages risk, considers compliance, and goes into incident response. The SBOM can be only as good as its accuracy, completeness, or governance structure.
In other words, to improve security posture, an organization must hold centralized processes for the validation, enrichment, and continuous surveillance of SBOMs, so that both upstream ones (those from development) and downstream ones (those from deployed systems) are held accountable, validated, and acted upon.
Closing the Gaps
Modern SBOM platforms, such as Keysight’s solutions, enhance binary similarity checks and code emulation to detect components when source information is partial or missing. This allows SBOMs to be reliably created for firmware and software or for container images so that no single component-in whatever form it exists-goes untracked.
Hence, giving full visibility, rigorous validation, and operational governance serve systems in aerospace and defense better in recognizing vulnerabilities, quick incident response, and establishing trust across software supply chains. This closes critical gaps while trying to keep mission-critical systems safe from the ever-evolving cyber threats.
(This article has been adapted and modified from content on Keysight Technologies.)
