HBSE CubeSat Sized Hardware Based Security Element (HBSE) and Service Development - Implementation

  • Status
    Ongoing
  • Status date
    2025-08-08
  • Activity Code
    6B.133
Objectives

The objective of the HBSE project is to develop and commercialise a hardware-based security solution tailored for CubeSats. This solution ensures end-to-end data protection, robust authentication, and secure key management for satellite communication and payload operations. The system addresses the growing need for high-assurance data security in the rapidly expanding CubeSat market, especially for commercial Earth observation and Internet of Things (IoT) / Machine-to-Machine (M2M) constellations.

By providing a platform-independent security module, HBSE enables satellite operators, platform providers, and mission owners to safeguard valuable data, meet compliance requirements, and enhance trust in shared and multi-user satellite architectures. The project aims to deliver a ready-to-integrate product with flexible service models and easy compatibility with new and existing satellite platforms.

Challenges

Key challenges include integrating advanced security features into resource-constrained CubeSats and providing robust key management resistant to evolving cyber threats. The project must balance high security standards with cost-effectiveness and user-friendliness, while addressing industry concerns about performance, scalability, and long-term reliability in low Earth orbit (LEO).

Benefits

The HBSE solution offers significant advantages over software-based or legacy satellite security systems. By implementing hardware-based encryption and key management, HBSE delivers enhanced protection against unauthorized access, cyber-attacks, and data breaches – starting directly at the payload level.

Unlike most competitors, HBSE is platform-agnostic, allowing seamless integration across various CubeSat platforms and shared payload missions. The product enables operators to comply with international security standards, ensures data confidentiality even when multiple parties are involved, and reduces the risk of command hijacking or data tampering. With flexible configuration, cost-efficient integration, and scalable support for constellation deployments, HBSE future-proofs satellite data security in an increasingly competitive market.

Features

HBSE consists of a flight-proven hardware security module embedded in the satellite platform, coupled with a ground-based key management and data dissemination service. Key features include end-to-end encryption for satellite telemetry and payload data, secure authentication and access control, platform-level and per-payload key diversification, and tamper-resistant key storage using secure elements.

The system supports both symmetric and asymmetric cryptography, with robust integration into CubeSat onboard computers and intelligent payload controllers. The ground segment delivers certificate authority services, secure provisioning, user and role management, and real-time monitoring. HBSE is compatible with standard industry protocols, allowing easy integration, scalability, and compliance with evolving space cybersecurity requirement.

System Architecture

The HBSE system architecture comprises three main elements: the satellite’s onboard security module (integrated with the on-board computer and intelligent payload controller), the ground-based key management authority, and the secure data dissemination platform. Onboard, the secure element handles all cryptographic operations and key storage, ensuring data is encrypted and authenticated at the source.

The ground segment manages certificate issuance, key lifecycle, and secure communication between the satellite, mission operations center, and end-users. The architecture supports role-based access, auditability, and modular integration with existing and future CubeSat platforms. Data flow is encrypted end-to-end, with flexible support for both platform-level and payload-level protection, ensuring confidentiality and integrity throughout the mission lifecycle.

Plan

The project advances through well-defined phases, beginning with a kick off to align objectives and schedule. Design and development are structured around the Preliminary Design Review (PDR) and Critical Design Review (CDR), ensuring technical readiness before integration.

System-level testing and qualification are confirmed at Test Readiness Review (TRR) and Telecommunications Regulatory Board (TRB). The project culminates with the Final Review, where the integrated solution is demonstrated in an operational scenario and prepared for commercial deployment.

Progress meetings and regular reporting ensure that all risks and milestones are continuously monitored and managed throughout the project.

Current status

Key documents and software design packages have been prepared for the upcoming PDR. Core components – including the hardware security module and software architecture – have been developed and initial integration is underway. The security chip has been initialised and tested for key writing, diversification, and encryption/authentication. Software infrastructure elements, including certificate authority and identity management, have reached their first functional versions.

No critical issues have been identified. Next steps include the PDR data package delivery and further system integration and testing.