The NIS2 Directive demands cybersecurity for critical infrastructure. The Death Star is definitely critical infrastructure — and definitely not compliant. An analysis of the most famous vulnerability in film history.
The NIS2 Directive requires operators of critical infrastructure (in the Directive's own terms, essential and important entities) to cover risk management, incident reporting, supply chain security and governance. The Death Star is a space station with 1.2 million crew members. Infrastructure does not get more critical than that.
And yet: a single exhaust port, a saboteur in the supply chain, no encryption of the construction plans, no patch management. If the Empire were a German company, the BSI would have kicked the door in long ago.
Finding: The Death Star has a 2-meter-wide thermal exhaust port leading directly to the reactor core. Galen Erso built it in as a backdoor, and nobody ever did a risk assessment that would have found it.
NIS2 requirement: Systematic risk analysis of all critical systems, including regular penetration tests.
Finding: The destruction of the first Death Star was covered up internally. The news only reached Outer Rim bases weeks later. No early warning within 24 hours, no follow-up report.
NIS2 requirement: An early warning of a significant incident must reach the competent authority or CSIRT within 24 hours of becoming aware of it, followed by an incident notification within 72 hours and a final report within one month.
Finding: Galen Erso, a saboteur, was the lead engineer of the Death Star. No background check, no four-eyes principle on the design. The entire supply chain was compromised.
NIS2 requirement: Cybersecurity requirements for suppliers and service providers, and an assessment of the vulnerabilities specific to each direct supplier.
Finding: The plan after the destruction of the Death Star: build Death Star II. No diversification, no backup concept. The single point of failure is duplicated instead of eliminated.
NIS2 requirement: Business continuity management, backup systems, crisis management and disaster recovery for critical infrastructure.
Finding: Who is responsible for cybersecurity? Tarkin? Vader? Palpatine? Nobody. No CISO, no security department, no clear responsibilities.
NIS2 requirement: Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and attend training themselves; they can be held personally liable for infringements.
Finding: The Death Star plans are stored in an unencrypted data archive on Scarif. R2-D2 can take over imperial systems through any standard data port. Every terminal, every time.
NIS2 requirement: Encryption of sensitive data, multi-factor authentication, role-based access control.
Finding: A known vulnerability (the exhaust port) is never patched. On the Death Star II the vulnerability is the half-built state itself, and the station is put into operation anyway.
NIS2 requirement: Vulnerability handling and disclosure: regular patching, vulnerability scanning and a coordinated disclosure process.
Finding: Stormtroopers are trained in combat, but not in cybersecurity. Social engineering by the rebels (stolen uniforms, faked clearance codes) works every time.
NIS2 requirement: Basic cyber hygiene practices and regular cybersecurity training for all employees, including phishing awareness.
Average score: 1.4/5. The Empire runs the largest critical infrastructure in the galaxy with the cybersecurity maturity of a seed-stage startup: no risk management, no incident reporting, a compromised supply chain.
The exhaust port vulnerability (CVE-0000-BBY): Galen Erso intentionally built a vulnerability into the Death Star, a 2-meter-wide thermal exhaust port leading directly to the reactor core. A single proton torpedo is enough to destroy the station. Under NIS2 the risk analysis would have had to cover it, and a penetration test would have caught it immediately. Instead: no test, no patch, no four-eyes principle in the design.
Rogue One as a supply chain attack: The entire film "Rogue One" is essentially a supply chain attack. A compromised supplier (Galen Erso) plants a backdoor, and attackers (the rebels) steal the technical documentation (the plans) from an inadequately secured archive on Scarif. NIS2 Article 21(2)(d) requires supply chain security precisely for this scenario.
R2-D2 as a penetration tester: R2-D2 gets into the Death Star's central systems in seconds: controlling trash compactors, opening doors, locating prisoners. No network segmentation, no authentication on the data ports, no anomaly detection. If R2-D2 were a red team tester, his report would have one line: "Everything open."
Hopefully more secure than the Death Star.
Inspired by: European Union, NIS2 Directive (Directive (EU) 2022/2555).