Detection of a high number of CAN error frames from multiple nodes, indicating that an attacker might be deliberately causing errors to disrupt communication on the bus or cause certain subsystems to enter error-passive or bus-off states.
| ID | Name | Description | |
| LM-0001 | Hosted Payload | The adversary pivots through the host–payload boundary to reach additional subsystems. Hosted payloads exchange power, time, housekeeping, and data with the bus via defined gateways (e.g., SpaceWire, 1553, Ethernet) and often support file services, table loads, and command dictionaries distinct from the host’s. A foothold on the payload can be used to inject traffic through the gateway processor, request privileged services (time/ephemeris distribution, firmware loads), or ride shared backplanes where payload traffic is bridged into C&DH networks. In some designs, payload processes execute on host compute or expose maintenance modes that temporarily widen access, creating paths from the payload into attitude, power, storage, or recorder resources. The movement is transitive: compromise a co-resident unit, then traverse the trusted interface that already exists for mission operations. | |
| LM-0002 | Exploit Lack of Bus Segregation | On flat architectures, where remote terminals, subsystems, and payloads share a common bus with minimal partitioning, any node that can transmit may influence many others. An attacker leverages this by forging message IDs or terminal addresses, replaying actuator/sensor frames, seizing or imitating bus-controller roles, or abusing gateway bridges that forward traffic between links (e.g., 1553↔SpaceWire/CAN). Because consumers often act on the latest valid-looking message, crafted traffic from one compromised device can reconfigure peers, toggle power domains, or write persistent parameters. Weak role enforcement and broadcast semantics allow privilege escalation from a peripheral to effective system-wide influence, turning the shared medium into a highway for further compromise. | |
| LM-0004 | Visiting Vehicle Interface(s) | Docking, berthing, or short-duration attach events create high-trust, high-bandwidth connections between vehicles. During these operations, automatic sequences verify latches, exchange status, synchronize time, and enable umbilicals that carry data and power; maintenance tools may also push firmware or tables across the interface. An attacker positioned on the visiting vehicle can exploit these handshakes and service channels to inject commands, transfer files, or access bus gateways on the host. Because many actions are expected “just after dock,” malicious traffic can ride the same procedures that commission the interface, allowing lateral movement from the visiting craft into the target spacecraft’s C&DH, payload, or support subsystems. | |
| LM-0006 | Launch Vehicle Interface | During integration and ascent, payloads and the launch vehicle exchange power, discrete lines, and data via umbilicals, separation avionics, and shared EGSE networks. Protections can be reduced or heterogeneous because timelines are tight and responsibilities cross organizations. An attacker positioned on either side (vehicle or payload) can use these commissioning links, health/status queries, time distribution, inhibit lines, separation commands, or telemetry gateways, to inject messages, transfer files, or alter configuration that propagates across the interface. Before fairing close and prior to separation, this brief but high-trust coupling provides a route to move from one platform to the other and to seed artifacts that persist after deployment. | |