Threats by DiD Layer

Space

Data

Compromise Cryptographic Mechanism

Eavesdropping

Data Modification/Corruption

Propulsion EMI

S/C Software

Scheduling Table Attack

Time Synchronized Execution

Critical Subsystem Attack

FSW Code Exploitation

Malicious Software

3rd Party Software

On-Orbit Software Update

SBC

Proximity Operations

Exploit Lack of Bus Segregation

Malicious Use Of Hardware Commands

Timing Disruption

Watchdog Timer Attack

Clock Synchronization Attack

Boot Memory Compromise

Single Event Upset

Power Drain

Software Defined Radio

Operating System Attack

IDS/IPS

Fault Management Exploitation

Compromise/Corrupt Running State

Undetected Attack

Cyber Incident Recovery

Crypto

Unauthorized Access

Replay

Tapping of Communications Link

Safe Mode Inidications

Spoofing

Comms Link

Weak Communication Protocols

Jamming

Ground

Compromise Ground System

Prevention

Masquerading/Insider Threat

TT&C Hardware Failure

Critical Design Details Leaked

Space Debris

Unidentified/Exposed Critical Assets

Inadequate Security Planning/Design

Development Environment Compromise

Insufficient Testing

Supply Chain Attack

ASIC/FPGA Compromise

Ground

Data

Automated Collection

Cloud Storage Object Discovery

Data Destruction

Data Encrypted for Impact

Data Manipulation

Data Manipulation: Runtime Data Manipulation

Data Manipulation: Stored Data Manipulation

Data from Cloud Storage Object

Data from Information Repositories: Code Repositories

Data from Information Repositories: Confluence

Data from Information Repositories: Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Defacement

Defacement: External Defacement

Disk Wipe

Disk Wipe: Disk Content Wipe

Disk Wipe: Disk Structure Wipe

Dynamic Resolution: Fast Flux DNS

Email Collection

Email Collection: Local Email Collection

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service

File and Directory Discovery

File and Directory Permissions Modification

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Group Policy Discovery

Permission Groups Discovery

Ground Software

Compromise Client Software Binary

Exploit Public-Facing Application

Exploitation for Credential Access

Exploitation for Defense Evasion

Exploitation for Privilege Escalation

Exploitation of Remote Services

Forge Web Credentials: Web Cookies

Masquerading: Invalid Code Signature

Steal Web Session Cookie

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Template Injection

XSL Script Processing

Endpoint

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Access Token Manipulation

Access Token Manipulation: Create Process with Token

Access Token Manipulation: Make and Impersonate Token

Access Token Manipulation: Parent PID Spoofing

Access Token Manipulation: SID-History Injection

Access Token Manipulation: Token Impersonation/Theft

Account Access Removal

Account Discovery

Account Discovery: Cloud Account

Account Discovery: Domain Account

Account Discovery: Email Account

Account Discovery: Local Account

Account Manipulation

Account Manipulation: Additional Cloud Credentials

Account Manipulation: Additional Cloud Roles

Account Manipulation: Additional Email Delegate Permissions

Account Manipulation: Device Registration

Account Manipulation: SSH Authorized Keys

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Custom Method

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Utility

Audio Capture

Automated Exfiltration

BITS Jobs

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Active Setup

Boot or Logon Autostart Execution: Authentication Package

Boot or Logon Autostart Execution: Kernel Modules and Extensions

Boot or Logon Autostart Execution: LSASS Driver

Boot or Logon Autostart Execution: Login Items

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Print Processors

Boot or Logon Autostart Execution: Re-opened Applications

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Time Providers

Boot or Logon Autostart Execution: Winlogon Helper DLL

Boot or Logon Autostart Execution: XDG Autostart Entries

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts: Login Hook

Boot or Logon Initialization Scripts: Logon Script (Windows)

Boot or Logon Initialization Scripts: Network Logon Script

Boot or Logon Initialization Scripts: RC Scripts

Boot or Logon Initialization Scripts: Startup Items

Browser Bookmark Discovery

Browser Extensions

Browser Session Hijacking

Brute Force

Brute Force: Credential Stuffing

Brute Force: Password Guessing

Brute Force: Password Spraying

Build Image on Host

Clipboard Data

Command and Scripting Interpreter

Command and Scripting Interpreter: AppleScript

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Communication Through Removable Media

Container Administration Command

Create Account

Create Account: Domain Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Create or Modify System Process: Launch Daemon

Create or Modify System Process: Systemd Service

Create or Modify System Process: Windows Service

Credentials from Password Stores

Credentials from Password Stores: Credentials from Web Browsers

Credentials from Password Stores: Keychain

Credentials from Password Stores: Password Managers

Credentials from Password Stores: Securityd Memory

Credentials from Password Stores: Windows Credential Manager

Data Staged

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Domain Policy Modification: Domain Trust Modification

Domain Policy Modification: Group Policy Modification

Domain Trust Discovery

Dynamic Resolution

Endpoint Denial of Service

Endpoint Denial of Service: Application Exhaustion Flood

Endpoint Denial of Service: Application or System Exploitation

Endpoint Denial of Service: OS Exhaustion Flood

Endpoint Denial of Service: Service Exhaustion Flood

Escape to Host

Event Triggered Execution

Event Triggered Execution: Accessibility Features

Event Triggered Execution: AppCert DLLs

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Application Shimming

Event Triggered Execution: Change Default File Association

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Emond

Event Triggered Execution: Image File Execution Options Injection

Event Triggered Execution: LC_LOAD_DYLIB Addition

Event Triggered Execution: Netsh Helper DLL

Event Triggered Execution: PowerShell Profile

Event Triggered Execution: Screensaver

Event Triggered Execution: Trap

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Execution Guardrails

Execution Guardrails: Environmental Keying

Exfiltration Over Other Network Medium

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Exploitation for Client Execution

Firmware Corruption

Forced Authentication

Gather Victim Host Information

Gather Victim Host Information: Client Configurations

Gather Victim Host Information: Firmware

Gather Victim Host Information: Hardware

Gather Victim Host Information: Software

Hide Artifacts

Hide Artifacts: Email Hiding Rules

Hide Artifacts: Hidden File System

Hide Artifacts: Hidden Files and Directories

Hide Artifacts: Hidden Users

Hide Artifacts: Hidden Window

Hide Artifacts: NTFS File Attributes

Hide Artifacts: Process Argument Spoofing

Hide Artifacts: Resource Forking

Hide Artifacts: Run Virtual Instance

Hide Artifacts: VBA Stomping

Hijack Execution Flow

Hijack Execution Flow: COR_PROFILER

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Hijack Execution Flow: Dylib Hijacking

Hijack Execution Flow: Dynamic Linker Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Hijack Execution Flow: KernelCallbackTable

Hijack Execution Flow: Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by Search Order Hijacking

Hijack Execution Flow: Path Interception by Unquoted Path

Hijack Execution Flow: Services File Permissions Weakness

Hijack Execution Flow: Services Registry Permissions Weakness

Impair Defenses

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable or Modify Tools

Impair Defenses: Downgrade Attack

Impair Defenses: Impair Command History Logging

Impair Defenses: Safe Mode Boot

Implant Internal Image

Indicator Removal on Host

Indicator Removal on Host: Clear Command History

Indicator Removal on Host: Clear Linux or Mac System Logs

Indicator Removal on Host: Clear Windows Event Logs

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Indicator Removal on Host: Timestomp

Indirect Command Execution

Inhibit System Recovery

Input Capture

Input Capture: Credential API Hooking

Input Capture: GUI Input Capture

Input Capture: Keylogging

Input Capture: Web Portal Capture

Inter-Process Communication

Inter-Process Communication: Component Object Model

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: XPC Services

Masquerading

Masquerading: Double File Extension

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

Masquerading: Right-to-Left Override

Masquerading: Space after Filename

Modify Authentication Process

Modify Authentication Process: Domain Controller Authentication

Modify Authentication Process: Network Device Authentication

Modify Authentication Process: Password Filter DLL

Modify Authentication Process: Pluggable Authentication Modules

Modify Authentication Process: Reversible Encryption

Modify Registry

Multi-Factor Authentication Interception

Native API

Network Service Discovery

Network Share Discovery

OS Credential Dumping

OS Credential Dumping: /etc/passwd and /etc/shadow

OS Credential Dumping: Cached Domain Credentials

OS Credential Dumping: DCSync

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: NTDS

OS Credential Dumping: Proc Filesystem

OS Credential Dumping: Security Account Manager

Obfuscated Files or Information

Obfuscated Files or Information: Binary Padding

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Obfuscated Files or Information: Software Packing

Obfuscated Files or Information: Steganography

Office Application Startup

Office Application Startup: Add-ins

Office Application Startup: Office Template Macros

Office Application Startup: Office Test

Office Application Startup: Outlook Forms

Office Application Startup: Outlook Home Page

Office Application Startup: Outlook Rules

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery: Domain Groups

Permission Groups Discovery: Local Groups

Plist File Modification

Pre-OS Boot

Pre-OS Boot: Bootkit

Pre-OS Boot: Component Firmware

Pre-OS Boot: ROMMONkit

Pre-OS Boot: System Firmware

Process Discovery

Process Injection

Process Injection: Asynchronous Procedure Call

Process Injection: Dynamic-link Library Injection

Process Injection: Extra Window Memory Injection

Process Injection: ListPlanting

Process Injection: Portable Executable Injection

Process Injection: Proc Memory

Process Injection: Process Doppelgänging

Process Injection: Process Hollowing

Process Injection: Ptrace System Calls

Process Injection: Thread Execution Hijacking

Process Injection: Thread Local Storage

Process Injection: VDSO Hijacking

Query Registry

Reflective Code Loading

Remote Service Session Hijacking

Remote Service Session Hijacking: RDP Hijacking

Remote Services: Distributed Component Object Model

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH

Remote Services: Windows Remote Management

Remote System Discovery

Resource Hijacking

Rootkit

Scheduled Task/Job

Scheduled Task/Job: At

Scheduled Task/Job: Container Orchestration Job

Scheduled Task/Job: Cron

Scheduled Task/Job: Scheduled Task

Scheduled Task/Job: Systemd Timers

Screen Capture

Server Software Component

Server Software Component: IIS Components

Server Software Component: SQL Stored Procedures

Server Software Component: Terminal Services DLL

Server Software Component: Transport Agent

Server Software Component: Web Shell

Service Stop

Shared Modules

Software Discovery

Software Discovery: Security Software Discovery

Stage Capabilities: Install Digital Certificate

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: AS-REP Roasting

Steal or Forge Kerberos Tickets: Golden Ticket

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: Silver Ticket

Subvert Trust Controls

Subvert Trust Controls: Code Signing

Subvert Trust Controls: Code Signing Policy Modification

Subvert Trust Controls: Gatekeeper Bypass

Subvert Trust Controls: Install Root Certificate

Subvert Trust Controls: SIP and Trust Provider Hijacking

System Binary Proxy Execution

System Binary Proxy Execution: CMSTP

System Binary Proxy Execution: Compiled HTML File

System Binary Proxy Execution: Control Panel

System Binary Proxy Execution: InstallUtil

System Binary Proxy Execution: MMC

System Binary Proxy Execution: Mavinject

System Binary Proxy Execution: Mshta

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Odbcconf

System Binary Proxy Execution: Regsvcs/Regasm

System Binary Proxy Execution: Regsvr32

System Binary Proxy Execution: Rundll32

System Binary Proxy Execution: Verclsid

System Information Discovery

System Location Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Script Proxy Execution

System Script Proxy Execution: PubPrn

System Service Discovery

System Services

System Services: Launchctl

System Services: Service Execution

System Shutdown/Reboot

System Time Discovery

Taint Shared Content

Traffic Signaling: Port Knocking

Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution: MSBuild

Unsecured Credentials

Unsecured Credentials: Bash History

Unsecured Credentials: Credentials In Files

Unsecured Credentials: Group Policy Preferences

Unsecured Credentials: Private Keys

User Execution

User Execution: Malicious File

User Execution: Malicious Image

Valid Accounts

Valid Accounts: Default Accounts

Valid Accounts: Local Accounts

Video Capture

Virtualization/Sandbox Evasion

Virtualization/Sandbox Evasion: System Checks

Virtualization/Sandbox Evasion: Time Based Evasion

Virtualization/Sandbox Evasion: User Activity Based Checks

Windows Management Instrumentation

Network

Adversary-in-the-Middle

Adversary-in-the-Middle: ARP Cache Poisoning

Adversary-in-the-Middle: DHCP Spoofing

Command and Scripting Interpreter: Network Device CLI

Data from Configuration Repository

Data from Configuration Repository: Network Device Configuration Dump

Data from Configuration Repository: SNMP (MIB Dump)

Lateral Tool Transfer

Modify System Image

Modify System Image: Downgrade System Image

Modify System Image: Patch System Image

Network Boundary Bridging

Network Boundary Bridging: Network Address Translation Traversal

Network Denial of Service

Network Denial of Service: Direct Network Flood

Network Denial of Service: Reflection Amplification

Network Sniffing

Non-Application Layer Protocol

Pre-OS Boot: TFTP Boot

Protocol Tunneling

Proxy

Remote Services: VNC

Traffic Signaling

Transfer Data to Cloud Account

Trusted Relationship

Weaken Encryption

Weaken Encryption: Disable Crypto Hardware

Weaken Encryption: Reduce Key Space

CND/IR

Active Scanning

Active Scanning: Scanning IP Blocks

Active Scanning: Vulnerability Scanning

Active Scanning: Wordlist Scanning

Application Layer Protocol

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Mail Protocols

Application Layer Protocol: Web Protocols

Automated Exfiltration: Traffic Duplication

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Container and Resource Discovery

Create Account: Cloud Account

Data Encoding

Data Encoding: Non-Standard Encoding

Data Encoding: Standard Encoding

Data Manipulation: Transmitted Data Manipulation

Data Obfuscation

Data Obfuscation: Junk Data

Data Obfuscation: Protocol Impersonation

Data Obfuscation: Steganography

Data Transfer Size Limits

Defacement: Internal Defacement

Deploy Container

Dynamic Resolution: DNS Calculation

Email Collection: Email Forwarding Rule

Email Collection: Remote Email Collection

Encrypted Channel

Encrypted Channel: Asymmetric Cryptography

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Code Repository

Fallback Channels

Forge Web Credentials

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable Cloud Logs

Impair Defenses: Indicator Blocking

Ingress Tool Transfer

Internal Spearphishing

Modify Cloud Compute Infrastructure

Modify Cloud Compute Infrastructure: Create Cloud Instance

Modify Cloud Compute Infrastructure: Create Snapshot

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Modify Cloud Compute Infrastructure: Revert Cloud Instance

Multi-Factor Authentication Request Generation

Multi-Stage Channels

Non-Standard Port

Obfuscated Files or Information: HTML Smuggling

Permission Groups Discovery: Cloud Groups

Proxy: Domain Fronting

Proxy: Internal Proxy

Proxy: Multi-hop Proxy

Remote Access Software

Remote Service Session Hijacking: SSH Hijacking

Remote Services

Rogue Domain Controller

Scheduled Transfer

Stage Capabilities: Drive-by Target

Stage Capabilities: Link Target

Stage Capabilities: Upload Malware

Stage Capabilities: Upload Tool

Subvert Trust Controls: Mark-of-the-Web Bypass

Unsecured Credentials: Cloud Instance Metadata API

Unsecured Credentials: Container API

Unsecured Credentials: Credentials in Registry

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Use Alternate Authentication Material: Application Access Token

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts: Cloud Accounts

Valid Accounts: Domain Accounts

Web Service

Web Service: Bidirectional Communication

Web Service: One-Way Communication

Perimeter

Drive-by Compromise

Dynamic Resolution: Domain Generation Algorithms

External Remote Services

Impair Defenses: Disable or Modify Cloud Firewall

Phishing

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

Phishing: Spearphishing via Service

Proxy: External Proxy

User Execution: Malicious Link

Web Service: Dead Drop Resolver

Physical

Exfiltration Over Physical Medium

Exfiltration Over Physical Medium: Exfiltration over USB

Hardware Additions

Replication Through Removable Media

Prevention

Acquire Infrastructure

Acquire Infrastructure: Botnet

Acquire Infrastructure: DNS Server

Acquire Infrastructure: Domains

Acquire Infrastructure: Server

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Web Services

Brute Force: Password Cracking

Compromise Accounts

Compromise Accounts: Email Accounts

Compromise Accounts: Social Media Accounts

Compromise Infrastructure

Compromise Infrastructure: Botnet

Compromise Infrastructure: DNS Server

Compromise Infrastructure: Domains

Compromise Infrastructure: Server

Compromise Infrastructure: Virtual Private Server

Compromise Infrastructure: Web Services

Data from Information Repositories

Develop Capabilities

Develop Capabilities: Code Signing Certificates

Develop Capabilities: Digital Certificates

Develop Capabilities: Exploits

Develop Capabilities: Malware

Establish Accounts

Establish Accounts: Email Accounts

Establish Accounts: Social Media Accounts

Gather Victim Identity Information

Gather Victim Identity Information: Credentials

Gather Victim Identity Information: Email Addresses

Gather Victim Identity Information: Employee Names

Gather Victim Network Information

Gather Victim Network Information: DNS

Gather Victim Network Information: Domain Properties

Gather Victim Network Information: IP Addresses

Gather Victim Network Information: Network Security Appliances

Gather Victim Network Information: Network Topology

Gather Victim Network Information: Network Trust Dependencies

Gather Victim Org Information

Gather Victim Org Information: Business Relationships

Gather Victim Org Information: Determine Physical Locations

Gather Victim Org Information: Identify Business Tempo

Gather Victim Org Information: Identify Roles

Obtain Capabilities

Obtain Capabilities: Code Signing Certificates

Obtain Capabilities: Digital Certificates

Obtain Capabilities: Exploits

Obtain Capabilities: Malware

Obtain Capabilities: Tool

Obtain Capabilities: Vulnerabilities

Phishing for Information

Phishing for Information: Spearphishing Attachment

Phishing for Information: Spearphishing Link

Phishing for Information: Spearphishing Service

Search Closed Sources

Search Closed Sources: Purchase Technical Data

Search Closed Sources: Threat Intel Vendors

Search Open Technical Databases

Search Open Technical Databases: CDNs

Search Open Technical Databases: DNS/Passive DNS

Search Open Technical Databases: Digital Certificates

Search Open Technical Databases: Scan Databases

Search Open Technical Databases: WHOIS

Search Open Websites/Domains

Search Open Websites/Domains: Search Engines

Search Open Websites/Domains: Social Media

Search Victim-Owned Websites

Software Deployment Tools

Stage Capabilities

Supply Chain Compromise

Supply Chain Compromise: Compromise Hardware Supply Chain

SV-AV-5 - Fault Management Exploitation

Using fault management system against you. Understanding the fault response could be leveraged to get satellite in vulnerable state. Example, safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of TLM to cause action from ground, or some sort of RPO to cause S/C to go into safe mode;

Informational References

CENTRA - Chinese Research into Cyber Vulnerabilities of Satellite Bus Standards
Orbital Security Alliance - Commercial Space System Security Guidelines

ID: SV-AV-5

DiD Layer: IDS/IPS

CAPEC #: 74 | 166 | 578 | 581 | 620

NIST Rev5 Control Tag Mapping: CP-10 | CP-10(4) | CP-12 | IR-4 | IR-4(3) | SA-5 | SC-24 | SI-11 | SI-17

Lowest Threat Tier to
Create Threat Event: V

Notional Risk Rank Score: 24

High-Level Requirements

The Program shall protect all fault management documents (i.e., FMEA/FMECA artifacts) from inadvertent and inappropriate disclosure.

Low-Level Requirements

Requirement	Rationale/Additional Guidance/Notes
This is not a cyber control for the spacecraft, but these controls would apply to ground system, contractor networks, etc. where design sensitive information would reside. NIST 800-171 is insufficient to properly protect this information from exposure, exfiltration, etc. Should require contractors to be CMMC 2.0 Level 3 certified (https://www.acq.osd.mil/cmmc/about-us.html). The Program shall identify and properly classify mission sensitive design/operations information and access control shall be applied in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. {SV-CF-3,SV-AV-5} {SA-5}	Essential Elements of Information (EEI):
The Program shall protect documentation and Essential Elements of Information (EEI) as required, in accordance with the risk management strategy. {SV-CF-3,SV-AV-5} {SA-5}	Least privilege and need to know should be employed with the protection of all documentation. Documentation can contain sensitive information that can aid in vulnerability discovery, detection, and exploitation. For example, command dictionaries for ground and space systems should be handles with extreme care. Additionally, design documents for missions contain many key elements that if compromised could aid in an attacker successfully exploiting the system.
The Program shall distribute documentation to only personnel with defined roles and a need to know. {SV-CF-3,SV-AV-5} {SA-5}
See threat ID SV-CF-3 to help with protecting design specific information, in this case the FMEA/FMECA artifacts so that particular fault responses are not disclosed via documentation. {SV-AV-5}
The spacecraft shall provide or support the capability for recovery and reconstitution to a known state after a disruption, compromise, or failure. {SV-AV-5,SV-AV-6,SV-AV-7} {CP-10,CP-10(4),IR-4}	Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and SW functions to preattack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on available equipment still available after a cyberattack. The goal is for the vehicle to resume full mission operations. If not possible, a reduced level of mission capability should be achieved.
The spacecraft shall provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). {SV-AV-5,SV-AV-6,SV-AV-7} {CP-12,SI-17,IR-4(3)}
The spacecraft shall enter a cyber-safe mode when conditions that threaten the spacecraft are detected with restrictions as defined based on the cyber-safe mode. {SV-AV-5,SV-AV-6,SV-AV-7} {CP-12,SI-17,IR-4(3)}	Cyber-safe mode is using a fail-secure mentality where if there is a malfunction that the spacecraft goes into a fail-secure state where cyber protections like authentication and encryption are still employed (instead of bypassed) and the spacecraft can be restored by authorized commands. The cyber-safe mode should be stored in a high integrity location of the on-board SV so that it cannot be modified by attackers.
The spacecraft's cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-17}
The spacecraft shall fail to a known secure state for all types of failures preserving information necessary to determine cause of failure and to return to operations with least disruption to mission operations. {SV-AV-5,SV-AV-6,SV-AV-7} {SC-24,SI-17}
The spacecraft shall generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-11}
The spacecraft shall reveal error messages only to operations personnel monitoring the telemetry. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-11}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0001		Gather Spacecraft Design Information	Threat actors may gather information about the victim spacecraft's design that can be used for future campaigns or to help perpetuate other techniques. Information about the spacecraft can include software, firmware, encryption type, purpose, as well as various makes and models of subsystems.
	REC-0001.09	Fault Management	Threat actors may gather information about any fault management that may be present on the victim spacecraft. This information can help threat actors construct specific attacks that may put the spacecraft into a fault condition and potentially a more vulnerable state depending on the fault response.
REC-0004		Gather Launch Information	Threat actors may gather the launch date and time, location of the launch (country & specific site), organizations involved, launch vehicle, etc. This information can provide insight into protocols, regulations, and provide further targets for the threat actor, including specific vulnerabilities with the launch vehicle itself.
	REC-0004.01	Flight Termination	Threat actor may obtain information regarding the vehicle's flight termination system. Threat actors may use this information to perform later attacks and target the vehicle's termination system to have desired impact on mission.
REC-0007		Monitor for Safe-Mode Indicators	Threat actors may gather information regarding safe-mode indicators on the victim spacecraft. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
IA-0010		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim spacecraft being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
EX-0006		Disable/Bypass Encryption	Threat actors may perform specific techniques in order to bypass or disable the encryption mechanism onboard the victim spacecraft. By bypassing or disabling this particular mechanism, further tactics can be performed, such as Exfiltration, that may have not been possible with the internal encryption process in place.
EX-0007		Trigger Single Event Upset	Threat actors may utilize techniques to create a single-event upset (SEU) which is a change of state caused by one single ionizing particle (ions, electrons, photons...) striking a sensitive node in a spacecraft(i.e., microprocessor, semiconductor memory, or power transistors). The state change is a result of the free charge created by ionization in or close to an important node of a logic element (e.g. memory "bit"). This can cause unstable conditions on the spacecraft depending on which component experiences the SEU. SEU is a known phenomenon for spacecraft due to high radiation in space, but threat actors may attempt to utilize items like microwaves to create a SEU.
EX-0011		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim spacecraft being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
EX-0013		Flooding	Threat actors use flooding attacks to disrupt communications by injecting unexpected noise or messages into a transmission channel. There are several types of attacks that are consistent with this method of exploitation, and they can produce various outcomes. Although, the most prominent of the impacts are denial of service or data corruption. Several elements of the space vehicle may be targeted by jamming and flooding attacks, and depending on the time of the attack, it can have devastating results to the availability of the system.
	EX-0013.01	Valid Commands	Threat actors may utilize valid commanding as a mechanism for flooding as the processing of these valid commands could expend valuable resources like processing power and battery usage. Flooding the spacecraft bus, sub-systems or link layer with valid commands can create temporary denial of service conditions for the space vehicle while the spacecraft is consumed with processing these valid commands.
	EX-0013.02	Erroneous Input	Threat actors inject noise/data/signals into the target channel so that legitimate messages cannot be correctly processed due to impacts to integrity or availability. Additionally, while this technique does not utilize system-relevant signals/commands/information, the target spacecraft may still consume valuable computing resources to process and discard the signal.
EX-0016		Jamming	Threat actors may attempt to jam Global Navigation Satellite Systems (GNSS) signals (i.e. GPS, Galileo, etc.) to inhibit a spacecraft's position, navigation, and/or timing functions.
	EX-0016.03	Position, Navigation, and Timing (PNT)	Threat actors may attempt to jam Global Navigation Satellite Systems (GNSS) signals (i.e. GPS, Galileo, etc.) to inhibit a spacecraft's position, navigation, and/or timing functions.
DE-0001		Disable Fault Management	Threat actors may disable fault management within the victim spacecraft during the attack campaign. During the development process, many fault management mechanisms are added to the various parts of the spacecraft in order to protect it from a variety of bad/corrupted commands, invalid sensor data, and more. By disabling these mechanisms, threat actors may be able to have commands processed that would not normally be allowed.
DE-0005		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim spacecraft being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections (i.e. security features) may be disabled at this time which would ensure the threat actor achieves evasion.
IMP-0001		Deception (or Misdirection)	Measures designed to mislead an adversary by manipulation, distortion, or falsification of evidence or information into a system to induce the adversary to react in a manner prejudicial to their interests. Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the spacecraft.
IMP-0002		Disruption	Measures designed to temporarily impair the use or access to a system for a period of time. Threat actors may seek to disrupt communications from the victim spacecraft to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the spacecraft's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications.
IMP-0003		Denial	Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground controllers and other interested parties access to the victim spacecraft. This would be done exhausting system resource, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time.
IMP-0004		Degradation	Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way to rapidly increase it's degradation. This could potentially shorten the lifespan of the victim spacecraft.

Related SPARTA Countermeasures

ID	Name	Description
CM0000	Countermeasure Not Identified	This technique is a result of utilizing TTPs to create an impact and the applicable countermeasures are associated with the TTPs leveraged to achieve the impact
CM0001	Protect Sensitive Information	Organizations should look to identify and properly classify mission sensitive design/operations information (e.g., fault management approach) and apply access control accordingly. Any location (ground system, contractor networks, etc.) storing design information needs to ensure design info is protected from exposure, exfiltration, etc. Space system sensitive information may be classified as Controlled Unclassified Information (CUI) or Company Proprietary. Space system sensitive information can typically include a wide range of candidate material: the functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, CUI, proprietary, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission. Sensitive documentation should only be accessed by personnel with defined roles and a need to know. Well established access controls (roles, encryption at rest and transit, etc.) and data loss prevention (DLP) technology are key countermeasures. The DLP should be configured for the specific data types in question.
CM0009	Threat Intelligence Program	A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities and mitigate risk. Leverage all-source intelligence services or commercial satellite imagery to identify and track adversary infrastructure development/acquisition. Countermeasures for this attack fall outside the scope of the mission in the majority of cases.
CM0020	Threat modeling	Use threat modeling, attack surface analysis, and vulnerability analysis to inform the current development process using analysis from similar systems, components, or services where applicable. Reduce attack surface where possible based on threats.
CM0022	Criticality Analysis	Conduct a criticality analysis to identify mission critical functions, critical components, and data flows and reduce the vulnerability of such functions and components through secure system design. Focus supply chain protection on the most critical components/functions. Leverage other countermeasures like segmentation and least privilege to protect the critical components.
CM0081	Defensive Jamming and Spoofing	A jammer or spoofer can be used to disrupt sensors on an incoming kinetic ASAT weapon so that it cannot steer itself effectively in the terminal phase of flight. When used in conjunction with maneuver, this could allow a satellite to effectively “dodge” a kinetic attack. Similar systems could also be used to deceive SDA sensors by altering the reflected radar signal to change the location, velocity, and number of satellites detected, much like digital radio frequency memory (DRFM) jammers used on many military aircraft today. A spacebased jammer can also be used to disrupt an adversary’s ability to communicate.* *https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQGate with an ASAT weapon.
CM0082	Deception and Decoys	Deception can be used to conceal or mislead others on the “location, capability, operational status, mission type, and/or robustness” of a satellite. Public messaging, such as launch announcements, can limit information or actively spread disinformation about the capabilities of a satellite, and satellites can be operated in ways that conceal some of their capabilities. Another form of deception could be changing the capabilities or payloads on satellites while in orbit. Satellites with swappable payload modules could have on-orbit servicing vehicles that periodically move payloads from one satellite to another, further complicating the targeting calculus for an adversary because they may not be sure which type of payload is currently on which satellite. Satellites can also use tactical decoys to confuse the sensors on ASAT weapons and SDA systems. A satellite decoy can consist of an inflatable device designed to mimic the size and radar signature of a satellite, and multiple decoys can be stored on the satellite for deployment when needed. Electromagnetic decoys can also be used in space that mimic the RF signature of a satellite, similar to aircraft that use airborne decoys, such as the ADM-160 Miniature Air-launched Decoy (MALD).* *https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG
CM0083	Antenna Nulling and Adaptive Filtering	Satellites can be designed with antennas that “null” or minimize signals from a particular geographic region on the surface of the Earth or locations in space where jamming is detected. Nulling is useful when jamming is from a limited number of detectable locations, but one of the downsides is that it can also block transmissions from friendly users that fall within the nulled area. If a jammer is sufficiently close to friendly forces, the nulling antenna may not be able to block the jammer without also blocking legitimate users. Adaptive filtering, in contrast, is used to block specific frequency bands regardless of where these transmissions originate. Adaptive filtering is useful when jamming is consistently within a particular range of frequencies because these frequencies can be filtered out of the signal received on the satellite while transmissions can continue around them. However, a wideband jammer could interfere with a large enough portion of the spectrum being used that filtering out the jammed frequencies would degrade overall system performance. * *https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG
CM0085	Electromagnetic Shielding	Satellite components can be vulnerable to the effects of background radiation in the space environment and deliberate attacks from HPM and electromagnetic pulse weapons. The effects can include data corruption on memory chips, processor resets, and short circuits that permanently damage components.* *https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG
CM0002	COMSEC	A component of cybersecurity to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material. It is imperative to utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
CM0031	Authentication	Authenticate all communication sessions (crosslink and ground stations) for all commands before establishing remote connections using bidirectional authentication that is cryptographically based. Adding authentication on the spacecraft bus and communications on-board the spacecraft is also recommended.
CM0073	Traffic Flow Analysis Defense	Utilizing techniques to assure traffic flow security and confidentiality to mitigate or defeat traffic analysis attacks or reduce the value of any indicators or adversary inferences. This may be a subset of COMSEC protections, but the techniques would be applied where required to links that carry TT&C and/or data transmissions (to include on-board the spacecraft) where applicable given value and attacker capability. Techniques may include but are not limited to methods to pad or otherwise obfuscate traffic volumes/duration and/or periodicity, concealment of routing information and/or endpoints, or methods to frustrate statistical analysis.
CM0036	Session Termination	Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity which is established via the concept of operations.
CM0005	Ground-based Countermeasures	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8401.ipd.pdf). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.
CM0034	Monitor Critical Telemetry Points	Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create a full space system situation awareness from a cybersecurity perspective.
CM0035	Protect Authenticators	Protect authenticator content from unauthorized disclosure and modification.
CM0070	Alternate Communications Paths	Establish alternate communications paths to reduce the risk of all communications paths being affected by the same incident.
CM0006	Cloaking Safe-mode	Attempt to cloak when in safe-mode and ensure that when the system enters safe-mode it does not disable critical security features. Ensure basic protections like encryption are still being used on the uplink/downlink to prevent eavesdropping.
CM0032	On-board Intrusion Detection & Prevention	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.
CM0042	Robust Fault Management	Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft.
CM0044	Cyber-safe Mode	Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable.
CM0068	Reinforcement Learning	Institute a reinforcement learning agent that will detect anomalous events and redirect processes to proceed by ignoring malicious data/input.
CM0043	Backdoor Commands	Ensure that all viable commands are known to the mission/spacecraft owner. Perform analysis of critical (backdoor/hardware) commands that could adversely affect mission success if used maliciously. Only use or include critical commands for the purpose of providing emergency access where commanding authority is appropriately restricted.
CM0045	Error Detection and Correcting Memory	Use Error Detection and Correcting (EDAC) memory and integrate EDAC scheme with fault management and cyber-protection mechanisms to respond to the detection of uncorrectable multi-bit errors, other than time-delayed monitoring of EDAC telemetry by the mission operators on the ground. The spacecraft should utilize the EDAC scheme to routinely check for bit errors in the stored data on board the spacecraft, correct the single-bit errors, and identify the memory addresses of data with uncorrectable multi-bit errors of at least order two, if not higher order in some cases.
CM0048	Resilient Position, Navigation, and Timing	If available, use an authentication mechanism that allows GNSS receivers to verify the authenticity of the GNSS information and of the entity transmitting it, to ensure that it comes from a trusted source. Have fault-tolerant authoritative time sourcing for the spacecraft's clock. The spacecraft should synchronize the internal system clocks for each processor to the authoritative time source when the time difference is greater than the FSW-defined interval. If Spacewire is utilized, then the spacecraft should adhere to mission-defined time synchronization standard/protocol to synchronize time across a Spacewire network with an accuracy around 1 microsecond.
CM0029	TRANSEC	Utilize TRANSEC in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. For example, jam-resistant waveforms can be utilized to improve the resistance of radio frequency signals to jamming and spoofing. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated.