Tapping of communications links (wireline, RF, network) resulting in loss of confidentiality; Traffic analysis to determine which entities are communicating with each other without being able to read the communicated information
| SPARTA ID | Requirement | Rationale/Additional Guidance/Notes |
|---|---|---|
| SPR-17 | The [spacecraft] shall protect the confidentiality and integrity of all information at rest using cryptography.{SV-CF-1,SV-CF-2,SV-AC-3}{AC-3,SA-8(19),SC-28,SC-28(1),SI-7(6)} | * The intent as written is for all transmitted traffic to be protected. This includes internal to internal communications and especially outside of the boundary. |
| SPR-20 | The [spacecraft] shall prevent use of a mode of operations where cryptography on the TT&C link can be disabled; encryption and authentication shall remain enabled even when automated access control mechanisms are overridden.{SV-AC-1,SV-CF-1,SV-CF-2}{AC-3(10),SA-8(18),SA-8(19),SC-16(2),SC-16(3),SC-40,SC-40(4)} | Emergency or override modes often become attack vectors if protections are weakened. Cryptography must remain enforced even during safe-mode or degraded operations. Removing encryption capability creates a single-point catastrophic exposure. Persistent protection ensures no operational shortcut undermines mission assurance. |
| SPR-31 | The [spacecraft] shall fail securely to a secondary device in the event of an operational failure of a primary boundary protection device (i.e., crypto solution).{SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2}{CP-13,SA-8(19),SA-8(24),SC-7(18),SI-13,SI-13(4)} | If a primary boundary protection device fails, the spacecraft must not revert to insecure operation. Secure failover ensures continuity of confidentiality and integrity protections. This prevents adversaries from inducing failure states to bypass encryption. Redundancy strengthens mission resilience. |
| SPR-40 | The [spacecraft] shall only use communication protocols that support encryption within the mission.{SV-AC-7,SV-CF-1,SV-CF-2}{SA-4(9),SA-8(18),SA-8(19),SC-40(4)} | Protocols lacking encryption create unavoidable exposure. Selecting encryption-capable protocols ensures confidentiality and integrity can be enforced mission-wide. This reduces risk from protocol downgrade attacks. |
| SPR-44 | The [spacecraft] shall maintain the confidentiality and integrity of information during preparation for transmission and during reception in accordance with [organization] provided encryption matrix.{SV-CF-1,SV-CF-2,SV-IT-2}{SA-8(19),SC-8,SC-8(1),SC-8(2),SC-8(3)} | * Preparation for transmission and during reception includes the aggregation, packing, and transformation options performed prior to transmission and the undoing of those operations that occur upon receipt. |
| SPR-52 | The [spacecraft] shall limit the generation and storage of sensitive/critical mission or system information. Generation shall be done on-demand where possible, and the information shall be deleted immediately when no longer needed.{SV-CF-3,SV-CF-1}{SI-21} | Reducing the amount and lifetime of sensitive data directly reduces attack surface and exfiltration risk. On-demand generation limits exposure windows and minimizes residual data available for compromise. Immediate deletion prevents recovery via memory scraping, shared resource reuse, or post-compromise forensic harvesting by an adversary. Data minimization is a foundational secure-by-design principle in resource-constrained spacecraft. |
| SPR-119 | The [spacecraft] shall implement cryptography for the indicated uses using the indicated protocols, algorithms, and mechanisms, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: [NSA- certified or approved cryptography for protection of classified information, FIPS-validated cryptography for the provision of hashing].{SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2,SV-AC-3}{IA-7,SC-13} | Use of NSA-certified or FIPS-validated cryptography ensures compliance with federal mandates and high-assurance algorithms. Standardized implementations reduce algorithmic weaknesses. Alignment with policy ensures interoperability and trustworthiness. Proper certification mitigates cryptographic implementation flaws. |
| SPR-163 | The [spacecraft] shall employ monitoring mechanisms to detect and respond to unauthorized or excessive use of external systems, safeguarding the organization's information and ensuring the integrity, confidentiality, and availability of its resources.Monitoring shall be performed on crosslink communications as well as space to ground communications (including direct to user tactical downlinks such as utilized in real-time imagery acquisition).{SV-AC-6,SV-DCO-1,SV-CF-1}{AC-20,AC-20(1)} | Monitoring detects anomalous bandwidth use, potential exfiltration, or misuse. Crosslinks are lateral movement pathways between spacecraft. Oversight protects enterprise integrity. Visibility supports coordinated response. |
| SPR-201 | The [spacecraft] shall monitor all inbound/outbound communications to detect unusual or unauthorized behavior and respond appropriately (disregard command, deny connection, etc.){SV-IT-1,SV-AC-2,SV-IT-2,SV-CF-1}{SI-4(4)} | Continuous traffic inspection detects unauthorized behavior. Both inbound and outbound flows may signal compromise. Real-time response reduces dwell time. Visibility across communication paths is essential in contested environments. |
| SPR-244 | The [organization] shall define the secure communication protocols to be used within the mission in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.{SV-AC-7,SV-CF-1}{PL-7,RA-5(4),SA-4(9),SA-8(18),SA-8(19),SC-8(1),SC-16(3),SC-40(4),SI-12} | Standardized secure protocols reduce interoperability risk. Alignment with federal standards ensures validated cryptography. Defined protocols prevent ad hoc insecure implementations. Governance strengthens communication assurance. |
| SPR-343 | The [organization] shall develop and document program-specific access control policies for controlling information flow and leakage on-board the spacecraft.{SV-AC-1,SV-CF-1,SV-CF-3}{AC-1,AC-3,AC-3(3),AC-3(4),AC-3(13)} | Access control policies must reflect mission architecture and threat environment. Formal documentation ensures consistent enforcement. Leakage prevention requires clear governance. Policy clarity supports compliance and auditing. |
| SPR-375 | The [organization] shall develop and document program-specific system and communications protection policies in accordance with CNSSP 12. {SV-AC-7,SV-CF-1,SV-AC-3}{SC-1} | Alignment with CNSSP 12 ensures compliance with national security requirements. Standardized communications protection strengthens cryptographic assurance. Program-specific tailoring ensures relevance. Policy integration strengthens governance. |
| SPR-462 | The [spacecraft] shall support delegation of temporary data storage to [organization]-authorized alternate nodes or spacecraft and shall preserve confidentiality, integrity, and access controls for the delegated data.{SV-CF-1,SV-CF-2,SV-AC-1}{CP-2(6),SC-28,AC-3} | Delegated storage or processing expands trust boundaries. Maintaining CIA protections during delegation prevents exposure. Secure federation supports constellation-based architectures. Controlled delegation strengthens distributed resilience. |
| SPR-488 | The [spacecraft] shall implement traffic flow security on uplink, downlink, and crosslink communications to conceal or randomize transmission timing, size, and observable patterns, using [organization]‑defined techniques such as padding or constant‑rate telemetry, randomized schedules, or filler traffic in accordance with the System TRANSEC Plan. The [spacecraft] shall ensure traffic flow security does not disable required authentication or encryption and shall coordinate implementation with TRANSEC and anti‑fingerprinting measures.{SV-CF-1,SV-CF-2}{SC-8(4),SC-40} | Concealing traffic patterns reduces adversary inference capability. Padding and scheduling obscure operational tempo. Coordination with TRANSEC ensures layered protection. Traffic flow security enhances confidentiality. |
| ID | Name | Description | |
|---|---|---|---|
| REC-0005 | Eavesdropping | Adversaries seek to passively (and sometimes semi-passively) capture mission communications across terrestrial networks and RF/optical links to reconstruct protocols, extract telemetry, and derive operational rhythms. On networks, packet captures, logs, and flow data from ground stations, mission control, and cloud backends can expose service boundaries, authentication patterns, and automation. In the RF domain, wideband recordings, spectrograms, and demodulation of TT&C and payload links, spanning VHF/UHF through S/L/X/Ka and, increasingly, optical, enable identification of modulation/coding, framing, and beacon structures. Even when links are encrypted, metadata such as carrier plans, symbol rates, polarization, and cadence can support traffic analysis, timing attacks, or selective interference. Community capture networks and open repositories amplify the reach of a modest adversary. | |
| REC-0005.01 | Uplink Intercept Eavesdropping | Uplink reconnaissance focuses on capturing the command path from ground to spacecraft to learn telecommand framing, authentication fields, timing, and anti-replay behavior. Valuable artifacts include emission designators, symbol rates, polarization sense, Doppler profiles, and any preambles or ranging tones that gate command acceptance. Even if payload and TT&C share spectrum, their authentication postures often differ, knowledge an adversary can exploit. Partial captures, console screenshots, or training recordings reduce the effort needed to build an SDR pipeline that “looks right” on the air. Where missions authenticate without encrypting the uplink, traffic analysis can reveal command cadence and maintenance windows. | |
| REC-0005.02 | Downlink Intercept | Downlink collection aims to harvest housekeeping telemetry, event logs, ephemerides, payload data, and operator annotations that reveal system state and procedures. Even when payload content is encrypted, ancillary channels (beacons, health/status, low-rate engineering downlink) can disclose mode transitions, battery and thermal margins, safing events, and next-pass predictions. Community ground networks and public dashboards may inadvertently provide stitched datasets that make trend analysis trivial. Captured framing and coding parameters also help an adversary build testbeds and refine timing for later actions. | |
| REC-0005.03 | Proximity Operations | In proximity scenarios, an adversary platform (or co-located payload) attempts to observe emissions and intra-vehicle traffic at close range, RF side-channels, optical/lasercom leakage, and, in extreme cases, electromagnetic emanations consistent with TEMPEST/EMSEC concerns. Physical proximity can expose harmonics, intermodulation products, local oscillators, and bus activity that are undetectable from the ground, enabling reconstruction of timing, command acceptance windows, or even limited protocol content. In hosted-payload or rideshare contexts, a poorly segregated data path may permit passive observation of TT&C gateways, crosslinks, or payload buses. | |
| REC-0005.04 | Active Scanning (RF/Optical) | Active scanning moves beyond passive collection: an adversary transmits or injects probes intended to elicit identifiable responses that reveal frequencies, protocols, or device behavior. Examples include stimulating auto-track or auto-reply beacons, provoking ranging responses, tickling access schemes (TDMA/FDMA bursts), or sending benign-looking frames to observe AGC, saturation, or error counters. Optical/lasercom analogs include alignment pings or modulation patterns that solicit acquisition messages. The objective is RF “banner grabbing”, learning enough to build compatible demod/decoder chains or to map control surfaces, without necessarily breaching authentication. Because scans can resemble normal acquisition attempts, they may blend into the noise floor of operations. | |
| REC-0007 | Monitor for Safe-Mode Indicators | Adversaries watch for telltale signs that the spacecraft has entered a safed or survival configuration, typically sun-pointing or torque-limited attitude, reduced payload activity, conservative power/thermal setpoints, and low-rate engineering downlink. Indicators include specific mode bits or beacon fields, changes in modulation/coding and cadence, distinctive event packets (e.g., wheel unload aborts, brownout recovery), elevated heater duty, altered load-shed states, and operator behaviors such as emergency DSN requests, longer ground passes, or public anomaly notices. This reconnaissance helps time later actions to coincide with periods of reduced bandwidth, altered monitoring, or maintenance command availability. It may also reveal how safing affects authentication (e.g., whether rapid-response paths or recovery consoles differ from nominal). | |
| EX-0011 | Exploit Reduced Protections During Safe-Mode | The adversary times on-board actions to the period when the vehicle is in safe-mode and operating with altered guardrails. In many designs, safe-mode enables contingency command dictionaries, activates alternate receivers or antennas, reduces data rates, and prioritizes survival behaviors (sun-pointing, thermal/power conservation). Authentication checks, anti-replay windows, rate/size limits, and interlocks may differ from nominal; counters can be reset, timetag screening relaxed, or maintenance procedures made available for recovery. Ground cadence also changes, longer passes, emergency scheduling, atypical station selection, creating predictable windows for interaction. Using knowledge of these patterns, an attacker issues maintenance-looking loads, recovery scripts, parameter edits, or boot/patch sequences that the spacecraft is primed to accept while safed. Because responses (telemetry beacons, acknowledgments, mode bits) resemble normal anomaly recovery, the first execution event blends with expected behavior, allowing unauthorized reconfiguration, software modification, or state manipulation to occur under the cover of fault response. | |
| EX-0015 | Side-Channel Attack | Adversaries extract secrets or steer execution by observing or perturbing physical byproducts of computation rather than the intended interfaces. Passive channels include timing, power draw, electromagnetic emissions, acoustic/optical leakage, and thermal patterns correlated with operations such as key use, counter updates, or parser activity. Active channels deliberately induce faults during runtime, e.g., voltage or clock glitches, electromagnetic/laser injection, or targeted radiation, to flip bits, skip checks, or bias intermediate values. On spacecraft, prime targets include crypto modules, SDR/FPGA pipelines, bootloaders, and bus controllers whose switching behavior or error handling reveals protocol state or key material. With sufficient samples, or with repeated fault attempts, statistical features emerge that reduce entropy of the sensitive variable under study; in effect, a successful fault campaign turns into information leakage comparable to a passive side channel. Collection vantage points range from on-orbit proximity (for EM/optical), to ATLO and ground test (for direct probing), to instrumented compromised hardware already in the signal path. | |
| EXF-0001 | Replay | The adversary re-sends previously valid commands or procedures to cause the spacecraft to transmit data again, then captures the resulting downlink. Typical targets are recorder playbacks, payload product dumps, housekeeping snapshots, or file directory listings. By aligning replays with geometry (e.g., when the satellite is in view of actor-controlled apertures) and with acceptance conditions (counters, timetags, mode), the attacker induces legitimate transmissions that appear routine to operators. Variants include selectively replaying index ranges to fetch only high-value intervals, reissuing subscription/telemetry-rate changes to increase data volume, or queueing playbacks that fire during later passes when interception is feasible. | |
| EXF-0002 | Side-Channel Exfiltration | Information is extracted not by reading files or decrypting frames but by observing physical or protocol byproducts of computation, power draw, electromagnetic emissions, timing, thermal signatures, or traffic patterns. Repeated measurements create distinctive fingerprints correlated with internal states (key use, table loads, parser branches, buffer occupancy). Matching those fingerprints to models or templates yields sensitive facts without direct access to the protected data. In space systems, vantage points span proximity assets (for EM/thermal), ground testing and ATLO (for direct probing), compromised on-board modules that can sample rails or sensors, and remote observation of link-layer timing behaviors. | |
| EXF-0002.01 | Power Analysis Attacks | The attacker infers secrets by measuring instantaneous power consumption of target devices, often crypto engines or controllers, and correlating traces with hypothesized internal operations. Simple power analysis (SPA) extracts structure (operation sequences, key-dependent branches); differential/correlation power analysis (DPA/CPA) uses many traces and statistics to recover key bits from tiny data-dependent variations. Practically, measurements may come from instrumented rails during I&T, from a compromised payload monitoring local supplies, or from co-located hardware that senses current/voltage fluctuations. With sufficient traces and alignment (triggering on command/crypto invocation), internal values become observable through their power signatures. | |
| EXF-0002.02 | Electromagnetic Leakage Attacks | Switching activity in chips, buses, and clocks radiates EM energy that can be captured and analyzed to reveal internal computation. Near-field probes (in test) or proximity receivers (on-orbit assets) can observe harmonics and modulation tied to cipher rounds, key schedules, or protocol framing, sometimes with finer granularity than power analysis. Coupling paths include packages, harnesses, SDR front ends, and poorly shielded enclosures. By training on known operations and comparing spectra or time-domain signatures, an adversary can recover keys or reconstruct processed data without touching logical interfaces. | |
| EXF-0002.03 | Traffic Analysis Attacks | In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow to gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of spacecraft node and the fact that the transceiver component of a spacecraft node consumes the most power. The spacecraft nodes in a constellation network limit the use of the transceiver to transmit or receive information either at a regulated time interval or only when an event has been detected. This generally results in an architecture comprising some aggregator spacecraft nodes within a constellation network. These spacecraft aggregator nodes are the sensor nodes whose primary purpose is to relay transmissions from nodes toward the ground station in an efficient manner, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target to side channel attacks. A possible side channel attack could be as simple as monitoring the occurrences and duration of computing activities at an aggregator node. If a node is frequently in active states (instead of idle states), there is high probability that the node is an aggregator node and also there is a high probability that the communication with the node is valid. Such leakage of information is highly undesirable because the leaked information could be strategically used by threat actors in the accumulation phase of an attack. | |
| EXF-0002.04 | Timing Attacks | Execution time varies with inputs and branches; precise measurement turns that variance into information. The attacker times acknowledgments, response latencies, or framing gaps to learn which code paths ran (e.g., MAC verified vs. failed, table entry present vs. absent) and to infer bits of secrets in timing-sensitive routines such as cryptographic checks. On resource-constrained processors and deterministic RTOSes, small differences persist across runs, making remote timing feasible over RF if clocks and propagation are accounted for. Combined with chosen inputs and statistics, these measurements leak internal state faster than brute-force cryptanalysis. | |
| EXF-0002.05 | Thermal Imaging attacks | Threat actors can leverage thermal imaging attacks (e.g., infrared images) to measure heat that is emitted as a means to exfiltrate information from spacecraft processors. Thermal attacks rely on temperature profiling using sensors to extract critical information from the chip(s). The availability of highly sensitive thermal sensors, infrared cameras, and techniques to calculate power consumption from temperature distribution [7] has enhanced the effectiveness of these attacks. As a result, side-channel attacks can be performed by using temperature data without measuring power pins of the chip. | |
| EXF-0003 | Signal Interception | The adversary captures mission traffic in transit, on ground networks or over the space link, so that payload products, housekeeping, and command/ack exchanges can be reconstructed offline. Vantage points include tapped ground LANs/WANs between MOC and stations, baseband interfaces (IF/IQ), RF/optical receptions within the antenna field of view, and crosslink monitors. Depending on protection, the haul ranges from plaintext frames to encrypted bitstreams whose headers, rates, and schedules still yield valuable context (APIDs, VCIDs, pass timing, file manifest cues). Intercepted sessions can guide later replay, cloning, or targeted downlink requests. | |
| EXF-0003.01 | Uplink Exfiltration | Here the target is command traffic from ground to space. By receiving or tapping the uplink path, the adversary collects telecommand frames, ranging/acquisition exchanges, and any file or table uploads. If confidentiality is weak or absent, opcode/argument content, dictionaries, and procedures become directly readable; even when encrypted, session structure, counters, and acceptance timing inform future command-link intrusion or replay. Captured material can reveal maintenance windows, contingency dictionaries, and authentication schemes that enable subsequent exploitation. | |
| EXF-0003.02 | Downlink Exfiltration | The attacker records spacecraft-to-ground traffic, real-time telemetry, recorder playbacks, payload products, and mirrored command sessions, to obtain mission data and health/state information. With sufficient signal quality and protocol knowledge, frames and packets are demodulated and extracted for offline use; where protection exists only on uplink or is inconsistently applied, downlink content may still be in clear. Downlinked command echoes, event logs, and file catalogs can expose internal activities and aid follow-on targeting while the primary objective remains data capture at scale. | |
| EXF-0004 | Out-of-Band Communications Link | Some missions field secondary links, separate frequencies and hardware, for limited, purpose-built functions (e.g., rekeying, emergency commanding, beacons, custodial crosslinks). Adversaries co-opt these channels as covert data paths: embedding content in maintenance messages, beacon fields, or low-rate housekeeping; initiating vendor/service modes that carry file fragments; or switching to contingency profiles that bypass normal routing and monitoring. Because these paths are distinct from the main TT&C and may be sparsely supervised, they provide discreet avenues to move data off the spacecraft or to external relays without altering the primary link’s traffic patterns. | |
| EXF-0005 | Proximity Operations | A nearby vehicle serves as the collection platform for unintended emissions and other proximate signals, effectively a mobile TEMPEST/EMSEC sensor. From close range, the adversary measures near-field RF, conducted/structure-borne emissions, optical/IR signatures, or leaked crosslink traffic correlated with on-board activity, then decodes or models those signals to recover information (keys, tables, procedure execution, payload content). Proximity also enables directional gain and repeated sampling passes, turning weak side channels into usable exfiltration without engaging the victim’s logical interfaces. | |
| IMP-0006 | Theft | Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely. | |
| ID | Name | Description | NIST Rev5 | D3FEND | ISO 27001 | |
|---|---|---|---|---|---|---|
| CM0002 | COMSEC | A component of cybersecurity to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material. It is imperative to utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters. | AC-17 AC-17(1) AC-17(10) AC-17(2) AC-18 AC-18(1) AC-2(11) AC-3(10) CA-3 IA-4(9) IA-5 IA-5(7) IA-7 PL-8 PL-8(1) SA-8(18) SA-8(19) SA-9(6) SC-10 SC-12 SC-12(1) SC-12(2) SC-12(3) SC-12(6) SC-13 SC-16(3) SC-28(1) SC-28(3) SC-7 SC-7(10) SC-7(11) SC-7(18) SC-7(5) SC-8(1) SC-8(3) SI-10 SI-10(3) SI-10(5) SI-10(6) SI-19(4) SI-3(8) | D3-ET D3-MH D3-MAN D3-MENCR D3-NTF D3-ITF D3-OTF D3-CH D3-DTP D3-NTA D3-CAA D3-DNSTA D3-IPCTA D3-NTCD D3-RTSD D3-PHDURA D3-PMAD D3-CSPP D3-MA D3-SMRA D3-SRA | A.5.14 A.6.7 A.8.1 A.8.16 A.5.14 A.8.1 A.8.20 A.5.14 A.8.21 A.5.16 A.5.17 A.5.8 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 A.8.12 A.5.33 A.8.20 A.8.24 A.8.24 A.8.26 A.5.31 A.5.33 A.8.11 | |
| CM0030 | Crypto Key Management | Leverage best practices for crypto key management as defined by organization like NIST or the National Security Agency. Leverage only approved cryptographic algorithms, cryptographic key generation algorithms or key distribution techniques, authentication techniques, or evaluation criteria. Encryption key handling should be performed outside of the onboard software and protected using cryptography. Encryption keys should be restricted so that they cannot be read via any telecommands. | CM-3(6) PL-8 PL-8(1) SA-3 SA-4(5) SA-8 SA-9(6) SC-12 SC-12(1) SC-12(2) SC-12(3) SC-12(6) SC-28(3) SC-8(1) | D3-CH D3-CP | A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 A.5.33 A.8.24 | |
| CM0031 | Authentication | Authenticate all communication sessions (crosslink and ground stations) for all commands before establishing remote connections using bidirectional authentication that is cryptographically based. Adding authentication on the spacecraft bus and communications on-board the spacecraft is also recommended. | AC-14 AC-17 AC-17(10) AC-17(2) AC-18 AC-18(1) IA-2 IA-3(1) IA-4 IA-4(9) IA-7 IA-9 PL-8 PL-8(1) SA-3 SA-4(5) SA-8 SA-8(15) SA-8(9) SC-16 SC-16(1) SC-16(2) SC-32(1) SC-7(11) SC-8(1) SI-14(3) SI-7(6) | D3-MH D3-MAN D3-CH D3-BAN D3-MFA D3-TAAN D3-CBAN | A.5.14 A.6.7 A.8.1 A.5.14 A.8.1 A.8.20 A.5.16 A.5.16 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 A.5.33 | |
| CM0033 | Relay Protection | Implement relay and replay-resistant authentication mechanisms for establishing a remote connection or connections on the spacecraft bus. | AC-17(10) IA-2(8) IA-3 IA-3(1) IA-4 IA-7 SC-13 SC-16(1) SC-23 SC-23(1) SC-23(3) SC-7 SC-7(11) SC-7(18) SI-10 SI-10(5) SI-10(6) SI-3(8) | D3-ITF D3-NTA D3-OTF | A.5.16 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 A.8.24 A.8.26 A.5.31 | |
| CM0073 | Traffic Flow Analysis Defense | Utilizing techniques to assure traffic flow security and confidentiality to mitigate or defeat traffic analysis attacks or reduce the value of any indicators or adversary inferences. This may be a subset of COMSEC protections, but the techniques would be applied where required to links that carry TT&C and/or data transmissions (to include on-board the spacecraft) where applicable given value and attacker capability. Techniques may include but are not limited to methods to pad or otherwise obfuscate traffic volumes/duration and/or periodicity, concealment of routing information and/or endpoints, or methods to frustrate statistical analysis. | SC-8 SI-4(15) | D3-NTA D3-ANAA D3-RPA D3-NTCD | A.5.10 A.5.14 A.8.20 A.8.26 | |
| CM0003 | TEMPEST | The spacecraft should protect system components, associated data communications, and communication buses in accordance with TEMPEST controls to prevent side channel / proximity attacks. Encompass the spacecraft critical components with a casing/shielding so as to prevent access to the individual critical components. | PE-19 PE-19(1) PE-21 SC-8(3) | D3-PH D3-RFS | A.7.5 A.7.8 A.8.12 | |
| CM0036 | Session Termination | Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity which is established via the concept of operations. | AC-12 AC-12(2) SC-10 SI-14(3) SI-4(7) | D3-SDA | A.8.20 | |
| CM0055 | Secure Command Mode(s) | Provide additional protection modes for commanding the spacecraft. These can be where the spacecraft will restrict command lock based on geographic location of ground stations, special operational modes within the flight software, or even temporal controls where the spacecraft will only accept commands during certain times. | AC-17(1) AC-17(10) AC-2(11) AC-2(12) AC-3 AC-3(2) AC-3(3) AC-3(4) AC-3(8) CA-3(7) IA-10 PL-8 PL-8(1) SA-3 SA-8 SC-7 SI-3(8) | D3-AH D3-ACH D3-MFA D3-OTP | A.8.16 A.5.15 A.5.33 A.8.3 A.8.4 A.8.18 A.8.20 A.8.2 A.8.16 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 | |
| CM0005 | Ground-based Countermeasures | This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://csrc.nist.gov/pubs/ir/8401/final). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks. | AC-1 AC-10 AC-11 AC-11(1) AC-12 AC-12(1) AC-14 AC-16 AC-16(6) AC-17 AC-17(1) AC-17(10) AC-17(2) AC-17(3) AC-17(4) AC-17(6) AC-17(9) AC-18 AC-18(1) AC-18(3) AC-18(4) AC-18(5) AC-19 AC-19(5) AC-2 AC-2(1) AC-2(11) AC-2(12) AC-2(13) AC-2(2) AC-2(3) AC-2(9) AC-20 AC-20(1) AC-20(2) AC-20(3) AC-20(5) AC-21 AC-22 AC-3 AC-3(11) AC-3(13) AC-3(15) AC-3(4) AC-4 AC-4(23) AC-4(24) AC-4(25) AC-4(26) AC-4(31) AC-4(32) AC-6 AC-6(1) AC-6(10) AC-6(2) AC-6(3) AC-6(5) AC-6(8) AC-6(9) AC-7 AC-8 AT-2(4) AT-2(5) AT-2(6) AT-3 AT-3(2) AT-4 AU-10 AU-11 AU-12 AU-12(1) AU-12(3) AU-14 AU-14(1) AU-14(3) AU-2 AU-3 AU-3(1) AU-4 AU-4(1) AU-5 AU-5(1) AU-5(2) AU-5(5) AU-6 AU-6(1) AU-6(3) AU-6(4) AU-6(5) AU-6(6) AU-7 AU-7(1) AU-8 AU-9 AU-9(2) AU-9(3) AU-9(4) CA-3 CA-3(6) CA-3(7) CA-7 CA-7(1) CA-7(6) CA-8 CA-8(1) CA-9 CM-10(1) CM-11 CM-11(2) CM-11(3) CM-12 CM-12(1) CM-14 CM-2 CM-2(2) CM-2(3) CM-2(7) CM-3 CM-3(1) CM-3(2) CM-3(4) CM-3(5) CM-3(6) CM-3(7) CM-3(8) CM-4 CM-5(1) CM-5(5) CM-6 CM-6(1) CM-6(2) CM-7 CM-7(1) CM-7(2) CM-7(3) CM-7(5) CM-7(8) CM-7(9) CM-8 CM-8(1) CM-8(2) CM-8(3) CM-8(4) CM-9 CP-10 CP-10(2) CP-10(4) CP-2 CP-2(2) CP-2(5) CP-2(8) CP-3(1) CP-4(1) CP-4(2) CP-4(5) CP-8 CP-8(1) CP-8(2) CP-8(3) CP-8(4) CP-8(5) CP-9 CP-9(1) CP-9(2) CP-9(3) IA-11 IA-12 IA-12(1) IA-12(2) IA-12(3) IA-12(4) IA-12(5) IA-12(6) IA-2 IA-2(1) IA-2(12) IA-2(2) IA-2(5) IA-2(6) IA-2(8) IA-3 IA-3(1) IA-4 IA-4(9) IA-5 IA-5(1) IA-5(13) IA-5(14) IA-5(2) IA-5(7) IA-5(8) IA-6 IA-7 IA-8 IR-2 IR-2(2) IR-2(3) IR-3 IR-3(1) IR-3(2) IR-3(3) IR-4 IR-4(1) IR-4(10) IR-4(11) IR-4(12) IR-4(13) IR-4(14) IR-4(3) IR-4(4) IR-4(5) IR-4(6) IR-4(7) IR-4(8) IR-5 IR-5(1) IR-6 IR-6(1) IR-6(2) IR-7 IR-7(1) IR-8 MA-2 MA-3 MA-3(1) MA-3(2) MA-3(3) MA-4 MA-4(1) MA-4(3) MA-4(6) MA-4(7) MA-5(1) MA-6 MA-7 MP-2 MP-3 MP-4 MP-5 MP-6 MP-6(3) MP-7 PE-3(7) PL-10 PL-11 PL-8 PL-8(1) PL-8(2) PL-9 PM-11 PM-16(1) PM-17 PM-30 PM-30(1) PM-31 PM-32 RA-10 RA-3(1) RA-3(2) RA-3(3) RA-3(4) RA-5 RA-5(10) RA-5(11) RA-5(2) RA-5(4) RA-5(5) RA-7 RA-9 SA-10 SA-10(1) SA-10(2) SA-10(7) SA-11 SA-11(2) SA-11(4) SA-11(7) SA-11(9) SA-15 SA-15(3) SA-15(7) SA-17 SA-2 SA-22 SA-3 SA-3(1) SA-3(2) SA-4 SA-4(1) SA-4(10) SA-4(12) SA-4(2) SA-4(3) SA-4(5) SA-4(7) SA-4(9) SA-5 SA-8 SA-8(14) SA-8(15) SA-8(18) SA-8(21) SA-8(22) SA-8(23) SA-8(24) SA-8(29) SA-8(9) SA-9 SA-9(1) SA-9(2) SA-9(6) SA-9(7) SC-10 SC-12 SC-12(1) SC-12(6) SC-13 SC-15 SC-16(2) SC-16(3) SC-18(1) SC-18(2) SC-18(3) SC-18(4) SC-2 SC-2(2) SC-20 SC-21 SC-22 SC-23 SC-23(1) SC-23(3) SC-23(5) SC-24 SC-28 SC-28(1) SC-28(3) SC-3 SC-38 SC-39 SC-4 SC-45 SC-45(1) SC-45(2) SC-49 SC-5 SC-5(1) SC-5(2) SC-5(3) SC-50 SC-51 SC-7 SC-7(10) SC-7(11) SC-7(12) SC-7(13) SC-7(14) SC-7(18) SC-7(21) SC-7(25) SC-7(29) SC-7(3) SC-7(4) SC-7(5) SC-7(7) SC-7(8) SC-7(9) SC-8 SC-8(1) SC-8(2) SC-8(5) SI-10 SI-10(3) SI-10(6) SI-11 SI-12 SI-14(3) SI-16 SI-19(4) SI-2 SI-2(2) SI-2(3) SI-2(6) SI-21 SI-3 SI-3(10) SI-4 SI-4(1) SI-4(10) SI-4(11) SI-4(12) SI-4(13) SI-4(14) SI-4(15) SI-4(16) SI-4(17) SI-4(2) SI-4(20) SI-4(22) SI-4(23) SI-4(24) SI-4(25) SI-4(4) SI-4(5) SI-5 SI-5(1) SI-6 SI-7 SI-7(1) SI-7(17) SI-7(2) SI-7(5) SI-7(7) SI-7(8) SR-1 SR-10 SR-11 SR-11(1) SR-11(2) SR-11(3) SR-12 SR-2 SR-2(1) SR-3 SR-3(1) SR-3(2) SR-3(3) SR-4 SR-4(1) SR-4(2) SR-4(3) SR-4(4) SR-5 SR-5(1) SR-5(2) SR-6 SR-6(1) SR-7 SR-8 SR-9 SR-9(1) | Nearly all D3FEND Techniques apply to Ground | 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.15 A.5.31 A.5.36 A.5.37 A.5.16 A.5.18 A.8.2 A.8.16 A.5.15 A.5.33 A.8.3 A.8.4 A.8.18 A.8.20 A.8.2 A.8.4 A.5.14 A.8.22 A.8.23 A.8.11 A.8.10 A.5.15 A.8.2 A.8.18 A.8.5 A.8.5 A.7.7 A.8.1 A.5.14 A.6.7 A.8.1 A.8.16 A.5.14 A.8.1 A.8.20 A.5.14 A.7.9 A.8.1 A.5.14 A.7.9 A.8.20 A.6.3 A.8.15 A.8.15 A.8.6 A.5.25 A.6.8 A.8.15 A.7.4 A.8.17 A.5.33 A.8.15 A.5.28 A.8.15 A.8.15 A.8.15 A.5.14 A.8.21 9.1 9.3.2 9.3.3 A.5.36 9.2.2 A.8.9 A.8.9 8.1 9.3.3 A.8.9 A.8.32 A.8.9 A.8.9 A.8.9 A.8.9 A.8.19 A.8.19 A.5.9 A.8.9 A.5.2 A.8.9 A.8.19 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.8.6 A.5.30 A.5.30 A.5.29 A.7.11 A.5.29 A.5.33 A.8.13 A.5.29 A.5.16 A.5.16 A.5.16 A.5.17 A.8.5 A.5.16 A.6.3 A.5.25 A.5.26 A.5.27 A.8.16 A.5.5 A.6.8 7.5.1 7.5.2 7.5.3 A.5.24 A.7.10 A.7.13 A.8.10 A.8.10 A.8.16 A.8.10 A.7.13 A.5.10 A.7.7 A.7.10 A.5.13 A.5.10 A.7.7 A.7.10 A.8.10 A.5.10 A.7.9 A.7.10 A.5.10 A.7.10 A.7.14 A.8.10 A.5.10 A.7.10 A.5.8 A.5.7 4.4 6.2 7.5.1 7.5.2 7.5.3 10.2 4.4 6.2 7.4 7.5.1 7.5.2 7.5.3 9.1 9.2.2 10.1 10.2 A.8.8 6.1.3 8.3 10.2 A.5.22 A.5.7 A.5.2 A.5.8 A.8.25 A.8.31 A.8.33 8.1 A.5.8 A.5.20 A.5.23 A.8.29 A.8.30 A.8.28 7.5.1 7.5.2 7.5.3 A.5.37 A.8.27 A.8.28 A.5.2 A.5.4 A.5.8 A.5.14 A.5.22 A.5.23 A.8.21 A.8.9 A.8.28 A.8.30 A.8.32 A.8.29 A.8.30 A.5.8 A.8.25 A.8.25 A.8.27 A.8.6 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 A.8.23 A.8.12 A.5.10 A.5.14 A.8.20 A.8.26 A.5.33 A.8.20 A.8.24 A.8.24 A.8.26 A.5.31 A.5.14 A.5.10 A.5.33 A.6.8 A.8.8 A.8.32 A.8.7 A.8.16 A.8.16 A.8.16 A.8.16 A.5.6 A.8.11 A.8.10 5.2 5.3 7.5.1 7.5.2 7.5.3 A.5.1 A.5.2 A.5.4 A.5.19 A.5.31 A.5.36 A.5.37 A.5.19 A.5.20 A.5.21 A.8.30 A.5.20 A.5.21 A.5.21 A.8.30 A.5.20 A.5.21 A.5.23 A.8.29 A.5.22 A.5.22 | |
| CM0034 | Monitor Critical Telemetry Points | Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create a full space system situation awareness from a cybersecurity perspective. | AC-17(1) AU-3(1) CA-7(6) IR-4(14) PL-8 PL-8(1) SA-8(13) SC-16 SC-16(1) SC-7 SI-3(8) SI-4(7) | D3-NTA D3-PM D3-PMAD D3-RTSD | A.8.16 A.5.8 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 | |
| CM0035 | Protect Authenticators | Protect authenticator content from unauthorized disclosure and modification. | AC-17(6) AC-3(11) CM-3(6) IA-4(9) IA-5 IA-5(6) PL-8 PL-8(1) SA-3 SA-4(5) SA-8 SA-8(13) SA-8(19) SC-16 SC-16(1) SC-8(1) | D3-CE D3-ANCI D3-CA D3-ACA D3-PCA D3-CRO D3-CTS D3-SPP | A.8.4 A.5.16 A.5.17 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 A.5.33 | |
| CM0042 | Robust Fault Management | Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft. | CP-2 CP-4(5) IR-3 IR-3(1) IR-3(2) PE-10 PE-11 PE-11(1) PE-14 PL-8 PL-8(1) SA-3 SA-4(5) SA-8 SA-8(13) SA-8(24) SA-8(26) SA-8(3) SA-8(30) SA-8(4) SC-16(2) SC-24 SC-5 SI-13 SI-13(4) SI-17 SI-4(13) SI-4(7) SI-7(5) | D3-AH D3-EHPV D3-PSEP D3-PH D3-SCP | 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.7.11 A.7.11 A.7.5 A.7.8 A.7.11 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 A.8.16 | |
| CM0044 | Cyber-safe Mode | Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable. | CP-10 CP-10(4) CP-12 CP-2 CP-2(5) IR-3 IR-3(1) IR-3(2) IR-4 IR-4(12) IR-4(3) PE-10 PE10 PL-8 PL-8(1) SA-3 SA-8 SA-8(10) SA-8(12) SA-8(13) SA-8(19) SA-8(21) SA-8(23) SA-8(24) SA-8(26) SA-8(3) SA-8(4) SC-16(2) SC-24 SC-5 SI-11 SI-17 SI-4(7) SI-7(17) SI-7(5) | D3-PH D3-EI D3-NI D3-BA | 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.5.29 A.5.25 A.5.26 A.5.27 A.7.11 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 | |
| CM0057 | Tamper Resistant Body | Using a tamper resistant body can increase the one-time cost of the sensor node but will allow the node to conserve the power usage when compared with other countermeasures. | PE-19 PE-19(1) PL-8 PL-8(1) SA-3 SA-4(5) SA-4(9) SA-8 SC-51 | D3-PH D3-RFS | A.7.5 A.7.8 A.8.12 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 | |
| CM0029 | TRANSEC | Utilize TRANSEC in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. For example, jam-resistant waveforms can be utilized to improve the resistance of radio frequency signals to jamming and spoofing. Note: TRANSEC is that field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated. | AC-17 AC-18 AC-18(5) CA-3 CP-8 PL-8 PL-8(1) SA-8(19) SC-16 SC-16(1) SC-40 SC-40(1) SC-40(3) SC-40(4) SC-5 SC-8(1) SC-8(3) SC-8(4) | D3-MH D3-MAN D3-MENCR D3-NTA D3-DNSTA D3-ISVA D3-NTCD D3-RTA D3-PMAD D3-FC D3-CSPP D3-ANAA D3-RPA D3-IPCTA D3-NTCD D3-NTPM D3-TAAN | A.5.14 A.6.7 A.8.1 A.5.14 A.8.1 A.8.20 A.5.14 A.8.21 A.5.29 A.7.11 A.5.8 A.5.33 | |