Threats by DiD Layer

Space

Data

Compromise Cryptographic Mechanism

Eavesdropping

Data Modification/Corruption

Propulsion EMI

S/C Software

Scheduling Table Attack

Time Synchronized Execution

Critical Subsystem Attack

FSW Code Exploitation

Malicious Software

3rd Party Software

On-Orbit Software Update

SBC

Proximity Operations

Exploit Lack of Bus Segregation

Malicious Use Of Hardware Commands

Timing Disruption

Watchdog Timer Attack

Clock Synchronization Attack

Boot Memory Compromise

Single Event Upset

Power Drain

Software Defined Radio

Operating System Attack

IDS/IPS

Fault Management Exploitation

Compromise/Corrupt Running State

Undetected Attack

Cyber Incident Recovery

Crypto

Unauthorized Access

Replay

Tapping of Communications Link

Safe Mode Inidications

Spoofing

Comms Link

Weak Communication Protocols

Jamming

Ground

Compromise Ground System

Prevention

Masquerading/Insider Threat

TT&C Hardware Failure

Critical Design Details Leaked

Space Debris

Unidentified/Exposed Critical Assets

Inadequate Security Planning/Design

Development Environment Compromise

Insufficient Testing

Supply Chain Attack

ASIC/FPGA Compromise

Ground

Data

Automated Collection

Cloud Storage Object Discovery

Data Destruction

Data Encrypted for Impact

Data Manipulation

Data Manipulation: Runtime Data Manipulation

Data Manipulation: Stored Data Manipulation

Data from Cloud Storage Object

Data from Information Repositories: Code Repositories

Data from Information Repositories: Confluence

Data from Information Repositories: Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Defacement

Defacement: External Defacement

Disk Wipe

Disk Wipe: Disk Content Wipe

Disk Wipe: Disk Structure Wipe

Dynamic Resolution: Fast Flux DNS

Email Collection

Email Collection: Local Email Collection

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service

File and Directory Discovery

File and Directory Permissions Modification

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Group Policy Discovery

Permission Groups Discovery

Ground Software

Compromise Client Software Binary

Exploit Public-Facing Application

Exploitation for Credential Access

Exploitation for Defense Evasion

Exploitation for Privilege Escalation

Exploitation of Remote Services

Forge Web Credentials: Web Cookies

Masquerading: Invalid Code Signature

Steal Web Session Cookie

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Template Injection

XSL Script Processing

Endpoint

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Access Token Manipulation

Access Token Manipulation: Create Process with Token

Access Token Manipulation: Make and Impersonate Token

Access Token Manipulation: Parent PID Spoofing

Access Token Manipulation: SID-History Injection

Access Token Manipulation: Token Impersonation/Theft

Account Access Removal

Account Discovery

Account Discovery: Cloud Account

Account Discovery: Domain Account

Account Discovery: Email Account

Account Discovery: Local Account

Account Manipulation

Account Manipulation: Additional Cloud Credentials

Account Manipulation: Additional Cloud Roles

Account Manipulation: Additional Email Delegate Permissions

Account Manipulation: Device Registration

Account Manipulation: SSH Authorized Keys

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Custom Method

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Utility

Audio Capture

Automated Exfiltration

BITS Jobs

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Active Setup

Boot or Logon Autostart Execution: Authentication Package

Boot or Logon Autostart Execution: Kernel Modules and Extensions

Boot or Logon Autostart Execution: LSASS Driver

Boot or Logon Autostart Execution: Login Items

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Print Processors

Boot or Logon Autostart Execution: Re-opened Applications

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Time Providers

Boot or Logon Autostart Execution: Winlogon Helper DLL

Boot or Logon Autostart Execution: XDG Autostart Entries

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts: Login Hook

Boot or Logon Initialization Scripts: Logon Script (Windows)

Boot or Logon Initialization Scripts: Network Logon Script

Boot or Logon Initialization Scripts: RC Scripts

Boot or Logon Initialization Scripts: Startup Items

Browser Bookmark Discovery

Browser Extensions

Browser Session Hijacking

Brute Force

Brute Force: Credential Stuffing

Brute Force: Password Guessing

Brute Force: Password Spraying

Build Image on Host

Clipboard Data

Command and Scripting Interpreter

Command and Scripting Interpreter: AppleScript

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Communication Through Removable Media

Container Administration Command

Create Account

Create Account: Domain Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Create or Modify System Process: Launch Daemon

Create or Modify System Process: Systemd Service

Create or Modify System Process: Windows Service

Credentials from Password Stores

Credentials from Password Stores: Credentials from Web Browsers

Credentials from Password Stores: Keychain

Credentials from Password Stores: Password Managers

Credentials from Password Stores: Securityd Memory

Credentials from Password Stores: Windows Credential Manager

Data Staged

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Domain Policy Modification: Domain Trust Modification

Domain Policy Modification: Group Policy Modification

Domain Trust Discovery

Dynamic Resolution

Endpoint Denial of Service

Endpoint Denial of Service: Application Exhaustion Flood

Endpoint Denial of Service: Application or System Exploitation

Endpoint Denial of Service: OS Exhaustion Flood

Endpoint Denial of Service: Service Exhaustion Flood

Escape to Host

Event Triggered Execution

Event Triggered Execution: Accessibility Features

Event Triggered Execution: AppCert DLLs

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Application Shimming

Event Triggered Execution: Change Default File Association

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Emond

Event Triggered Execution: Image File Execution Options Injection

Event Triggered Execution: LC_LOAD_DYLIB Addition

Event Triggered Execution: Netsh Helper DLL

Event Triggered Execution: PowerShell Profile

Event Triggered Execution: Screensaver

Event Triggered Execution: Trap

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Execution Guardrails

Execution Guardrails: Environmental Keying

Exfiltration Over Other Network Medium

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Exploitation for Client Execution

Firmware Corruption

Forced Authentication

Gather Victim Host Information

Gather Victim Host Information: Client Configurations

Gather Victim Host Information: Firmware

Gather Victim Host Information: Hardware

Gather Victim Host Information: Software

Hide Artifacts

Hide Artifacts: Email Hiding Rules

Hide Artifacts: Hidden File System

Hide Artifacts: Hidden Files and Directories

Hide Artifacts: Hidden Users

Hide Artifacts: Hidden Window

Hide Artifacts: NTFS File Attributes

Hide Artifacts: Process Argument Spoofing

Hide Artifacts: Resource Forking

Hide Artifacts: Run Virtual Instance

Hide Artifacts: VBA Stomping

Hijack Execution Flow

Hijack Execution Flow: COR_PROFILER

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Hijack Execution Flow: Dylib Hijacking

Hijack Execution Flow: Dynamic Linker Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Hijack Execution Flow: KernelCallbackTable

Hijack Execution Flow: Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by Search Order Hijacking

Hijack Execution Flow: Path Interception by Unquoted Path

Hijack Execution Flow: Services File Permissions Weakness

Hijack Execution Flow: Services Registry Permissions Weakness

Impair Defenses

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable or Modify Tools

Impair Defenses: Downgrade Attack

Impair Defenses: Impair Command History Logging

Impair Defenses: Safe Mode Boot

Implant Internal Image

Indicator Removal on Host

Indicator Removal on Host: Clear Command History

Indicator Removal on Host: Clear Linux or Mac System Logs

Indicator Removal on Host: Clear Windows Event Logs

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Indicator Removal on Host: Timestomp

Indirect Command Execution

Inhibit System Recovery

Input Capture

Input Capture: Credential API Hooking

Input Capture: GUI Input Capture

Input Capture: Keylogging

Input Capture: Web Portal Capture

Inter-Process Communication

Inter-Process Communication: Component Object Model

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: XPC Services

Masquerading

Masquerading: Double File Extension

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

Masquerading: Right-to-Left Override

Masquerading: Space after Filename

Modify Authentication Process

Modify Authentication Process: Domain Controller Authentication

Modify Authentication Process: Network Device Authentication

Modify Authentication Process: Password Filter DLL

Modify Authentication Process: Pluggable Authentication Modules

Modify Authentication Process: Reversible Encryption

Modify Registry

Multi-Factor Authentication Interception

Native API

Network Service Discovery

Network Share Discovery

OS Credential Dumping

OS Credential Dumping: /etc/passwd and /etc/shadow

OS Credential Dumping: Cached Domain Credentials

OS Credential Dumping: DCSync

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: NTDS

OS Credential Dumping: Proc Filesystem

OS Credential Dumping: Security Account Manager

Obfuscated Files or Information

Obfuscated Files or Information: Binary Padding

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Obfuscated Files or Information: Software Packing

Obfuscated Files or Information: Steganography

Office Application Startup

Office Application Startup: Add-ins

Office Application Startup: Office Template Macros

Office Application Startup: Office Test

Office Application Startup: Outlook Forms

Office Application Startup: Outlook Home Page

Office Application Startup: Outlook Rules

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery: Domain Groups

Permission Groups Discovery: Local Groups

Plist File Modification

Pre-OS Boot

Pre-OS Boot: Bootkit

Pre-OS Boot: Component Firmware

Pre-OS Boot: ROMMONkit

Pre-OS Boot: System Firmware

Process Discovery

Process Injection

Process Injection: Asynchronous Procedure Call

Process Injection: Dynamic-link Library Injection

Process Injection: Extra Window Memory Injection

Process Injection: ListPlanting

Process Injection: Portable Executable Injection

Process Injection: Proc Memory

Process Injection: Process Doppelgänging

Process Injection: Process Hollowing

Process Injection: Ptrace System Calls

Process Injection: Thread Execution Hijacking

Process Injection: Thread Local Storage

Process Injection: VDSO Hijacking

Query Registry

Reflective Code Loading

Remote Service Session Hijacking

Remote Service Session Hijacking: RDP Hijacking

Remote Services: Distributed Component Object Model

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH

Remote Services: Windows Remote Management

Remote System Discovery

Resource Hijacking

Rootkit

Scheduled Task/Job

Scheduled Task/Job: At

Scheduled Task/Job: Container Orchestration Job

Scheduled Task/Job: Cron

Scheduled Task/Job: Scheduled Task

Scheduled Task/Job: Systemd Timers

Screen Capture

Server Software Component

Server Software Component: IIS Components

Server Software Component: SQL Stored Procedures

Server Software Component: Terminal Services DLL

Server Software Component: Transport Agent

Server Software Component: Web Shell

Service Stop

Shared Modules

Software Discovery

Software Discovery: Security Software Discovery

Stage Capabilities: Install Digital Certificate

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: AS-REP Roasting

Steal or Forge Kerberos Tickets: Golden Ticket

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: Silver Ticket

Subvert Trust Controls

Subvert Trust Controls: Code Signing

Subvert Trust Controls: Code Signing Policy Modification

Subvert Trust Controls: Gatekeeper Bypass

Subvert Trust Controls: Install Root Certificate

Subvert Trust Controls: SIP and Trust Provider Hijacking

System Binary Proxy Execution

System Binary Proxy Execution: CMSTP

System Binary Proxy Execution: Compiled HTML File

System Binary Proxy Execution: Control Panel

System Binary Proxy Execution: InstallUtil

System Binary Proxy Execution: MMC

System Binary Proxy Execution: Mavinject

System Binary Proxy Execution: Mshta

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Odbcconf

System Binary Proxy Execution: Regsvcs/Regasm

System Binary Proxy Execution: Regsvr32

System Binary Proxy Execution: Rundll32

System Binary Proxy Execution: Verclsid

System Information Discovery

System Location Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Script Proxy Execution

System Script Proxy Execution: PubPrn

System Service Discovery

System Services

System Services: Launchctl

System Services: Service Execution

System Shutdown/Reboot

System Time Discovery

Taint Shared Content

Traffic Signaling: Port Knocking

Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution: MSBuild

Unsecured Credentials

Unsecured Credentials: Bash History

Unsecured Credentials: Credentials In Files

Unsecured Credentials: Group Policy Preferences

Unsecured Credentials: Private Keys

User Execution

User Execution: Malicious File

User Execution: Malicious Image

Valid Accounts

Valid Accounts: Default Accounts

Valid Accounts: Local Accounts

Video Capture

Virtualization/Sandbox Evasion

Virtualization/Sandbox Evasion: System Checks

Virtualization/Sandbox Evasion: Time Based Evasion

Virtualization/Sandbox Evasion: User Activity Based Checks

Windows Management Instrumentation

Network

Adversary-in-the-Middle

Adversary-in-the-Middle: ARP Cache Poisoning

Adversary-in-the-Middle: DHCP Spoofing

Command and Scripting Interpreter: Network Device CLI

Data from Configuration Repository

Data from Configuration Repository: Network Device Configuration Dump

Data from Configuration Repository: SNMP (MIB Dump)

Lateral Tool Transfer

Modify System Image

Modify System Image: Downgrade System Image

Modify System Image: Patch System Image

Network Boundary Bridging

Network Boundary Bridging: Network Address Translation Traversal

Network Denial of Service

Network Denial of Service: Direct Network Flood

Network Denial of Service: Reflection Amplification

Network Sniffing

Non-Application Layer Protocol

Pre-OS Boot: TFTP Boot

Protocol Tunneling

Proxy

Remote Services: VNC

Traffic Signaling

Transfer Data to Cloud Account

Trusted Relationship

Weaken Encryption

Weaken Encryption: Disable Crypto Hardware

Weaken Encryption: Reduce Key Space

CND/IR

Active Scanning

Active Scanning: Scanning IP Blocks

Active Scanning: Vulnerability Scanning

Active Scanning: Wordlist Scanning

Application Layer Protocol

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Mail Protocols

Application Layer Protocol: Web Protocols

Automated Exfiltration: Traffic Duplication

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Container and Resource Discovery

Create Account: Cloud Account

Data Encoding

Data Encoding: Non-Standard Encoding

Data Encoding: Standard Encoding

Data Manipulation: Transmitted Data Manipulation

Data Obfuscation

Data Obfuscation: Junk Data

Data Obfuscation: Protocol Impersonation

Data Obfuscation: Steganography

Data Transfer Size Limits

Defacement: Internal Defacement

Deploy Container

Dynamic Resolution: DNS Calculation

Email Collection: Email Forwarding Rule

Email Collection: Remote Email Collection

Encrypted Channel

Encrypted Channel: Asymmetric Cryptography

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Code Repository

Fallback Channels

Forge Web Credentials

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable Cloud Logs

Impair Defenses: Indicator Blocking

Ingress Tool Transfer

Internal Spearphishing

Modify Cloud Compute Infrastructure

Modify Cloud Compute Infrastructure: Create Cloud Instance

Modify Cloud Compute Infrastructure: Create Snapshot

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Modify Cloud Compute Infrastructure: Revert Cloud Instance

Multi-Factor Authentication Request Generation

Multi-Stage Channels

Non-Standard Port

Obfuscated Files or Information: HTML Smuggling

Permission Groups Discovery: Cloud Groups

Proxy: Domain Fronting

Proxy: Internal Proxy

Proxy: Multi-hop Proxy

Remote Access Software

Remote Service Session Hijacking: SSH Hijacking

Remote Services

Rogue Domain Controller

Scheduled Transfer

Stage Capabilities: Drive-by Target

Stage Capabilities: Link Target

Stage Capabilities: Upload Malware

Stage Capabilities: Upload Tool

Subvert Trust Controls: Mark-of-the-Web Bypass

Unsecured Credentials: Cloud Instance Metadata API

Unsecured Credentials: Container API

Unsecured Credentials: Credentials in Registry

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Use Alternate Authentication Material: Application Access Token

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts: Cloud Accounts

Valid Accounts: Domain Accounts

Web Service

Web Service: Bidirectional Communication

Web Service: One-Way Communication

Perimeter

Drive-by Compromise

Dynamic Resolution: Domain Generation Algorithms

External Remote Services

Impair Defenses: Disable or Modify Cloud Firewall

Phishing

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

Phishing: Spearphishing via Service

Proxy: External Proxy

User Execution: Malicious Link

Web Service: Dead Drop Resolver

Physical

Exfiltration Over Physical Medium

Exfiltration Over Physical Medium: Exfiltration over USB

Hardware Additions

Replication Through Removable Media

Prevention

Acquire Infrastructure

Acquire Infrastructure: Botnet

Acquire Infrastructure: DNS Server

Acquire Infrastructure: Domains

Acquire Infrastructure: Server

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Web Services

Brute Force: Password Cracking

Compromise Accounts

Compromise Accounts: Email Accounts

Compromise Accounts: Social Media Accounts

Compromise Infrastructure

Compromise Infrastructure: Botnet

Compromise Infrastructure: DNS Server

Compromise Infrastructure: Domains

Compromise Infrastructure: Server

Compromise Infrastructure: Virtual Private Server

Compromise Infrastructure: Web Services

Data from Information Repositories

Develop Capabilities

Develop Capabilities: Code Signing Certificates

Develop Capabilities: Digital Certificates

Develop Capabilities: Exploits

Develop Capabilities: Malware

Establish Accounts

Establish Accounts: Email Accounts

Establish Accounts: Social Media Accounts

Gather Victim Identity Information

Gather Victim Identity Information: Credentials

Gather Victim Identity Information: Email Addresses

Gather Victim Identity Information: Employee Names

Gather Victim Network Information

Gather Victim Network Information: DNS

Gather Victim Network Information: Domain Properties

Gather Victim Network Information: IP Addresses

Gather Victim Network Information: Network Security Appliances

Gather Victim Network Information: Network Topology

Gather Victim Network Information: Network Trust Dependencies

Gather Victim Org Information

Gather Victim Org Information: Business Relationships

Gather Victim Org Information: Determine Physical Locations

Gather Victim Org Information: Identify Business Tempo

Gather Victim Org Information: Identify Roles

Obtain Capabilities

Obtain Capabilities: Code Signing Certificates

Obtain Capabilities: Digital Certificates

Obtain Capabilities: Exploits

Obtain Capabilities: Malware

Obtain Capabilities: Tool

Obtain Capabilities: Vulnerabilities

Phishing for Information

Phishing for Information: Spearphishing Attachment

Phishing for Information: Spearphishing Link

Phishing for Information: Spearphishing Service

Search Closed Sources

Search Closed Sources: Purchase Technical Data

Search Closed Sources: Threat Intel Vendors

Search Open Technical Databases

Search Open Technical Databases: CDNs

Search Open Technical Databases: DNS/Passive DNS

Search Open Technical Databases: Digital Certificates

Search Open Technical Databases: Scan Databases

Search Open Technical Databases: WHOIS

Search Open Websites/Domains

Search Open Websites/Domains: Search Engines

Search Open Websites/Domains: Social Media

Search Victim-Owned Websites

Software Deployment Tools

Stage Capabilities

Supply Chain Compromise

Supply Chain Compromise: Compromise Hardware Supply Chain

SV-IT-5 - Time Synchronized Execution

Onboard control procedures (i.e., ATS/RTS) that execute a scripts/sets of commands

Informational References

CENTRA Volume I - Cyber Content of Satellites

ID: SV-IT-5

DiD Layer: S/C Software

CAPEC #: 186 | 533

NIST Rev5 Control Tag Mapping: AC-3(2)

Lowest Threat Tier to
Create Threat Event: IV

Notional Risk Rank Score: 14

High-Level Requirements

The spacecraft shall ensure any update to on-board stored procedures has met high assurance standards before execution.

Low-Level Requirements

Requirement	Rationale/Additional Guidance/Notes
The spacecraft shall require multi-factor authorization for new and updates to on-board stored command sequences. {SV-IT-5} {AC-3(2)}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
IA-0007		Compromise Ground System	Threat actors may initially compromise the ground system in order to access the target spacecraft. Once compromised, the threat actor can perform a multitude of initial access techniques, including replay, compromising FSW deployment, compromising encryption keys, and compromising authentication schemes. Threat actors may also perform further reconnaissance within the system to enumerate mission networks and gather information related to ground station logical topology, missions ran out of said ground station, birds that are in-band of targeted ground stations, and other mission system capabilities.
	IA-0007.01	Compromise On-Orbit Update	Threat actors may manipulate and modify on-orbit updates before they are sent to the target spacecraft. This attack can be done in a number of ways, including manipulation of source code, manipulating environment variables, on-board table/memory values, or replacing compiled versions with a malicious one.
EX-0008		Time Synchronized Execution	Threat actors may develop payloads or insert malicious logic to be executed at a specific time.
	EX-0008.01	Absolute Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Absolute Time Sequences (ATS), the event is triggered at specific date/time - regardless of the state or location of the target.
	EX-0008.02	Relative Time Sequences	Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Relative Time Sequences (RTS), the event is triggered in relation to some other event. For example, a specific amount of time after boot.
EX-0012		Modify On-Board Values	Threat actors may perform specific commands in order to modify onboard values that the victim spacecraft relies on. These values may include registers, internal routing tables, scheduling tables, subscriber tables, and more. Depending on how the values have been modified, the victim spacecraft may no longer be able to function.
	EX-0012.01	Registers	Threat actors may target the internal registers of the victim spacecraft in order to modify specific values as the FSW is functioning or prevent certain subsystems from working. Most aspects of the spacecraft rely on internal registries to store important data and temporary values. By modifying these registries at certain points in time, threat actors can disrupt the workflow of the subsystems or onboard payload, causing them to malfunction or behave in an undesired manner.
	EX-0012.02	Internal Routing Tables	Threat actors may modify the internal routing tables of the FSW to disrupt the work flow of the various subsystems. Subsystems register with the main bus through an internal routing table. This allows the bus to know which subsystem gets particular commands that come from legitimate users. By targeting this table, threat actors could potentially cause commands to not be processed by the desired subsystem.
	EX-0012.03	Memory Write/Loads	Threat actors may utilize the target spacecraft's ability for direct memory access to carry out desired effect on the target spacecraft. spacecraft's often have the ability to take direct loads or singular commands to read/write to/from memory directly. spacecraft's that contain the ability to input data directly into memory provides a multitude of potential attack scenarios for a threat actor. Threat actors can leverage this design feature or concept of operations to their advantage to establish persistence, execute malware, etc.
	EX-0012.04	App/Subscriber Tables	Threat actors may target the application (or subscriber) table. Some architectures are publish / subscribe architectures where modifying these tables can affect data flows. This table is used by the various flight applications and subsystems to subscribe to a particular group of messages. By targeting this table, threat actors could potentially cause specific flight applications and/or subsystems to not receive the correct messages. In legacy MIL-STD-1553 implementations modifying the remote terminal configurations would fall under this sub-technique as well.
	EX-0012.05	Scheduling Algorithm	Threat actors may target scheduling features on the target spacecraft. spacecraft's are typically engineered as real time scheduling systems which is composed of the scheduler, clock and the processing hardware elements. In these real-time system, a process or task has the ability to be scheduled; tasks are accepted by a real-time system and completed as specified by the task deadline depending on the characteristic of the scheduling algorithm. Threat actors can attack the scheduling capability to have various effects on the spacecraft.
	EX-0012.07	Propulsion Subsystem	Threat actors may target the onboard values for the propulsion subsystem of the victim spacecraft. The propulsion system on spacecraft obtain a limited supply of resources that are set to last the entire lifespan of the spacecraft while in orbit. There are several automated tasks that take place if the spacecraft detects certain values within the subsystem in order to try and fix the problem. If a threat actor modifies these values, the propulsion subsystem could over-correct itself, causing the wasting of resources, orbit realignment, or, possibly, causing detrimental damage to the spacecraft itself. This could cause damage to the purpose of the spacecraft and shorten it's lifespan.
	EX-0012.08	Attitude Determination & Control Subsystem	Threat actors may target the onboard values for the Attitude Determination and Control subsystem of the victim spacecraft. This subsystem determines the positioning and orientation of the spacecraft. Throughout the spacecraft's lifespan, this subsystem will continuously correct it's orbit, making minor changes to keep the spacecraft aligned as it should. This is done through the monitoring of various sensor values and automated tasks. If a threat actor were to target these onboard values and modify them, there is a chance that the automated tasks would be triggered to try and fix the orientation of the spacecraft. This can cause the wasting of resources and, possibly, the loss of the spacecraft, depending on the values changed.
	EX-0012.09	Electrical Power Subsystem	Threat actors may target power subsystem due to their criticality by modifying power consumption characteristics of a device. Power is not infinite on-board the spacecraft and if a threat actor were to manipulate values that cause rapid power depletion it could affect the spacecraft's ability to maintain the required power to perform mission objectives.
	EX-0012.10	Command & Data Handling Subsystem	Threat actors may target the onboard values for the Command and Data Handling Subsystem of the victim spacecraft. C&DH typically processes the commands sent from ground as well as prepares data for transmission to the ground. Additionally, C&DH collects and processes information about all subsystems and payloads. Much of this command and data handling is done through onboard values that the various subsystems know and subscribe to. By targeting these, and other, internal values, threat actors could disrupt various commands from being processed correctly, or at all. Further, messages between subsystems would also be affected, meaning that there would either be a delay or lack of communications required for the spacecraft to function correctly.

Related SPARTA Countermeasures

ID	Name	Description
CM0001	Protect Sensitive Information	Organizations should look to identify and properly classify mission sensitive design/operations information (e.g., fault management approach) and apply access control accordingly. Any location (ground system, contractor networks, etc.) storing design information needs to ensure design info is protected from exposure, exfiltration, etc. Space system sensitive information may be classified as Controlled Unclassified Information (CUI) or Company Proprietary. Space system sensitive information can typically include a wide range of candidate material: the functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, CUI, proprietary, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission. Sensitive documentation should only be accessed by personnel with defined roles and a need to know. Well established access controls (roles, encryption at rest and transit, etc.) and data loss prevention (DLP) technology are key countermeasures. The DLP should be configured for the specific data types in question.
CM0052	Insider Threat Protection	Establish policy and procedures to prevent individuals (i.e., insiders) from masquerading as individuals with valid access to areas where commanding of the spacecraft is possible. Establish an Insider Threat Program to aid in the prevention of people with authorized access performing malicious activities.
CM0054	Two-Person Rule	Utilize a two-person system to achieve a high level of security for systems with command level access to the spacecraft. Under this rule all access and actions require the presence of two authorized people at all times.
CM0033	Relay Protection	Implement relay and replay-resistant authentication mechanisms for establishing a remote connection or connections on the spacecraft bus.
CM0049	Machine Learning Data Integrity	When AI/ML is being used for mission critical operations, the integrity of the training data set is imperative. Data poisoning against the training data set can have detrimental effects on the functionality of the AI/ML. Fixing poisoned models is very difficult so model developers need to focus on countermeasures that could either block attack attempts or detect malicious inputs before the training cycle occurs. Regression testing over time, validity checking on data sets, manual analysis, as well as using statistical analysis to find potential injects can help detect anomalies.
CM0004	Development Environment Security	In order to secure the development environment, the first step is understanding all the devices and people who interact with it. Maintain an accurate inventory of all people and assets that touch the development environment. Ensure strong multi-factor authentication is used across the development environment, especially for code repositories, as threat actors may attempt to sneak malicious code into software that's being built without being detected. Use zero-trust access controls to the code repositories where possible. For example, ensure the main branches in repositories are protected from injecting malicious code. A secure development environment requires change management, privilege management, auditing and in-depth monitoring across the environment.
CM0011	Vulnerability Scanning	Vulnerability scanning is used to identify known software vulnerabilities (excluding custom-developed software - ex: COTS and Open-Source). Utilize scanning tools to identify vulnerabilities in dependencies and outdated software (i.e., software composition analysis). Ensure that vulnerability scanning tools and techniques are employed that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: (1) Enumerating platforms, custom software flaws, and improper configurations; (2) Formatting checklists and test procedures; and (3) Measuring vulnerability impact.
CM0012	Software Bill of Materials	Generate Software Bill of Materials (SBOM) against the entire software supply chain and cross correlate with known vulnerabilities (e.g., Common Vulnerabilities and Exposures) to mitigate known vulnerabilities. Protect the SBOM according to countermeasures in CM0001.
CM0013	Dependency Confusion	Ensure proper protections are in place for ensuring dependency confusion is mitigated like ensuring that internal dependencies be pulled from private repositories vice public repositories, ensuring that your CI/CD/development environment is secure as defined in CM0004 and validate dependency integrity by ensuring checksums match official packages.
CM0015	Software Source Control	Prohibit the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.
CM0016	CWE List	Create prioritized list of software weakness classes (e.g., Common Weakness Enumerations), based on system-specific considerations, to be used during static code analysis for prioritization of static analysis results.
CM0017	Coding Standard	Define acceptable coding standards to be used by the software developer. The mission should have automated means to evaluate adherence to coding standards. The coding standard should include the acceptable software development language types as well. The language should consider the security requirements, scalability of the application, the complexity of the application, development budget, development time limit, application security, available resources, etc. The coding standard and language choice must ensure proper security constructs are in place.
CM0018	Dynamic Analysis	Employ dynamic analysis (e.g., using simulation, penetration testing, fuzzing, etc.) to identify software/firmware weaknesses and vulnerabilities in developed and incorporated code (open source, commercial, or third-party developed code). Testing should occur (1) on potential system elements before acceptance; (2) as a realistic simulation of known adversary tactics, techniques, procedures (TTPs), and tools; and (3) throughout the lifecycle on physical and logical systems, elements, and processes. FLATSATs as well as digital twins can be used to perform the dynamic analysis depending on the TTPs being executed. Digital twins via instruction set simulation (i.e., emulation) can provide robust environment for dynamic analysis and TTP execution.
CM0019	Static Analysis	Perform static source code analysis for all available source code looking for system-relevant weaknesses (see CM0016) using no less than two static code analysis tools.
CM0021	Software Digital Signature	Prevent the installation of Flight Software without verification that the component has been digitally signed using a certificate that is recognized and approved by the mission.
CM0023	Configuration Management	Use automated mechanisms to maintain and validate baseline configuration to ensure the spacecraft's is up-to-date, complete, accurate, and readily available.
CM0039	Least Privilege	Employ the principle of least privilege, allowing only authorized processes which are necessary to accomplish assigned tasks in accordance with system functions. Ideally maintain a separate execution domain for each executing process.
CM0046	Long Duration Testing	Perform testing using hardware or simulation/emulation where the test executes over a long period of time (30+ days). This testing will attempt to flesh out race conditions or time-based attacks.
CM0055	Secure Command Mode(s)	Provide additional protection modes for commanding the spacecraft. These can be where the spacecraft will restrict command lock based on geographic location of ground stations, special operational modes within the flight software, or even temporal controls where the spacecraft will only accept commands during certain times.
CM0069	Process White Listing	Simple process ID whitelisting on the firmware level could impede attackers from instigating unnecessary processes which could impact the spacecraft
CM0005	Ground-based Countermeasures	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8401.ipd.pdf). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.
CM0034	Monitor Critical Telemetry Points	Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create a full space system situation awareness from a cybersecurity perspective.
CM0035	Protect Authenticators	Protect authenticator content from unauthorized disclosure and modification.
CM0053	Physical Security Controls	Employ physical security controls (badge with pins, guards, gates, etc.) to prevent unauthorized access to the systems that have the ability to command the spacecraft.
CM0056	Data Backup	Implement disaster recovery plans that contain procedures for taking regular data backups that can be used to restore critical data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.
CM0070	Alternate Communications Paths	Establish alternate communications paths to reduce the risk of all communications paths being affected by the same incident.
CM0032	On-board Intrusion Detection & Prevention	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.
CM0042	Robust Fault Management	Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft.
CM0044	Cyber-safe Mode	Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable.
CM0066	Model-based System Verification	Real-time physics model-based system verification of state could help to verify data input and control sequence changes
CM0014	Secure boot	Software/Firmware must verify a trust chain that extends through the hardware root of trust, boot loader, boot configuration file, and operating system image, in that order. The trusted boot/RoT computing module should be implemented on radiation tolerant burn-in (non-programmable) equipment.
CM0038	Segmentation	Identify the key system components or capabilities that require isolation through physical or logical means. Information should not be allowed to flow between partitioned applications unless explicitly permitted by security policy. Isolate mission critical functionality from non-mission critical functionality by means of an isolation boundary (implemented via partitions) that controls access to and protects the integrity of, the hardware, software, and firmware that provides that functionality. Enforce approved authorizations for controlling the flow of information within the spacecraft and between interconnected systems based on the defined security policy that information does not leave the spacecraft boundary unless it is encrypted. Implement boundary protections to separate bus, communications, and payload components supporting their respective functions.
CM0048	Resilient Position, Navigation, and Timing	If available, use an authentication mechanism that allows GNSS receivers to verify the authenticity of the GNSS information and of the entity transmitting it, to ensure that it comes from a trusted source. Have fault-tolerant authoritative time sourcing for the spacecraft's clock. The spacecraft should synchronize the internal system clocks for each processor to the authoritative time source when the time difference is greater than the FSW-defined interval. If Spacewire is utilized, then the spacecraft should adhere to mission-defined time synchronization standard/protocol to synchronize time across a Spacewire network with an accuracy around 1 microsecond.