Threats by DiD Layer

Space

Data

SV-AC-3

SV-CF-2

SV-IT-2

SV-MA-2

S/C Software

SV-AV-4

SV-IT-5

SV-MA-3

SV-SP-1

SV-SP-3

SV-SP-6

SV-SP-9

SBC

SV-AC-5

SV-AC-6

SV-AC-8

SV-AV-2

SV-AV-3

SV-AV-8

SV-IT-3

SV-IT-4

SV-MA-8

SV-SP-11

SV-SP-7

IDS/IPS

SV-AV-5

SV-AV-6

SV-DCO-1

SV-MA-5

Crypto

SV-AC-1

SV-AC-2

SV-CF-1

SV-CF-4

SV-IT-1

Comms Link

SV-AC-7

SV-AV-1

Ground

SV-MA-7

Prevention

SV-AC-4

SV-AV-7

SV-CF-3

SV-MA-1

SV-MA-4

SV-MA-6

SV-SP-10

SV-SP-2

SV-SP-4

SV-SP-5

Ground

Data

Automated Collection

Cloud Storage Object Discovery

Data Destruction

Data Encrypted for Impact

Data Manipulation

Data Manipulation: Runtime Data Manipulation

Data Manipulation: Stored Data Manipulation

Data from Cloud Storage Object

Data from Information Repositories: Code Repositories

Data from Information Repositories: Confluence

Data from Information Repositories: Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Defacement

Defacement: External Defacement

Disk Wipe

Disk Wipe: Disk Content Wipe

Disk Wipe: Disk Structure Wipe

Dynamic Resolution: Fast Flux DNS

Email Collection

Email Collection: Local Email Collection

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service

File and Directory Discovery

File and Directory Permissions Modification

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Group Policy Discovery

Permission Groups Discovery

Ground Software

Compromise Client Software Binary

Exploit Public-Facing Application

Exploitation for Credential Access

Exploitation for Defense Evasion

Exploitation for Privilege Escalation

Exploitation of Remote Services

Forge Web Credentials: Web Cookies

Masquerading: Invalid Code Signature

Steal Web Session Cookie

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Template Injection

XSL Script Processing

Endpoint

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Access Token Manipulation

Access Token Manipulation: Create Process with Token

Access Token Manipulation: Make and Impersonate Token

Access Token Manipulation: Parent PID Spoofing

Access Token Manipulation: SID-History Injection

Access Token Manipulation: Token Impersonation/Theft

Account Access Removal

Account Discovery

Account Discovery: Cloud Account

Account Discovery: Domain Account

Account Discovery: Email Account

Account Discovery: Local Account

Account Manipulation

Account Manipulation: Additional Cloud Credentials

Account Manipulation: Additional Cloud Roles

Account Manipulation: Additional Email Delegate Permissions

Account Manipulation: Device Registration

Account Manipulation: SSH Authorized Keys

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Custom Method

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Utility

Audio Capture

Automated Exfiltration

BITS Jobs

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Active Setup

Boot or Logon Autostart Execution: Authentication Package

Boot or Logon Autostart Execution: Kernel Modules and Extensions

Boot or Logon Autostart Execution: LSASS Driver

Boot or Logon Autostart Execution: Login Items

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Print Processors

Boot or Logon Autostart Execution: Re-opened Applications

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Time Providers

Boot or Logon Autostart Execution: Winlogon Helper DLL

Boot or Logon Autostart Execution: XDG Autostart Entries

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts: Login Hook

Boot or Logon Initialization Scripts: Logon Script (Windows)

Boot or Logon Initialization Scripts: Network Logon Script

Boot or Logon Initialization Scripts: RC Scripts

Boot or Logon Initialization Scripts: Startup Items

Browser Bookmark Discovery

Browser Extensions

Browser Session Hijacking

Brute Force

Brute Force: Credential Stuffing

Brute Force: Password Guessing

Brute Force: Password Spraying

Build Image on Host

Clipboard Data

Command and Scripting Interpreter

Command and Scripting Interpreter: AppleScript

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Communication Through Removable Media

Container Administration Command

Create Account

Create Account: Domain Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Create or Modify System Process: Launch Daemon

Create or Modify System Process: Systemd Service

Create or Modify System Process: Windows Service

Credentials from Password Stores

Credentials from Password Stores: Credentials from Web Browsers

Credentials from Password Stores: Keychain

Credentials from Password Stores: Password Managers

Credentials from Password Stores: Securityd Memory

Credentials from Password Stores: Windows Credential Manager

Data Staged

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Domain Policy Modification: Domain Trust Modification

Domain Policy Modification: Group Policy Modification

Domain Trust Discovery

Dynamic Resolution

Endpoint Denial of Service

Endpoint Denial of Service: Application Exhaustion Flood

Endpoint Denial of Service: Application or System Exploitation

Endpoint Denial of Service: OS Exhaustion Flood

Endpoint Denial of Service: Service Exhaustion Flood

Escape to Host

Event Triggered Execution

Event Triggered Execution: Accessibility Features

Event Triggered Execution: AppCert DLLs

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Application Shimming

Event Triggered Execution: Change Default File Association

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Emond

Event Triggered Execution: Image File Execution Options Injection

Event Triggered Execution: LC_LOAD_DYLIB Addition

Event Triggered Execution: Netsh Helper DLL

Event Triggered Execution: PowerShell Profile

Event Triggered Execution: Screensaver

Event Triggered Execution: Trap

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Execution Guardrails

Execution Guardrails: Environmental Keying

Exfiltration Over Other Network Medium

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Exploitation for Client Execution

Firmware Corruption

Forced Authentication

Gather Victim Host Information

Gather Victim Host Information: Client Configurations

Gather Victim Host Information: Firmware

Gather Victim Host Information: Hardware

Gather Victim Host Information: Software

Hide Artifacts

Hide Artifacts: Email Hiding Rules

Hide Artifacts: Hidden File System

Hide Artifacts: Hidden Files and Directories

Hide Artifacts: Hidden Users

Hide Artifacts: Hidden Window

Hide Artifacts: NTFS File Attributes

Hide Artifacts: Process Argument Spoofing

Hide Artifacts: Resource Forking

Hide Artifacts: Run Virtual Instance

Hide Artifacts: VBA Stomping

Hijack Execution Flow

Hijack Execution Flow: COR_PROFILER

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Hijack Execution Flow: Dylib Hijacking

Hijack Execution Flow: Dynamic Linker Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Hijack Execution Flow: KernelCallbackTable

Hijack Execution Flow: Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by Search Order Hijacking

Hijack Execution Flow: Path Interception by Unquoted Path

Hijack Execution Flow: Services File Permissions Weakness

Hijack Execution Flow: Services Registry Permissions Weakness

Impair Defenses

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable or Modify Tools

Impair Defenses: Downgrade Attack

Impair Defenses: Impair Command History Logging

Impair Defenses: Safe Mode Boot

Implant Internal Image

Indicator Removal on Host

Indicator Removal on Host: Clear Command History

Indicator Removal on Host: Clear Linux or Mac System Logs

Indicator Removal on Host: Clear Windows Event Logs

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Indicator Removal on Host: Timestomp

Indirect Command Execution

Inhibit System Recovery

Input Capture

Input Capture: Credential API Hooking

Input Capture: GUI Input Capture

Input Capture: Keylogging

Input Capture: Web Portal Capture

Inter-Process Communication

Inter-Process Communication: Component Object Model

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: XPC Services

Masquerading

Masquerading: Double File Extension

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

Masquerading: Right-to-Left Override

Masquerading: Space after Filename

Modify Authentication Process

Modify Authentication Process: Domain Controller Authentication

Modify Authentication Process: Network Device Authentication

Modify Authentication Process: Password Filter DLL

Modify Authentication Process: Pluggable Authentication Modules

Modify Authentication Process: Reversible Encryption

Modify Registry

Multi-Factor Authentication Interception

Native API

Network Service Discovery

Network Share Discovery

OS Credential Dumping

OS Credential Dumping: /etc/passwd and /etc/shadow

OS Credential Dumping: Cached Domain Credentials

OS Credential Dumping: DCSync

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: NTDS

OS Credential Dumping: Proc Filesystem

OS Credential Dumping: Security Account Manager

Obfuscated Files or Information

Obfuscated Files or Information: Binary Padding

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Obfuscated Files or Information: Software Packing

Obfuscated Files or Information: Steganography

Office Application Startup

Office Application Startup: Add-ins

Office Application Startup: Office Template Macros

Office Application Startup: Office Test

Office Application Startup: Outlook Forms

Office Application Startup: Outlook Home Page

Office Application Startup: Outlook Rules

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery: Domain Groups

Permission Groups Discovery: Local Groups

Plist File Modification

Pre-OS Boot

Pre-OS Boot: Bootkit

Pre-OS Boot: Component Firmware

Pre-OS Boot: ROMMONkit

Pre-OS Boot: System Firmware

Process Discovery

Process Injection

Process Injection: Asynchronous Procedure Call

Process Injection: Dynamic-link Library Injection

Process Injection: Extra Window Memory Injection

Process Injection: ListPlanting

Process Injection: Portable Executable Injection

Process Injection: Proc Memory

Process Injection: Process Doppelgänging

Process Injection: Process Hollowing

Process Injection: Ptrace System Calls

Process Injection: Thread Execution Hijacking

Process Injection: Thread Local Storage

Process Injection: VDSO Hijacking

Query Registry

Reflective Code Loading

Remote Service Session Hijacking

Remote Service Session Hijacking: RDP Hijacking

Remote Services: Distributed Component Object Model

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH

Remote Services: Windows Remote Management

Remote System Discovery

Resource Hijacking

Rootkit

Scheduled Task/Job

Scheduled Task/Job: At

Scheduled Task/Job: Container Orchestration Job

Scheduled Task/Job: Cron

Scheduled Task/Job: Scheduled Task

Scheduled Task/Job: Systemd Timers

Screen Capture

Server Software Component

Server Software Component: IIS Components

Server Software Component: SQL Stored Procedures

Server Software Component: Terminal Services DLL

Server Software Component: Transport Agent

Server Software Component: Web Shell

Service Stop

Shared Modules

Software Discovery

Software Discovery: Security Software Discovery

Stage Capabilities: Install Digital Certificate

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: AS-REP Roasting

Steal or Forge Kerberos Tickets: Golden Ticket

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: Silver Ticket

Subvert Trust Controls

Subvert Trust Controls: Code Signing

Subvert Trust Controls: Code Signing Policy Modification

Subvert Trust Controls: Gatekeeper Bypass

Subvert Trust Controls: Install Root Certificate

Subvert Trust Controls: SIP and Trust Provider Hijacking

System Binary Proxy Execution

System Binary Proxy Execution: CMSTP

System Binary Proxy Execution: Compiled HTML File

System Binary Proxy Execution: Control Panel

System Binary Proxy Execution: InstallUtil

System Binary Proxy Execution: MMC

System Binary Proxy Execution: Mavinject

System Binary Proxy Execution: Mshta

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Odbcconf

System Binary Proxy Execution: Regsvcs/Regasm

System Binary Proxy Execution: Regsvr32

System Binary Proxy Execution: Rundll32

System Binary Proxy Execution: Verclsid

System Information Discovery

System Location Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Script Proxy Execution

System Script Proxy Execution: PubPrn

System Service Discovery

System Services

System Services: Launchctl

System Services: Service Execution

System Shutdown/Reboot

System Time Discovery

Taint Shared Content

Traffic Signaling: Port Knocking

Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution: MSBuild

Unsecured Credentials

Unsecured Credentials: Bash History

Unsecured Credentials: Credentials In Files

Unsecured Credentials: Group Policy Preferences

Unsecured Credentials: Private Keys

User Execution

User Execution: Malicious File

User Execution: Malicious Image

Valid Accounts

Valid Accounts: Default Accounts

Valid Accounts: Local Accounts

Video Capture

Virtualization/Sandbox Evasion

Virtualization/Sandbox Evasion: System Checks

Virtualization/Sandbox Evasion: Time Based Evasion

Virtualization/Sandbox Evasion: User Activity Based Checks

Windows Management Instrumentation

Network

Adversary-in-the-Middle

Adversary-in-the-Middle: ARP Cache Poisoning

Adversary-in-the-Middle: DHCP Spoofing

Command and Scripting Interpreter: Network Device CLI

Data from Configuration Repository

Data from Configuration Repository: Network Device Configuration Dump

Data from Configuration Repository: SNMP (MIB Dump)

Lateral Tool Transfer

Modify System Image

Modify System Image: Downgrade System Image

Modify System Image: Patch System Image

Network Boundary Bridging

Network Boundary Bridging: Network Address Translation Traversal

Network Denial of Service

Network Denial of Service: Direct Network Flood

Network Denial of Service: Reflection Amplification

Network Sniffing

Non-Application Layer Protocol

Pre-OS Boot: TFTP Boot

Protocol Tunneling

Proxy

Remote Services: VNC

Traffic Signaling

Transfer Data to Cloud Account

Trusted Relationship

Weaken Encryption

Weaken Encryption: Disable Crypto Hardware

Weaken Encryption: Reduce Key Space

CND/IR

Active Scanning

Active Scanning: Scanning IP Blocks

Active Scanning: Vulnerability Scanning

Active Scanning: Wordlist Scanning

Application Layer Protocol

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Mail Protocols

Application Layer Protocol: Web Protocols

Automated Exfiltration: Traffic Duplication

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Container and Resource Discovery

Create Account: Cloud Account

Data Encoding

Data Encoding: Non-Standard Encoding

Data Encoding: Standard Encoding

Data Manipulation: Transmitted Data Manipulation

Data Obfuscation

Data Obfuscation: Junk Data

Data Obfuscation: Protocol Impersonation

Data Obfuscation: Steganography

Data Transfer Size Limits

Defacement: Internal Defacement

Deploy Container

Dynamic Resolution: DNS Calculation

Email Collection: Email Forwarding Rule

Email Collection: Remote Email Collection

Encrypted Channel

Encrypted Channel: Asymmetric Cryptography

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Code Repository

Fallback Channels

Forge Web Credentials

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable Cloud Logs

Impair Defenses: Indicator Blocking

Ingress Tool Transfer

Internal Spearphishing

Modify Cloud Compute Infrastructure

Modify Cloud Compute Infrastructure: Create Cloud Instance

Modify Cloud Compute Infrastructure: Create Snapshot

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Modify Cloud Compute Infrastructure: Revert Cloud Instance

Multi-Factor Authentication Request Generation

Multi-Stage Channels

Non-Standard Port

Obfuscated Files or Information: HTML Smuggling

Permission Groups Discovery: Cloud Groups

Proxy: Domain Fronting

Proxy: Internal Proxy

Proxy: Multi-hop Proxy

Remote Access Software

Remote Service Session Hijacking: SSH Hijacking

Remote Services

Rogue Domain Controller

Scheduled Transfer

Stage Capabilities: Drive-by Target

Stage Capabilities: Link Target

Stage Capabilities: Upload Malware

Stage Capabilities: Upload Tool

Subvert Trust Controls: Mark-of-the-Web Bypass

Unsecured Credentials: Cloud Instance Metadata API

Unsecured Credentials: Container API

Unsecured Credentials: Credentials in Registry

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Use Alternate Authentication Material: Application Access Token

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts: Cloud Accounts

Valid Accounts: Domain Accounts

Web Service

Web Service: Bidirectional Communication

Web Service: One-Way Communication

Perimeter

Drive-by Compromise

Dynamic Resolution: Domain Generation Algorithms

External Remote Services

Impair Defenses: Disable or Modify Cloud Firewall

Phishing

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

Phishing: Spearphishing via Service

Proxy: External Proxy

User Execution: Malicious Link

Web Service: Dead Drop Resolver

Physical

Exfiltration Over Physical Medium

Exfiltration Over Physical Medium: Exfiltration over USB

Hardware Additions

Replication Through Removable Media

Prevention

Acquire Infrastructure

Acquire Infrastructure: Botnet

Acquire Infrastructure: DNS Server

Acquire Infrastructure: Domains

Acquire Infrastructure: Server

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Web Services

Brute Force: Password Cracking

Compromise Accounts

Compromise Accounts: Email Accounts

Compromise Accounts: Social Media Accounts

Compromise Infrastructure

Compromise Infrastructure: Botnet

Compromise Infrastructure: DNS Server

Compromise Infrastructure: Domains

Compromise Infrastructure: Server

Compromise Infrastructure: Virtual Private Server

Compromise Infrastructure: Web Services

Data from Information Repositories

Develop Capabilities

Develop Capabilities: Code Signing Certificates

Develop Capabilities: Digital Certificates

Develop Capabilities: Exploits

Develop Capabilities: Malware

Establish Accounts

Establish Accounts: Email Accounts

Establish Accounts: Social Media Accounts

Gather Victim Identity Information

Gather Victim Identity Information: Credentials

Gather Victim Identity Information: Email Addresses

Gather Victim Identity Information: Employee Names

Gather Victim Network Information

Gather Victim Network Information: DNS

Gather Victim Network Information: Domain Properties

Gather Victim Network Information: IP Addresses

Gather Victim Network Information: Network Security Appliances

Gather Victim Network Information: Network Topology

Gather Victim Network Information: Network Trust Dependencies

Gather Victim Org Information

Gather Victim Org Information: Business Relationships

Gather Victim Org Information: Determine Physical Locations

Gather Victim Org Information: Identify Business Tempo

Gather Victim Org Information: Identify Roles

Obtain Capabilities

Obtain Capabilities: Code Signing Certificates

Obtain Capabilities: Digital Certificates

Obtain Capabilities: Exploits

Obtain Capabilities: Malware

Obtain Capabilities: Tool

Obtain Capabilities: Vulnerabilities

Phishing for Information

Phishing for Information: Spearphishing Attachment

Phishing for Information: Spearphishing Link

Phishing for Information: Spearphishing Service

Search Closed Sources

Search Closed Sources: Purchase Technical Data

Search Closed Sources: Threat Intel Vendors

Search Open Technical Databases

Search Open Technical Databases: CDNs

Search Open Technical Databases: DNS/Passive DNS

Search Open Technical Databases: Digital Certificates

Search Open Technical Databases: Scan Databases

Search Open Technical Databases: WHOIS

Search Open Websites/Domains

Search Open Websites/Domains: Search Engines

Search Open Websites/Domains: Social Media

Search Victim-Owned Websites

Software Deployment Tools

Stage Capabilities

Supply Chain Compromise

Supply Chain Compromise: Compromise Hardware Supply Chain

CM0001

Using fault management system against you. Understanding the fault response could be leveraged to get satellite in vulnerable state. Example, safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of TLM to cause action from ground, or some sort of RPO to cause S/C to go into safe mode;

Informational References

CENTRA - Chinese Research into Cyber Vulnerabilities of Satellite Bus Standards
Orbital Security Alliance - Commercial Space System Security Guidelines

ID: CM0001

DiD Layer: IDS/IPS

CAPEC #: 74 | 166 | 578 | 581 | 620

NIST Rev5 Control Tag Mapping: AC-3 | AC-3(11) | AC-4 | AC-4(23) | AU-5 | AU-5(5) | CA-7 | CA-7(6) | CM-12 | CM-12(1) | CP-4 | CP-4(5) | CP-10 | CP-10(4) | CP-12 | IR-4 | IR-4(3) | RA-3 | RA-3(1) | RA-9 | RA-10 | SA-3 | SA-3(1) | SA-5 | SA-8 | SA-8(21) | SA-8(23) | SA-8(24) | SA-11 | SA-11(9) | SC-24 | SC-47 | SI-11 | SI-17

Lowest Threat Tier to
Create Threat Event: V

Notional Risk Rank Score:

High-Level Requirements

The Program shall protect all fault management documents (i.e., FMEA/FMECA artifacts) from inadvertent and inappropriate disclosure.

Low-Level Requirements

Requirement	Rationale/Additional Guidance/Notes
This is not a cyber control for the spacecraft, but these controls would apply to ground system, contractor networks, etc. where design sensitive information would reside. NIST 800-171 is insufficient to properly protect this information from exposure, exfiltration, etc. Should require contractors to be CMMC 2.0 Level 3 certified (https://www.acq.osd.mil/cmmc/about-us.html). The Program shall identify and properly classify mission sensitive design/operations information and access control shall be applied in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. {SV-CF-3,SV-AV-5} {SA-5}	Essential Elements of Information (EEI):
The Program shall protect documentation and Essential Elements of Information (EEI) as required, in accordance with the risk management strategy. {SV-CF-3,SV-AV-5} {SA-5}	Least privilege and need to know should be employed with the protection of all documentation. Documentation can contain sensitive information that can aid in vulnerability discovery, detection, and exploitation. For example, command dictionaries for ground and space systems should be handles with extreme care. Additionally, design documents for missions contain many key elements that if compromised could aid in an attacker successfully exploiting the system.
The Program shall distribute documentation to only personnel with defined roles and a need to know. {SV-CF-3,SV-AV-5} {SA-5}
See threat ID SV-CF-3 to help with protecting design specific information, in this case the FMEA/FMECA artifacts so that particular fault responses are not disclosed via documentation. {SV-AV-5}
The spacecraft shall provide or support the capability for recovery and reconstitution to a known state after a disruption, compromise, or failure. {SV-AV-5,SV-AV-6,SV-AV-7} {CP-10,CP-10(4),IR-4}	Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and SW functions to preattack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on available equipment still available after a cyberattack. The goal is for the vehicle to resume full mission operations. If not possible, a reduced level of mission capability should be achieved.
The spacecraft shall provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). {SV-AV-5,SV-AV-6,SV-AV-7} {CP-12,SI-17,IR-4(3)}
The spacecraft shall enter a cyber-safe mode when conditions that threaten the spacecraft are detected with restrictions as defined based on the cyber-safe mode. {SV-AV-5,SV-AV-6,SV-AV-7} {CP-12,SI-17,IR-4(3)}	Cyber-safe mode is using a fail-secure mentality where if there is a malfunction that the spacecraft goes into a fail-secure state where cyber protections like authentication and encryption are still employed (instead of bypassed) and the spacecraft can be restored by authorized commands. The cyber-safe mode should be stored in a high integrity location of the on-board SV so that it cannot be modified by attackers.
The spacecraft's cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-17}
The spacecraft shall fail to a known secure state for all types of failures preserving information necessary to determine cause of failure and to return to operations with least disruption to mission operations. {SV-AV-5,SV-AV-6,SV-AV-7} {SC-24,SI-17}
The spacecraft shall generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-11}
The spacecraft shall reveal error messages only to operations personnel monitoring the telemetry. {SV-AV-5,SV-AV-6,SV-AV-7} {SI-11}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0001		Gather Spacecraft Design Information	Threat actors may gather information about the victim SV's design that can be used for future campaigns or to help perpetuate other techniques. Information about the SV can include software, firmware, encryption type, purpose, as well as various makes and models of subsystems.
	REC-0001.09	Fault Management	Threat actors may gather information about any fault management that may be present on the victim SV. This information can help threat actors construct specific attacks that may put the SV into a fault condition and potentially a more vulnerable state depending on the fault response.
REC-0004		Gather Launch Information	Threat actors may gather the launch date and time, location of the launch (country & specific site), organizations involved, launch vehicle, etc. This information can provide insight into protocols, regulations, and provide further targets for the threat actor, including specific vulnerabilities with the launch vehicle itself.
	REC-0004.01	Flight Termination	Threat actor may obtain information regarding the vehicle's flight termination system. Threat actors may use this information to perform later attacks and target the vehicle's termination system to have desired impact on mission.
REC-0007		Monitor for Safe-Mode Indicators	Threat actors may gather information regarding safe-mode indicators on the victim SV. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
IA-0010		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
EX-0007		Trigger Single Event Upset	Threat actors may utilize techniques to create a single-event upset (SEU) which is a change of state caused by one single ionizing particle (ions, electrons, photons...) striking a sensitive node in a SV (i.e., microprocessor, semiconductor memory, or power transistors). The state change is a result of the free charge created by ionization in or close to an important node of a logic element (e.g. memory "bit"). This can cause unstable conditions on the SV depending on which component experiences the SEU. SEU is a known phenomenon for SV due to high radiation in space, but threat actors may attempt to utilize items like microwaves to create a SEU.
EX-0013		Flooding	Threat actors use jamming and flooding attacks to disrupt communications by injecting unexpected noise or messages into a transmission channel. There are several types of attacks that are consistent with this method of exploitation, and they can produce various outcomes. Although, the most prominent of the impacts are denial of service or data corruption. Several elements of the space vehicle may be targeted by jamming and flooding attacks, and depending on the time of the attack, it can have devastating results to the availability of the system.
	EX-0013.02	Erroneous Data	Threat actors inject noise into the target channel so that legitimate messages cannot be correctly processed due to data integrity impacts. Additionally, while this technique does not utilize valid commands, the target SV still must consume computing resources to process and discard the signal.
	EX-0013.01	Valid Commands	Threat actors may utilize valid commanding as a mechanism for flooding as the processing of these valid commands could expend valuable resources like processing power and battery usage. Flooding the spacecraft bus, sub-systems or link layer with valid commands can create temporary denial of service conditions for the space vehicle while the SV is consumed with processing these valid commands.
EX-0006		Disable/Bypass Encryption	Threat actors may perform specific techniques in order to bypass or disable the encryption mechanism onboard the victim SV. By bypassing or disabling this particular mechanism, further tactics can be performed, such as Exfiltration, that may have not been possible with the internal encryption process in place.
EX-0011		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time.
DE-0001		Disable Fault Management	Threat actors may disable fault management within the victim SV during the attack campaign. During the development process, many fault management mechanisms are added to the various parts of the SV in order to protect it from a variety of bad/corrupted commands, invalid sensor data, and more. By disabling these mechanisms, threat actors may be able to have commands processed that would not normally be allowed.
DE-0005		Exploit Reduced Protections During Safe-Mode	Threat actors may take advantage of the victim SV being in safe mode and send malicious commands that may not otherwise be processed. Safe-mode is when all non-essential systems are shut down and only essential functions within the SV are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections (i.e. security features) may be disabled at this time which would ensure the threat actor achieves evasion.
IMP-0001		Deception (or Misdirection)	Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the SV.
IMP-0002		Disruption	Threat actors may seek to disrupt communications from the victim SV to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the SV's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications.
IMP-0003		Denial	Threat actors may seek to deny ground controllers and other interested parties access to the victim SV. This would be done exhausting system resource, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time.
IMP-0004		Degradation	Threat actors may target various subsystems or the hosted payload in such a way in order to rapidly increase it's degradation. This could potentially shorten the lifespan of the victim SV.

Related SPARTA Countermeasures

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0000	Countermeasure Not Identified	This technique is a result of utilizing TTPs to create an impact and the applicable countermeasures are associated with the TTPs leveraged to achieve the impact	None		None
CM0001	Protect Sensitive Information	Organizations should look to identify and properly classify mission sensitive design/operations information (e.g., fault management approach) and apply access control accordingly. Any location (ground system, contractor networks, etc.) storing design information needs to ensure design info is protected from exposure, exfiltration, etc. Space system sensitive information may be classified as Controlled Unclassified Information (CUI) or Company Proprietary. Space system sensitive information can typically include a wide range of candidate material: the functional and performance specifications, any ICDs (like radio frequency, ground-to-space, etc.), command and telemetry databases, scripts, simulation and rehearsal results/reports, descriptions of uplink protection including any disabling/bypass features, failure/anomaly resolution, and any other sensitive information related to architecture, software, and flight/ground /mission operations. This could all need protection at the appropriate level (e.g., unclassified, CUI, proprietary, classified, etc.) to mitigate levels of cyber intrusions that may be conducted against the project’s networks. Stand-alone systems and/or separate database encryption may be needed with controlled access and on-going Configuration Management to ensure changes in command procedures and critical database areas are tracked, controlled, and fully tested to avoid loss of science or the entire mission. Sensitive documentation should only be accessed by personnel with defined roles and a need to know. Well established access controls (roles, encryption at rest and transit, etc.) and data loss prevention (DLP) technology are key countermeasures. The DLP should be configured for the specific data types in question.	AC-3(11) \| AC-4(23) \| AC-4(25) \| CM-12 \| CM-12(1) \| PM-11 \| PM-17 \| SA-3(1) \| SA-3(2) \| SA-4(12) \| SA-5 \| SA-9(7) \| SI-21 \| SI-23 \| SR-12 \| SR-7		A.8.4 \| A.8.11 \| A.8.10 \| A.8.33 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.10 \| A.5.22