SV-IT-5

Onboard control procedures (i.e., ATS/RTS) that execute a scripts/sets of commands


Informational References

  • CENTRA Volume I - Cyber Content of Satellites
ID: SV-IT-5
DiD Layer: S/C Software
CAPEC #:  186 | 533
NIST Rev5 Control Tag Mapping:  AC-3 | AC-3(2) | CA-7 | CA-7(6) | RA-10 | SA-8 | SA-8(24) | SC-45 | SC-45(1) | SC-45(2)
Lowest Threat Tier to
Create Threat Event:  
IV
Notional Risk Rank Score: 

High-Level Requirements

The spacecraft shall ensure any update to on-board stored procedures has met high assurance standards before execution.

Low-Level Requirements

Requirement Rationale/Additional Guidance/Notes
The [spacecraft] shall require multi-factor authorization for new and updates to on-board stored command sequences.{SV-IT-5}{AC-3(2)} Multi-factor authorization could be the "two-man rule" where procedures are in place to prevent a successful attack by a single actor (note: development activities that are subsequently subject to review or verification activities may already require collaborating attackers such that a "two-man rule" is not appropriate).

Related SPARTA Techniques and Sub-Techniques

ID Name Description
IA-0007 Compromise Ground Station Threat actors may initially compromise the ground station in order to access the target SV. Once compromised, the threat actor can perform a multitude of initial access techniques, including replay, compromising FSW deployment, compromising encryption keys, and compromising authentication schemes.
IA-0007.01 Compromise On-Orbit Update Threat actors may manipulate and modify on-orbit updates before they are sent to the target SV. This attack can be done in a number of ways, including manipulation of source code, manipulating environment variables, on-board table/memory values, or replacing compiled versions with a malicious one.
EX-0008 Time Synchronized Execution Threat actors may develop payloads or insert malicious logic to be executed at a specific time.
EX-0008.01 Absolute Time Sequences Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Absolute Time Sequences (ATS), the event is triggered at specific date/time - regardless of the state or location of the target.
EX-0008.02 Relative Time Sequences Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Relative Time Sequences (RTS), the event is triggered in relation to some other event. For example, a specific amount of time after boot.
EX-0012 Modify On-Board Values Threat actors may perform specific commands in order to modify onboard values that the victim SV relies on. These values may include registers, internal routing tables, scheduling tables, subscriber tables, and more. Depending on how the values have been modified, the victim SV may no longer be able to function.
EX-0012.01 Registers Threat actors may target the internal registers of the victim SV in order to modify specific values as the FSW is functioning or prevent certain subsystems from working. Most aspects of the SV rely on internal registries to store important data and temporary values. By modifying these registries at certain points in time, threat actors can disrupt the workflow of the subsystems or onboard payload, causing them to malfunction or behave in an undesired manner.
EX-0012.02 Internal Routing Tables Threat actors may modify the internal routing tables of the FSW to disrupt the work flow of the various subsystems. Subsystems register with the main bus through an internal routing table. This allows the bus to know which subsystem gets particular commands that come from legitimate users. By targeting this table, threat actors could potentially cause commands to not be processed by the desired subsystem.
EX-0012.03 Memory Write/Loads Threat actors may utilize the target SV's ability for direct memory access to carry out desired effect on the target SV. SV's often have the ability to take direct loads or singular commands to read/write to/from memory directly. SV's that contain the ability to input data directly into memory provides a multitude of potential attack scenarios for a threat actor. Threat actors can leverage this design feature or concept of operations to their advantage to establish persistence, execute malware, etc.
EX-0012.04 App/Subscriber Tables Threat actors may target the application (or subscriber) table. Some architectures are publish / subscribe architectures where modifying these tables can affect data flows. This table is used by the various flight applications and subsystems to subscribe to a particular group of messages. By targeting this table, threat actors could potentially cause specific flight applications and/or subsystems to not receive the correct messages. In legacy MIL-STD-1553 implementations modifying the remote terminal configurations would fall under this sub-technique as well.
EX-0012.05 Scheduling Algorithm Threat actors may target scheduling features on the target SV. SV's are typically engineered as real time scheduling systems which is composed of the scheduler, clock and the processing hardware elements. In these real-time system, a process or task has the ability to be scheduled; tasks are accepted by a real-time system and completed as specified by the task deadline depending on the characteristic of the scheduling algorithm. Threat actors can attack the scheduling capability to have various effects on the SV.
EX-0012.07 Propulsion Subsystem Threat actors may target the onboard values for the propulsion subsystem of the victim SV. The propulsion system on SVs obtain a limited supply of resources that are set to last the entire lifespan of the SV while in orbit. There are several automated tasks that take place if the SV detects certain values within the subsystem in order to try and fix the problem. If a threat actor modifies these values, the propulsion subsystem could over-correct itself, causing the wasting of resources, orbit realignment, or, possibly, causing detrimental damage to the SV itself. This could cause damage to the purpose of the SV and shorten it's lifespan.
EX-0012.08 Attitude Determination & Control Subsystem Threat actors may target the onboard values for the Attitude Determination and Control subsystem of the victim SV. This subsystem determines the positioning and orientation of the SV. Throughout the SV's lifespan, this subsystem will continuously correct it's orbit, making minor changes to keep the SV aligned as it should. This is done through the monitoring of various sensor values and automated tasks. If a threat actor were to target these onboard values and modify them, there is a chance that the automated tasks would be triggered to try and fix the orientation of the SV. This can cause the wasting of resources and, possibly, the loss of the SV, depending on the values changed.
EX-0012.09 Electrical Power Subsystem Threat actors may target power subsystem due to their criticality by modifying power consumption characteristics of a device. Power is not infinite on-board the SV and if a threat actor were to manipulate values that cause rapid power depletion it could affect the SV's ability to maintain the required power to perform mission objectives.
EX-0012.10 Command & Data Handling Subsystem Threat actors may target the onboard values for the Command and Data Handling Subsystem of the victim SV. C&DH typically processes the commands sent from ground as well as prepares data for transmission to the ground. Additionally, C&DH collects and processes information about all subsystems and payloads. Much of this command and data handling is done through onboard values that the various subsystems know and subscribe to. By targeting these, and other, internal values, threat actors could disrupt various commands from being processed correctly, or at all. Further, messages between subsystems would also be affected, meaning that there would either be a delay or lack of communications required for the SV to function correctly.

Related SPARTA Countermeasures

ID Name Description NIST Rev5 D3FEND ISO 27001