Out-of-Band Communications Link

Threat actors may attempt to exfiltrate data via out-of-band communication channels. Eavesdropping on the primary or secondary uplinks and downlinks is one exfiltration method, but some space vehicles also carry out-of-band communication links that are used to perform specific actions on the vehicle (e.g., re-keying). These out-of-band links operate on entirely different channels or frequencies and often on separate hardware from the main TT&C path. Because they are typically built for a narrow purpose with limited functionality, they are unlikely to serve as an initial access vector, but for an actor who already has a foothold on the vehicle they provide ample exfiltration opportunity, since they sit outside the primary link and whatever monitoring is applied to it.

ID: EXF-0004
Sub-techniques: 
Tactic:
Created: 2022/10/19
Last Modified: 2022/10/19

Countermeasures

CM0002  COMSEC
  Description: Utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operation in which cryptography on the TT&C link can be disabled (i.e., a crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts at imitative or manipulative communications deception, based on signal parameters.
  NIST Rev5: AC-17(1) AC-17(10) AC-17(2) AC-18(1) AC-2(11) AC-3(10) IA-4(9) IA-5 IA-5(7) IA-7 SA-8(18) SA-9(6) SC-10 SC-12 SC-12(1) SC-12(2) SC-12(3) SC-12(6) SC-13 SC-16(3) SC-28(1) SC-28(3) SC-7 SC-7(11) SC-7(18) SI-10 SI-10(3) SI-10(5) SI-10(6) SI-19(4)
  D3FEND: (none listed)
  ISO 27001: A.8.16 A.5.16 A.5.17 A.5.14 A.8.20 A.8.22 A.8.23 A.8.26 A.8.24 A.5.31 A.5.33 A.8.11

CM0030  Crypto Key Management
  Description: Follow best practices for cryptographic key management as defined by organizations such as NIST or the National Security Agency. Use only approved cryptographic algorithms, key generation algorithms, key distribution techniques, authentication techniques, and evaluation criteria. Encryption key handling should be performed outside of the onboard software and protected using cryptography. Encryption keys should be restricted so that they cannot be read via any telecommand.
  NIST Rev5: SA-9(6) SC-12 SC-12(1) SC-12(2) SC-12(3) SC-12(6) SC-28(3)
  D3FEND: (none listed)
  ISO 27001: A.8.24

CM0031  Authentication
  Description: Authenticate all communication sessions (crosslink and ground stations) for all commands before establishing remote connections, using bidirectional authentication that is cryptographically based. Adding authentication on the spacecraft bus and for communications on board the spacecraft is also recommended.
  NIST Rev5: AC-17(10) AC-17(2) AC-18(1) IA-3(1) IA-4 IA-4(9) IA-7 SA-8(15) SA-8(9) SC-16(2) SC-32(1) SC-7(11) SI-14(3)
  D3FEND: (none listed)
  ISO 27001: A.5.16

CM0036  Session Termination
  Description: Terminate the connection associated with a communications session at the end of the session, or after a period of inactivity whose acceptable length is established in the concept of operations.
  NIST Rev5: AC-12 SC-10 SI-14(3)
  D3FEND: (none listed)
  ISO 27001: A.8.20

CM0029  TRANSEC
  Description: Use transmission security (TRANSEC) measures to protect data transmissions from being infiltrated, exploited, or intercepted.
  NIST Rev5: AC-18(5) CP-8 SC-40 SC-40(1) SC-40(3) SC-40(4) SC-8(4)
  D3FEND: (none listed)
  ISO 27001: A.5.29 A.7.11
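To make CM0031 and CM0036 concrete, the following is an added example (not SPARTA code, and not any flight-software vendor's implementation) of a command session that is opened only after bidirectional, cryptographically based authentication, carries a per-command counter and MAC so that replayed or altered frames are rejected, and is torn down after an inactivity timeout. The roles, the frame layout, the key identifier "tc-master", the 300-second timeout and the use of HMAC-SHA256 as both proof of key possession and session-key derivation are assumptions for illustration; a real link would use an approved cipher suite and hardware-backed key storage (CM0002 / CM0030). The `KeyStore` class deliberately offers no method that returns key bytes, which is the shape of the "keys cannot be read via any telecommand" requirement in CM0030.

```python
"""Mutual, cryptographically based authentication of a command session
with replay protection and inactivity-based termination, in the spirit of
CM0031 (Authentication) and CM0036 (Session Termination).

Added example, not SPARTA code and not any flight-software vendor's code.
The ground/spacecraft roles, wire format, key identifier and timeout are
assumptions for illustration.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets

SESSION_IDLE_TIMEOUT_S = 300.0   # assumed CONOPS value for CM0036
TAG_LEN = 32                     # HMAC-SHA256 output length


class KeyStore:
    """Holds long-term keys and performs MACs with them. It deliberately has
    no method that returns key bytes, so the command handler (and therefore
    any telecommand) has no path to read a key (CM0030)."""
    def __init__(self, keys: dict[str, bytes]):
        self._keys = dict(keys)

    def mac(self, key_id: str, data: bytes) -> bytes:
        return hmac.new(self._keys[key_id], data, hashlib.sha256).digest()


def derive_session_key(ks: KeyStore, key_id: str, n_gs: bytes, n_sv: bytes) -> bytes:
    # Per-session key bound to both nonces (HMAC used as a simple KDF).
    return ks.mac(key_id, b"session" + n_gs + n_sv)


class Spacecraft:
    def __init__(self, ks: KeyStore, key_id: str):
        self.ks, self.key_id = ks, key_id
        self.session = None          # {"key", "counter", "last_seen"} while active
        self.executed: list[bytes] = []

    def auth_step1(self, n_gs: bytes) -> tuple[bytes, bytes]:
        """Answer the ground nonce with our own nonce and proof of key possession."""
        self._n_gs, self._n_sv = n_gs, secrets.token_bytes(16)
        return self._n_sv, self.ks.mac(self.key_id, b"sv" + n_gs + self._n_sv)

    def auth_step3(self, tag_gs: bytes, now: float) -> bool:
        """Verify the ground's proof; only then open a session."""
        expect = self.ks.mac(self.key_id, b"gs" + self._n_sv + self._n_gs)
        if not hmac.compare_digest(tag_gs, expect):
            return False
        self.session = {
            "key": derive_session_key(self.ks, self.key_id, self._n_gs, self._n_sv),
            "counter": 0,
            "last_seen": now,
        }
        return True

    def handle_command(self, frame: bytes, now: float) -> str:
        """Frame layout (assumed): 4-byte big-endian counter | body | 32-byte tag."""
        if self.session is None:
            return "rejected: no authenticated session"
        if now - self.session["last_seen"] > SESSION_IDLE_TIMEOUT_S:
            self.session = None      # CM0036: terminate on inactivity
            return "rejected: session terminated for inactivity"
        ctr_b, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(self.session["key"], ctr_b + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return "rejected: bad MAC"
        ctr = int.from_bytes(ctr_b, "big")
        if ctr <= self.session["counter"]:
            return "rejected: replay"
        self.session["counter"], self.session["last_seen"] = ctr, now
        self.executed.append(body)
        return "executed"


class GroundStation:
    def __init__(self, ks: KeyStore, key_id: str):
        self.ks, self.key_id, self.skey, self.counter = ks, key_id, None, 0

    def authenticate(self, sv: Spacecraft, now: float) -> bool:
        n_gs = secrets.token_bytes(16)
        n_sv, tag_sv = sv.auth_step1(n_gs)
        # Bidirectional: verify the spacecraft before proving ourselves.
        if not hmac.compare_digest(tag_sv, self.ks.mac(self.key_id, b"sv" + n_gs + n_sv)):
            return False
        if not sv.auth_step3(self.ks.mac(self.key_id, b"gs" + n_sv + n_gs), now):
            return False
        self.skey = derive_session_key(self.ks, self.key_id, n_gs, n_sv)
        return True

    def build_command(self, body: bytes) -> bytes:
        self.counter += 1
        ctr_b = self.counter.to_bytes(4, "big")
        return ctr_b + body + hmac.new(self.skey, ctr_b + body, hashlib.sha256).digest()


def demo() -> list[str]:
    """Walk one session through the cases the countermeasures are meant to catch."""
    # Constructed key; in reality each side loads it from its own protected store.
    ks = KeyStore({"tc-master": secrets.token_bytes(32)})
    sv, gs = Spacecraft(ks, "tc-master"), GroundStation(ks, "tc-master")
    if not gs.authenticate(sv, now=1000.0):
        raise RuntimeError("mutual authentication failed")
    cmd = gs.build_command(b"REKEY slot=2")
    tampered = cmd[:4] + b"DUMP slot=2 " + cmd[-TAG_LEN:]   # body altered, tag reused
    return [
        sv.handle_command(cmd, now=1001.0),                        # executed
        sv.handle_command(cmd, now=1002.0),                        # replayed counter
        sv.handle_command(tampered, now=1003.0),                   # MAC no longer matches
        sv.handle_command(gs.build_command(b"NOOP"), now=1400.0),  # idle longer than timeout
        sv.handle_command(gs.build_command(b"NOOP"), now=1401.0),  # no session left
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that there is no code path that accepts a frame without an open session, which is the property CM0002 asks for when it rules out a crypto-bypass mode: the only way to get a command executed is to complete the mutual handshake and present a correctly keyed, fresh counter.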

Indicators of Behavior

CSNE-10  Transmission to Unauthorized Ground Station Detected
  Description: Monitors all downlink channels for traffic directed towards unauthorized ground stations, potentially indicating unauthorized data exfiltration attempts. This approach is agnostic to the specific hardware used for transmission, so it applies across communication systems.
  STIX Pattern: [network-traffic:dst_ref.value != 'authorized_ground_station']

CSNE-22  Traffic Volume Spike on Out-of-Band Link
  Description: Monitors traffic volume or bandwidth usage on the out-of-band communication link to detect spikes that exceed normal operational thresholds, which may indicate malicious activity.
  STIX Pattern: [network-traffic:src_ref.value = 'out_of_band_channel' AND network-traffic:traffic_volume > 'baseline_threshold']

CSNE-37  Out-of-Band Activity Outside Scheduled Time Windows
  Description: Monitors for out-of-band communication link activity at times that do not align with predefined operational schedules, signaling potential exploitation or unauthorized usage.
  STIX Pattern: [network-traffic:src_ref.value = 'out_of_band_channel' AND network-traffic:timestamp != 'scheduled_window']

CSNE-38  Use of Unexpected Protocol on Out-of-Band Link
  Description: Monitors for protocol deviations on the out-of-band link, which could indicate exploitation attempts.
  STIX Pattern: [network-traffic:protocols != 'expected_protocol' AND network-traffic:src_ref.channel = 'out_of_band']

CSNE-39  Unauthorized Frequency Usage on Out-of-Band Link
  Description: Tracks unauthorized frequency usage on the out-of-band communication link.
  STIX Pattern: [x-opencti-rf-sensor:frequency_band = 'out_of_band_channel' AND x-opencti-rf-sensor:usage != 'baseline_usage']

These patterns are notional. Values such as 'authorized_ground_station', 'baseline_threshold' and 'scheduled_window' are placeholders, and properties such as network-traffic:traffic_volume, network-traffic:timestamp, src_ref.channel and the x-opencti-rf-sensor object are not defined on the STIX 2.1 network-traffic object. Before deployment, each pattern has to be bound to observables the ground segment actually produces (for example byte counts and start/end times from the link monitor, and carrier measurements from an RF sensor), and the thresholds and schedules have to be derived from the mission's own baseline.
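The following is an added example (not SPARTA code) that implements the five indicators above as one pass over constructed link-telemetry records, so the placeholder values in the patterns become concrete checks. The record format (one dict per transmission burst with a timestamp, link, direction, endpoints, protocol, byte count and measured carrier), the ground-station allow-list, the expected out-of-band protocol, the re-key window, the frequency allocation and the baseline burst sizes are all assumptions standing in for what a real ground segment would export; the 'baseline_threshold' in CSNE-22 is taken to be mean plus three standard deviations of past out-of-band burst sizes, which is one reasonable choice rather than the page's definition.

```python
"""Detection logic for the EXF-0004 indicators (CSNE-10/22/37/38/39) run over
constructed link-telemetry records.

Added example, not SPARTA code. Record format, allow-lists, schedule, band
and baselines are assumptions; the STIX patterns on the page are the intent,
this is one concrete implementation of that intent.
"""
from __future__ import annotations
from datetime import datetime, time, timezone
from statistics import mean, pstdev
from typing import Iterable

# Assumed mission configuration (placeholders, not real assets).
AUTHORIZED_GROUND_STATIONS = {"GS-ALPHA", "GS-BRAVO"}
EXPECTED_OOB_PROTOCOLS = {"rekey-cmd"}
OOB_SCHEDULE_UTC = [(time(2, 0), time(2, 30))]        # daily re-key window
OOB_BAND_MHZ = (2025.0, 2110.0)                       # assumed OOB allocation
BASELINE_OOB_BYTES = [480, 512, 500, 520, 496, 508]   # constructed history

# Constructed records: ts (ISO-8601), link, direction, src, dst, protocol,
# bytes transferred, measured carrier in MHz.
SAMPLE_RECORDS = [
    {"id": "b1", "ts": "2024-05-01T02:10:00+00:00", "link": "oob", "direction": "uplink",
     "src": "GS-ALPHA", "dst": "SV-1", "protocol": "rekey-cmd", "bytes": 512, "freq_mhz": 2050.0},
    {"id": "b2", "ts": "2024-05-01T14:22:00+00:00", "link": "oob", "direction": "downlink",
     "src": "SV-1", "dst": "GS-ALPHA", "protocol": "bulk-file", "bytes": 4_000_000, "freq_mhz": 2050.0},
    {"id": "b3", "ts": "2024-05-01T03:00:00+00:00", "link": "primary", "direction": "downlink",
     "src": "SV-1", "dst": "UNKNOWN-7", "protocol": "ccsds-tm", "bytes": 900_000, "freq_mhz": 8400.0},
    {"id": "b4", "ts": "2024-05-01T02:05:00+00:00", "link": "oob", "direction": "uplink",
     "src": "GS-BRAVO", "dst": "SV-1", "protocol": "rekey-cmd", "bytes": 500, "freq_mhz": 2300.0},
]


def in_schedule(ts: datetime) -> bool:
    """CSNE-37 'scheduled_window': is this UTC time inside an approved OOB window?"""
    t = ts.astimezone(timezone.utc).time()
    return any(start <= t <= end for start, end in OOB_SCHEDULE_UTC)


def in_oob_band(freq_mhz: float) -> bool:
    lo, hi = OOB_BAND_MHZ
    return lo <= freq_mhz <= hi


def volume_threshold(history: Iterable[int], k: float = 3.0) -> float:
    """CSNE-22 'baseline_threshold': mean + k sigma of historical OOB burst sizes."""
    vals = list(history)
    return mean(vals) + k * pstdev(vals)


def evaluate(rec: dict, threshold: float) -> list[str]:
    """Return the IoB IDs that fire for one record, in table order."""
    hits: list[str] = []
    ts = datetime.fromisoformat(rec["ts"])
    # CSNE-10 is hardware-agnostic: it applies to every downlink, not only the OOB link.
    if rec["direction"] == "downlink" and rec["dst"] not in AUTHORIZED_GROUND_STATIONS:
        hits.append("CSNE-10")
    if rec["link"] == "oob":
        if rec["bytes"] > threshold:
            hits.append("CSNE-22")
        if not in_schedule(ts):
            hits.append("CSNE-37")
        if rec["protocol"] not in EXPECTED_OOB_PROTOCOLS:
            hits.append("CSNE-38")
        if not in_oob_band(rec["freq_mhz"]):
            hits.append("CSNE-39")   # OOB hardware keying outside its allocation
    elif in_oob_band(rec["freq_mhz"]):
        hits.append("CSNE-39")       # a non-OOB transmitter using the OOB band
    return hits


def scan(records: Iterable[dict], history: Iterable[int]) -> dict[str, list[str]]:
    """Map record id -> fired IoBs, omitting records with no hits."""
    thr = volume_threshold(history)
    out: dict[str, list[str]] = {}
    for rec in records:
        hits = evaluate(rec, thr)
        if hits:
            out[rec["id"]] = hits
    return out


if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_RECORDS, BASELINE_OOB_BYTES).items():
        print(rid, ", ".join(hits))
```

On the constructed records, b1 (the legitimate re-key burst) is silent, b2 trips the volume, schedule and protocol checks at once, which is the profile of bulk exfiltration over the re-key link, b3 trips only the hardware-agnostic CSNE-10 on the primary downlink, and b4 trips only the frequency check. The interpretation of CSNE-39 as "OOB hardware off its allocation, or anything else on the OOB band" is an assumption; adapt it to what the RF sensor actually reports.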

References