CM0000

Replay of recorded authentic communications traffic at a later time with the hope that the authorized communications will provide data or some other system reaction


Informational References

ID: CM0000
DiD Layer: Crypto
CAPEC #:  60 | 195
NIST Rev5 Control Tag Mapping:  AC-17 | AC-17(1) | AC-17(2) | AC-17(10) | AU-3 | AU-3(1) | CA-7 | CA-7(6) | IA-2 | IA-2(8) | IA-3 | IA-3(1) | IA-4 | IA-7 | SA-8 | SA-8(15) | SA-8(18) | SA-9 | SA-9(6) | SC-7 | SC-7(11) | SC-7(18) | SC-13 | SC-23 | SI-10 | SI-10(5) | SI-10(6)
Lowest Threat Tier to
Create Threat Event:  
III
Notional Risk Rank Score: 

High-Level Requirements

The spacecraft shall prevent previously issued commands from reuse within the systems (i.e., replay attacks).

Low-Level Requirements

Requirement Rationale/Additional Guidance/Notes
The spacecraft shall implement relay and replay-resistant authentication mechanisms for establishing a remote connection. {SV-AC-1,SV-AC-2} {IA-2(8)}
The spacecraft shall uniquely identify and authenticate the ground station and other SVs before establishing a remote connection. {SV-AC-1,SV-AC-2} {IA-3,IA-4,AC-17(10)} Authorization can include embedding opcodes in command strings, using trusted authentication protocols, identifying proper link characteristics such as emitter location, expected range of receive power, expected modulation, data rates, communication protocols, beamwidth, etc.; and tracking command counter increments against expected values.
The spacecraft shall authenticate the ground station (and all commands) and other SVs before establishing remote connections using bidirectional authentication that is cryptographically based. {SV-AC-1,SV-AC-2} {IA-3(1),IA-4,IA-7,AC-17(10),AC-17(2),SC-7(11),AC-18(1)}
The spacecraft shall fail securely to a secondary device in the event of an operational failure of a primary boundary protection device (i.e., crypto solution). {SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2} {SC-7(18)}
The spacecraft shall restrict the use of information inputs to SVs and designated ground stations as defined in the applicable ICDs. {SV-AC-1,SV-AC-2} {SC-23,SI-10,SI-10(5)}
The spacecraft shall implement cryptography for the indicated uses using the indicated protocols, algorithms, and mechanisms, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: [NSA- certified or approved cryptography for protection of classified information, FIPS-validated cryptography for the provision of hashing]. {SV-AC-1,SV-AC-2,SV-CF-1,SV-CF-2,SV-AC-3} {IA-7,SC-13} The mission critical components or systems could be GNC/Attitude Control, C&DH, TT&C, Fault Management.
The spacecraft shall have on-board intrusion detection/prevention system that monitors the mission critical components or systems. {SV-AC-1,SV-AC-2,SV-MA-4} {SC-7} Source from AEROSPACE REPORT NO. TOR-2019-02178 Vehicle Command Counter (VCC) - Counts received valid commands Rejected Command Counter - Counts received invalid commands Command Receiver On/Off Mode - Indicates times command receiver is accepting commands Command Receivers Received Signal Strength - Analog measure of the amount of received RF energy at the receive frequency Command Receiver Lock Modes - Indicates when command receiver has achieved lock on command signal Telemetry Downlink Modes - Indicates when the satellite’s telemetry was transmitting Cryptographic Modes - Indicates the operating modes of the various encrypted links Received Commands - Log of all commands received and executed by the satellite System Clock - Master onboard clock GPS Ephemeris - Indicates satellite location derived from GPS Signals
The spacecraft shall monitor [Program defined telemetry points] for malicious commanding attempts. {SV-AC-1,SV-AC-2} {SC-7,AU-3(1),AC-17(1)}

Related SPARTA Techniques and Sub-Techniques

ID Name Description
IA-0008 Rogue External Entity Threat actors may gain access to a victim SV through the use of a rogue external entity. With this technique, the threat actor does not need access to a legitimate ground station or communication site.
IA-0008.01 Rogue Ground Station Threat actors may gain access to a victim SV through the use of a rogue ground system. With this technique, the threat actor does not need access to a legitimate ground station or communication site.
EX-0001 Replay Replay attacks involve threat actors recording previously data streams and then resending them at a later time. This attack can be used to fingerprint systems, gain elevated privileges, or even cause a denial of service.
EX-0001.01 Command Packets Threat actors may interact with the victim SV by replaying captured commands to the SV. While not necessarily malicious in nature, replayed commands can be used to overload the target SV and cause it's onboard systems to crash, perform a DoS attack, or monitor various responses by the SV. If critical commands are captured and replayed, thruster fires, then the impact could impact the SV's attitude control/orbit.
EX-0001.02 Bus Traffic Threat actors may abuse internal commanding to replay bus traffic within the victim SV. On-board resources within the SV are very limited due to the number of subsystems, payloads, and sensors running at a single time. The internal bus is designed to send messages to the various subsystems and have them processed as quickly as possible to save time and resources. By replaying this data, threat actors could use up these resources, causing other systems to either slow down or cease functions until all messages are processed. Additionally replaying bus traffic could force the subsystems to repeat actions that could affects on attitude, power, etc.
EXF-0001 Replay Threat actors may exfiltrate data by replaying commands and capturing the telemetry or payload data as it is sent down. One scenario would be the threat actor replays commands to downlink payload data once SV is within certain location so the data can be intercepted on the downlink by threat actor ground terminals.
IMP-0001 Deception (or Misdirection) Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the SV.

Related SPARTA Countermeasures

ID Name Description NIST Rev5 D3FEND ISO 27001
CM0000 Countermeasure Not Identified This technique is a result of utilizing TTPs to create an impact and the applicable countermeasures are associated with the TTPs leveraged to achieve the impact None None