Threats by DiD Layer

Space

Data

SV-AC-3

SV-CF-2

SV-IT-2

SV-MA-2

S/C Software

SV-AV-4

SV-IT-5

SV-MA-3

SV-SP-1

SV-SP-3

SV-SP-6

SV-SP-9

SBC

SV-AC-5

SV-AC-6

SV-AC-8

SV-AV-2

SV-AV-3

SV-AV-8

SV-IT-3

SV-IT-4

SV-MA-8

SV-SP-11

SV-SP-7

IDS/IPS

SV-AV-5

SV-AV-6

SV-DCO-1

SV-MA-5

Crypto

SV-AC-1

SV-AC-2

SV-CF-1

SV-CF-4

SV-IT-1

Comms Link

SV-AC-7

SV-AV-1

Ground

SV-MA-7

Prevention

SV-AC-4

SV-AV-7

SV-CF-3

SV-MA-1

SV-MA-4

SV-MA-6

SV-SP-10

SV-SP-2

SV-SP-4

SV-SP-5

Ground

Data

Automated Collection

Cloud Storage Object Discovery

Data Destruction

Data Encrypted for Impact

Data Manipulation

Data Manipulation: Runtime Data Manipulation

Data Manipulation: Stored Data Manipulation

Data from Cloud Storage Object

Data from Information Repositories: Code Repositories

Data from Information Repositories: Confluence

Data from Information Repositories: Sharepoint

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Defacement

Defacement: External Defacement

Disk Wipe

Disk Wipe: Disk Content Wipe

Disk Wipe: Disk Structure Wipe

Dynamic Resolution: Fast Flux DNS

Email Collection

Email Collection: Local Email Collection

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Exfiltration Over C2 Channel

Exfiltration Over Web Service

File and Directory Discovery

File and Directory Permissions Modification

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Group Policy Discovery

Permission Groups Discovery

Ground Software

Compromise Client Software Binary

Exploit Public-Facing Application

Exploitation for Credential Access

Exploitation for Defense Evasion

Exploitation for Privilege Escalation

Exploitation of Remote Services

Forge Web Credentials: Web Cookies

Masquerading: Invalid Code Signature

Steal Web Session Cookie

Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Supply Chain Compromise: Compromise Software Supply Chain

Template Injection

XSL Script Processing

Endpoint

Abuse Elevation Control Mechanism

Abuse Elevation Control Mechanism: Bypass User Account Control

Abuse Elevation Control Mechanism: Elevated Execution with Prompt

Abuse Elevation Control Mechanism: Setuid and Setgid

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Access Token Manipulation

Access Token Manipulation: Create Process with Token

Access Token Manipulation: Make and Impersonate Token

Access Token Manipulation: Parent PID Spoofing

Access Token Manipulation: SID-History Injection

Access Token Manipulation: Token Impersonation/Theft

Account Access Removal

Account Discovery

Account Discovery: Cloud Account

Account Discovery: Domain Account

Account Discovery: Email Account

Account Discovery: Local Account

Account Manipulation

Account Manipulation: Additional Cloud Credentials

Account Manipulation: Additional Cloud Roles

Account Manipulation: Additional Email Delegate Permissions

Account Manipulation: Device Registration

Account Manipulation: SSH Authorized Keys

Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Application Window Discovery

Archive Collected Data

Archive Collected Data: Archive via Custom Method

Archive Collected Data: Archive via Library

Archive Collected Data: Archive via Utility

Audio Capture

Automated Exfiltration

BITS Jobs

Boot or Logon Autostart Execution

Boot or Logon Autostart Execution: Active Setup

Boot or Logon Autostart Execution: Authentication Package

Boot or Logon Autostart Execution: Kernel Modules and Extensions

Boot or Logon Autostart Execution: LSASS Driver

Boot or Logon Autostart Execution: Login Items

Boot or Logon Autostart Execution: Port Monitors

Boot or Logon Autostart Execution: Print Processors

Boot or Logon Autostart Execution: Re-opened Applications

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Boot or Logon Autostart Execution: Security Support Provider

Boot or Logon Autostart Execution: Shortcut Modification

Boot or Logon Autostart Execution: Time Providers

Boot or Logon Autostart Execution: Winlogon Helper DLL

Boot or Logon Autostart Execution: XDG Autostart Entries

Boot or Logon Initialization Scripts

Boot or Logon Initialization Scripts: Login Hook

Boot or Logon Initialization Scripts: Logon Script (Windows)

Boot or Logon Initialization Scripts: Network Logon Script

Boot or Logon Initialization Scripts: RC Scripts

Boot or Logon Initialization Scripts: Startup Items

Browser Bookmark Discovery

Browser Extensions

Browser Session Hijacking

Brute Force

Brute Force: Credential Stuffing

Brute Force: Password Guessing

Brute Force: Password Spraying

Build Image on Host

Clipboard Data

Command and Scripting Interpreter

Command and Scripting Interpreter: AppleScript

Command and Scripting Interpreter: JavaScript

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: Python

Command and Scripting Interpreter: Unix Shell

Command and Scripting Interpreter: Visual Basic

Command and Scripting Interpreter: Windows Command Shell

Communication Through Removable Media

Container Administration Command

Create Account

Create Account: Domain Account

Create Account: Local Account

Create or Modify System Process

Create or Modify System Process: Launch Agent

Create or Modify System Process: Launch Daemon

Create or Modify System Process: Systemd Service

Create or Modify System Process: Windows Service

Credentials from Password Stores

Credentials from Password Stores: Credentials from Web Browsers

Credentials from Password Stores: Keychain

Credentials from Password Stores: Password Managers

Credentials from Password Stores: Securityd Memory

Credentials from Password Stores: Windows Credential Manager

Data Staged

Data Staged: Local Data Staging

Data Staged: Remote Data Staging

Debugger Evasion

Deobfuscate/Decode Files or Information

Direct Volume Access

Domain Policy Modification

Domain Policy Modification: Domain Trust Modification

Domain Policy Modification: Group Policy Modification

Domain Trust Discovery

Dynamic Resolution

Endpoint Denial of Service

Endpoint Denial of Service: Application Exhaustion Flood

Endpoint Denial of Service: Application or System Exploitation

Endpoint Denial of Service: OS Exhaustion Flood

Endpoint Denial of Service: Service Exhaustion Flood

Escape to Host

Event Triggered Execution

Event Triggered Execution: Accessibility Features

Event Triggered Execution: AppCert DLLs

Event Triggered Execution: AppInit DLLs

Event Triggered Execution: Application Shimming

Event Triggered Execution: Change Default File Association

Event Triggered Execution: Component Object Model Hijacking

Event Triggered Execution: Emond

Event Triggered Execution: Image File Execution Options Injection

Event Triggered Execution: LC_LOAD_DYLIB Addition

Event Triggered Execution: Netsh Helper DLL

Event Triggered Execution: PowerShell Profile

Event Triggered Execution: Screensaver

Event Triggered Execution: Trap

Event Triggered Execution: Unix Shell Configuration Modification

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Execution Guardrails

Execution Guardrails: Environmental Keying

Exfiltration Over Other Network Medium

Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth

Exploitation for Client Execution

Firmware Corruption

Forced Authentication

Gather Victim Host Information

Gather Victim Host Information: Client Configurations

Gather Victim Host Information: Firmware

Gather Victim Host Information: Hardware

Gather Victim Host Information: Software

Hide Artifacts

Hide Artifacts: Email Hiding Rules

Hide Artifacts: Hidden File System

Hide Artifacts: Hidden Files and Directories

Hide Artifacts: Hidden Users

Hide Artifacts: Hidden Window

Hide Artifacts: NTFS File Attributes

Hide Artifacts: Process Argument Spoofing

Hide Artifacts: Resource Forking

Hide Artifacts: Run Virtual Instance

Hide Artifacts: VBA Stomping

Hijack Execution Flow

Hijack Execution Flow: COR_PROFILER

Hijack Execution Flow: DLL Search Order Hijacking

Hijack Execution Flow: DLL Side-Loading

Hijack Execution Flow: Dylib Hijacking

Hijack Execution Flow: Dynamic Linker Hijacking

Hijack Execution Flow: Executable Installer File Permissions Weakness

Hijack Execution Flow: KernelCallbackTable

Hijack Execution Flow: Path Interception by PATH Environment Variable

Hijack Execution Flow: Path Interception by Search Order Hijacking

Hijack Execution Flow: Path Interception by Unquoted Path

Hijack Execution Flow: Services File Permissions Weakness

Hijack Execution Flow: Services Registry Permissions Weakness

Impair Defenses

Impair Defenses: Disable Windows Event Logging

Impair Defenses: Disable or Modify System Firewall

Impair Defenses: Disable or Modify Tools

Impair Defenses: Downgrade Attack

Impair Defenses: Impair Command History Logging

Impair Defenses: Safe Mode Boot

Implant Internal Image

Indicator Removal on Host

Indicator Removal on Host: Clear Command History

Indicator Removal on Host: Clear Linux or Mac System Logs

Indicator Removal on Host: Clear Windows Event Logs

Indicator Removal on Host: File Deletion

Indicator Removal on Host: Network Share Connection Removal

Indicator Removal on Host: Timestomp

Indirect Command Execution

Inhibit System Recovery

Input Capture

Input Capture: Credential API Hooking

Input Capture: GUI Input Capture

Input Capture: Keylogging

Input Capture: Web Portal Capture

Inter-Process Communication

Inter-Process Communication: Component Object Model

Inter-Process Communication: Dynamic Data Exchange

Inter-Process Communication: XPC Services

Masquerading

Masquerading: Double File Extension

Masquerading: Masquerade Task or Service

Masquerading: Match Legitimate Name or Location

Masquerading: Rename System Utilities

Masquerading: Right-to-Left Override

Masquerading: Space after Filename

Modify Authentication Process

Modify Authentication Process: Domain Controller Authentication

Modify Authentication Process: Network Device Authentication

Modify Authentication Process: Password Filter DLL

Modify Authentication Process: Pluggable Authentication Modules

Modify Authentication Process: Reversible Encryption

Modify Registry

Multi-Factor Authentication Interception

Native API

Network Service Discovery

Network Share Discovery

OS Credential Dumping

OS Credential Dumping: /etc/passwd and /etc/shadow

OS Credential Dumping: Cached Domain Credentials

OS Credential Dumping: DCSync

OS Credential Dumping: LSA Secrets

OS Credential Dumping: LSASS Memory

OS Credential Dumping: NTDS

OS Credential Dumping: Proc Filesystem

OS Credential Dumping: Security Account Manager

Obfuscated Files or Information

Obfuscated Files or Information: Binary Padding

Obfuscated Files or Information: Compile After Delivery

Obfuscated Files or Information: Indicator Removal from Tools

Obfuscated Files or Information: Software Packing

Obfuscated Files or Information: Steganography

Office Application Startup

Office Application Startup: Add-ins

Office Application Startup: Office Template Macros

Office Application Startup: Office Test

Office Application Startup: Outlook Forms

Office Application Startup: Outlook Home Page

Office Application Startup: Outlook Rules

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery: Domain Groups

Permission Groups Discovery: Local Groups

Plist File Modification

Pre-OS Boot

Pre-OS Boot: Bootkit

Pre-OS Boot: Component Firmware

Pre-OS Boot: ROMMONkit

Pre-OS Boot: System Firmware

Process Discovery

Process Injection

Process Injection: Asynchronous Procedure Call

Process Injection: Dynamic-link Library Injection

Process Injection: Extra Window Memory Injection

Process Injection: ListPlanting

Process Injection: Portable Executable Injection

Process Injection: Proc Memory

Process Injection: Process Doppelgänging

Process Injection: Process Hollowing

Process Injection: Ptrace System Calls

Process Injection: Thread Execution Hijacking

Process Injection: Thread Local Storage

Process Injection: VDSO Hijacking

Query Registry

Reflective Code Loading

Remote Service Session Hijacking

Remote Service Session Hijacking: RDP Hijacking

Remote Services: Distributed Component Object Model

Remote Services: Remote Desktop Protocol

Remote Services: SMB/Windows Admin Shares

Remote Services: SSH

Remote Services: Windows Remote Management

Remote System Discovery

Resource Hijacking

Rootkit

Scheduled Task/Job

Scheduled Task/Job: At

Scheduled Task/Job: Container Orchestration Job

Scheduled Task/Job: Cron

Scheduled Task/Job: Scheduled Task

Scheduled Task/Job: Systemd Timers

Screen Capture

Server Software Component

Server Software Component: IIS Components

Server Software Component: SQL Stored Procedures

Server Software Component: Terminal Services DLL

Server Software Component: Transport Agent

Server Software Component: Web Shell

Service Stop

Shared Modules

Software Discovery

Software Discovery: Security Software Discovery

Stage Capabilities: Install Digital Certificate

Steal Application Access Token

Steal or Forge Kerberos Tickets

Steal or Forge Kerberos Tickets: AS-REP Roasting

Steal or Forge Kerberos Tickets: Golden Ticket

Steal or Forge Kerberos Tickets: Kerberoasting

Steal or Forge Kerberos Tickets: Silver Ticket

Subvert Trust Controls

Subvert Trust Controls: Code Signing

Subvert Trust Controls: Code Signing Policy Modification

Subvert Trust Controls: Gatekeeper Bypass

Subvert Trust Controls: Install Root Certificate

Subvert Trust Controls: SIP and Trust Provider Hijacking

System Binary Proxy Execution

System Binary Proxy Execution: CMSTP

System Binary Proxy Execution: Compiled HTML File

System Binary Proxy Execution: Control Panel

System Binary Proxy Execution: InstallUtil

System Binary Proxy Execution: MMC

System Binary Proxy Execution: Mavinject

System Binary Proxy Execution: Mshta

System Binary Proxy Execution: Msiexec

System Binary Proxy Execution: Odbcconf

System Binary Proxy Execution: Regsvcs/Regasm

System Binary Proxy Execution: Regsvr32

System Binary Proxy Execution: Rundll32

System Binary Proxy Execution: Verclsid

System Information Discovery

System Location Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Network Connections Discovery

System Owner/User Discovery

System Script Proxy Execution

System Script Proxy Execution: PubPrn

System Service Discovery

System Services

System Services: Launchctl

System Services: Service Execution

System Shutdown/Reboot

System Time Discovery

Taint Shared Content

Traffic Signaling: Port Knocking

Trusted Developer Utilities Proxy Execution

Trusted Developer Utilities Proxy Execution: MSBuild

Unsecured Credentials

Unsecured Credentials: Bash History

Unsecured Credentials: Credentials In Files

Unsecured Credentials: Group Policy Preferences

Unsecured Credentials: Private Keys

User Execution

User Execution: Malicious File

User Execution: Malicious Image

Valid Accounts

Valid Accounts: Default Accounts

Valid Accounts: Local Accounts

Video Capture

Virtualization/Sandbox Evasion

Virtualization/Sandbox Evasion: System Checks

Virtualization/Sandbox Evasion: Time Based Evasion

Virtualization/Sandbox Evasion: User Activity Based Checks

Windows Management Instrumentation

Network

Adversary-in-the-Middle

Adversary-in-the-Middle: ARP Cache Poisoning

Adversary-in-the-Middle: DHCP Spoofing

Command and Scripting Interpreter: Network Device CLI

Data from Configuration Repository

Data from Configuration Repository: Network Device Configuration Dump

Data from Configuration Repository: SNMP (MIB Dump)

Lateral Tool Transfer

Modify System Image

Modify System Image: Downgrade System Image

Modify System Image: Patch System Image

Network Boundary Bridging

Network Boundary Bridging: Network Address Translation Traversal

Network Denial of Service

Network Denial of Service: Direct Network Flood

Network Denial of Service: Reflection Amplification

Network Sniffing

Non-Application Layer Protocol

Pre-OS Boot: TFTP Boot

Protocol Tunneling

Proxy

Remote Services: VNC

Traffic Signaling

Transfer Data to Cloud Account

Trusted Relationship

Weaken Encryption

Weaken Encryption: Disable Crypto Hardware

Weaken Encryption: Reduce Key Space

CND/IR

Active Scanning

Active Scanning: Scanning IP Blocks

Active Scanning: Vulnerability Scanning

Active Scanning: Wordlist Scanning

Application Layer Protocol

Application Layer Protocol: DNS

Application Layer Protocol: File Transfer Protocols

Application Layer Protocol: Mail Protocols

Application Layer Protocol: Web Protocols

Automated Exfiltration: Traffic Duplication

Cloud Infrastructure Discovery

Cloud Service Dashboard

Cloud Service Discovery

Container and Resource Discovery

Create Account: Cloud Account

Data Encoding

Data Encoding: Non-Standard Encoding

Data Encoding: Standard Encoding

Data Manipulation: Transmitted Data Manipulation

Data Obfuscation

Data Obfuscation: Junk Data

Data Obfuscation: Protocol Impersonation

Data Obfuscation: Steganography

Data Transfer Size Limits

Defacement: Internal Defacement

Deploy Container

Dynamic Resolution: DNS Calculation

Email Collection: Email Forwarding Rule

Email Collection: Remote Email Collection

Encrypted Channel

Encrypted Channel: Asymmetric Cryptography

Encrypted Channel: Symmetric Cryptography

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Exfiltration Over Web Service: Exfiltration to Code Repository

Fallback Channels

Forge Web Credentials

Forge Web Credentials: SAML Tokens

Impair Defenses: Disable Cloud Logs

Impair Defenses: Indicator Blocking

Ingress Tool Transfer

Internal Spearphishing

Modify Cloud Compute Infrastructure

Modify Cloud Compute Infrastructure: Create Cloud Instance

Modify Cloud Compute Infrastructure: Create Snapshot

Modify Cloud Compute Infrastructure: Delete Cloud Instance

Modify Cloud Compute Infrastructure: Revert Cloud Instance

Multi-Factor Authentication Request Generation

Multi-Stage Channels

Non-Standard Port

Obfuscated Files or Information: HTML Smuggling

Permission Groups Discovery: Cloud Groups

Proxy: Domain Fronting

Proxy: Internal Proxy

Proxy: Multi-hop Proxy

Remote Access Software

Remote Service Session Hijacking: SSH Hijacking

Remote Services

Rogue Domain Controller

Scheduled Transfer

Stage Capabilities: Drive-by Target

Stage Capabilities: Link Target

Stage Capabilities: Upload Malware

Stage Capabilities: Upload Tool

Subvert Trust Controls: Mark-of-the-Web Bypass

Unsecured Credentials: Cloud Instance Metadata API

Unsecured Credentials: Container API

Unsecured Credentials: Credentials in Registry

Unused/Unsupported Cloud Regions

Use Alternate Authentication Material

Use Alternate Authentication Material: Application Access Token

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Use Alternate Authentication Material: Web Session Cookie

Valid Accounts: Cloud Accounts

Valid Accounts: Domain Accounts

Web Service

Web Service: Bidirectional Communication

Web Service: One-Way Communication

Perimeter

Drive-by Compromise

Dynamic Resolution: Domain Generation Algorithms

External Remote Services

Impair Defenses: Disable or Modify Cloud Firewall

Phishing

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

Phishing: Spearphishing via Service

Proxy: External Proxy

User Execution: Malicious Link

Web Service: Dead Drop Resolver

Physical

Exfiltration Over Physical Medium

Exfiltration Over Physical Medium: Exfiltration over USB

Hardware Additions

Replication Through Removable Media

Prevention

Acquire Infrastructure

Acquire Infrastructure: Botnet

Acquire Infrastructure: DNS Server

Acquire Infrastructure: Domains

Acquire Infrastructure: Server

Acquire Infrastructure: Virtual Private Server

Acquire Infrastructure: Web Services

Brute Force: Password Cracking

Compromise Accounts

Compromise Accounts: Email Accounts

Compromise Accounts: Social Media Accounts

Compromise Infrastructure

Compromise Infrastructure: Botnet

Compromise Infrastructure: DNS Server

Compromise Infrastructure: Domains

Compromise Infrastructure: Server

Compromise Infrastructure: Virtual Private Server

Compromise Infrastructure: Web Services

Data from Information Repositories

Develop Capabilities

Develop Capabilities: Code Signing Certificates

Develop Capabilities: Digital Certificates

Develop Capabilities: Exploits

Develop Capabilities: Malware

Establish Accounts

Establish Accounts: Email Accounts

Establish Accounts: Social Media Accounts

Gather Victim Identity Information

Gather Victim Identity Information: Credentials

Gather Victim Identity Information: Email Addresses

Gather Victim Identity Information: Employee Names

Gather Victim Network Information

Gather Victim Network Information: DNS

Gather Victim Network Information: Domain Properties

Gather Victim Network Information: IP Addresses

Gather Victim Network Information: Network Security Appliances

Gather Victim Network Information: Network Topology

Gather Victim Network Information: Network Trust Dependencies

Gather Victim Org Information

Gather Victim Org Information: Business Relationships

Gather Victim Org Information: Determine Physical Locations

Gather Victim Org Information: Identify Business Tempo

Gather Victim Org Information: Identify Roles

Obtain Capabilities

Obtain Capabilities: Code Signing Certificates

Obtain Capabilities: Digital Certificates

Obtain Capabilities: Exploits

Obtain Capabilities: Malware

Obtain Capabilities: Tool

Obtain Capabilities: Vulnerabilities

Phishing for Information

Phishing for Information: Spearphishing Attachment

Phishing for Information: Spearphishing Link

Phishing for Information: Spearphishing Service

Search Closed Sources

Search Closed Sources: Purchase Technical Data

Search Closed Sources: Threat Intel Vendors

Search Open Technical Databases

Search Open Technical Databases: CDNs

Search Open Technical Databases: DNS/Passive DNS

Search Open Technical Databases: Digital Certificates

Search Open Technical Databases: Scan Databases

Search Open Technical Databases: WHOIS

Search Open Websites/Domains

Search Open Websites/Domains: Search Engines

Search Open Websites/Domains: Social Media

Search Victim-Owned Websites

Software Deployment Tools

Stage Capabilities

Supply Chain Compromise

Supply Chain Compromise: Compromise Hardware Supply Chain

SV-MA-4

Not knowing what your crown jewels are and how to protect them now and in the future.

Informational References

Orbital Security Alliance - Commercial Space System Security Guidelines

ID: SV-MA-4

DiD Layer: Prevention

CAPEC #: 30 | 69

NIST Rev5 Control Tag Mapping: AC-3 | AC-3(11) | CA-2(2) | CA-8 | CM-12 | CM-12(1) | CP-2 | CP-2(8) | PM-30 | PM-30(1) | RA-3 | RA-3(1) | RA-3(2) | RA-3(3) | RA-9 | SA-3 | SA-3(1) | SA-15 | SA-15(3) | SC-7 | SR-1 | SR-7 | SR-12

Lowest Threat Tier to
Create Threat Event: III

Notional Risk Rank Score:

High-Level Requirements

The Program shall ensure all mission critical elements (hardware and software) comply with high levels of assurance for confidentiality, integrity, and availability to meet mission objectives.

Low-Level Requirements

Requirement	Rationale/Additional Guidance/Notes
The spacecraft shall have on-board intrusion detection/prevention system that monitors the mission critical components or systems. {SV-AC-1,SV-AC-2,SV-MA-4} {SC-7}	During SCRM, criticality analysis will aid in determining supply chain risk. For mission critical functions/components, extra scrutiny must be applied to ensure supply chain is secured.
The Program shall conduct a criticality analysis to identify mission critical functions and critical components and reduce the vulnerability of such functions and components through secure system design. {SV-SP-3,SV-SP-4,SV-AV-7,SV-MA-4} {SR-1,RA-9,SA-15(3),CP-2(8)}
The Program shall use all-source intelligence analysis on threats to mission critical capabilities and/or system components to inform risk management decisions. {SV-MA-4} {RA-3(2)}	Risk assessment is an iterative process. The first assessment occurs early in the process to assess the base design, select mitigating and program specific controls. Assessments continue as the design development continues in order to assess and mitigate new risks and/or threats. This continues throughout the lifecycle because new risks/threats can develop from new vulnerabilities.
The Program shall conduct an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the spacecraft and the information it processes, stores, or transmits. {SV-MA-4} {RA-3}
The Program's risk assessment shall include the full end to end communication pathway from the ground to the spacecraft. {SV-MA-4} {RA-3}
The Program shall document risk assessment results in [risk assessment report]. {SV-MA-4} {RA-3}
The Program shall review risk assessment results [At least annually if not otherwise defined in formal organizational policy]. {SV-MA-4} {RA-3}
The Program shall update the risk assessment [At least annually if not otherwise defined in formal institutional policy] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the spacecraft. {SV-MA-4} {RA-3}	Not all defects (i.e., buffer overflows, race conditions, and memory leaks) can be discovered statically and require execution of the system. This is where space-centric cyber testbeds (i.e., cyber ranges) are imperative as they provide an environment to maliciously attack components in a controlled environment to discover these undesirable conditions. Technology has improved to where digital twins for spacecraft are achievable, which provides an avenue for cyber testing that was often not performed due to perceived risk to the flight hardware.
The Program shall coordinate penetration testing on [program-defined mission critical SV components (hardware and/or software)]. {SV-MA-4} {CA-8}

Related SPARTA Techniques and Sub-Techniques

ID		Name	Description
REC-0001		Gather Spacecraft Design Information	Threat actors may gather information about the victim SV's design that can be used for future campaigns or to help perpetuate other techniques. Information about the SV can include software, firmware, encryption type, purpose, as well as various makes and models of subsystems.
	REC-0001.01	Software	Threat actors may gather information about the victim SV's internal software that can be used for future campaigns or to help perpetuate other techniques. Information (e.g. source code, binaries, etc.) about commercial, open-source, or custom developed software may include a variety of details such as types, versions, and memory maps. Leveraging this information threat actors may target vendors of operating systems, flight software, or open-source communities to embed backdoors or for performing reverse engineering research to support offensive cyber operations.
	REC-0001.02	Firmware	Threat actors may gather information about the victim SV's firmware that can be used for future campaigns or to help perpetuate other techniques. Information about the firmware may include a variety of details such as type and versions on specific devices, which may be used to infer more information (ex. configuration, purpose, age/patch level, etc.). Leveraging this information threat actors may target firmware vendors to embed backdoors or for performing reverse engineering research to support offensive cyber operations.
	REC-0001.03	Cryptographic Algorithms	Threat actors may gather information about any cryptographic algorithms used on the victim SV's that can be used for future campaigns or to help perpetuate other techniques. Information about the algorithms can include type and private keys. Threat actors may also obtain the authentication scheme (i.e., key/password/counter values) and leverage it to establish communications for commanding the target SV or any of its subsystems. Some SVs only require authentication vice authentication and encryption, therefore once obtained, threat actors may use any number of means to command the spacecraft without needing to go through a legitimate channel. The authentication information may be obtained through reconnaissance of the ground system or retrieved from the victim SV.
	REC-0001.04	Data Bus	Threat actors may gather information about the data bus used within the victim SV that can be used for future campaigns or to help perpetuate other techniques. Information about the data bus can include the make and model which could lead to more information (ex. protocol, purpose, controller, etc.), as well as locations/addresses of major subsystems residing on the bus. Threat actors may also gather information about the bus voltages of the victim SV. This information can include optimal power levels, connectors, range, and transfer rate.
	REC-0001.05	Thermal Control System	Threat actors may gather information about the thermal control system used with the victim SV that can be used for future campaigns or to help perpetuate other techniques. Information gathered can include type, make/model, and varies analysis programs that monitor it.
	REC-0001.06	Maneuver & Control	Threat actors may gather information about the station-keeping control systems within the victim SV that can be used for future campaigns or to help perpetuate other techniques. Information gathered can include thruster types, propulsion types, attitude sensors, and data flows associated with the relevant subsystems.
	REC-0001.07	Payload	Threat actors may gather information about the type(s) of payloads hosted on the victim SV. This information could include specific commands, make and model, and relevant software. Threat actors may also gather information about the location of the payload on the bus and internal routing as it pertains to commands within the payload itself.
	REC-0001.08	Power	Threat actors may gather information about the power system used within the victim SV. This information can include type, power intake, and internal algorithms. Threat actors may also gather information about the solar panel configurations such as positioning, automated tasks, and layout. Additionally, threat actors may gather information about the batteries used within the victim SV. This information can include the type, quantity, storage capacity, make and model, and location.
	REC-0001.09	Fault Management	Threat actors may gather information about any fault management that may be present on the victim SV. This information can help threat actors construct specific attacks that may put the SV into a fault condition and potentially a more vulnerable state depending on the fault response.
REC-0003		Gather Spacecraft Communications Information	Threat actors may obtain information on the victim SV's communication channels in order to determine specific commands, protocols, and types. Information gathered can include commanding patterns, antenna shape and location, beacon frequency and polarization, and various transponder information.
	REC-0003.01	Communications Equipment	Threat actors may gather information regarding the communications equipment and its configuration that will be used for communicating with the victim SV. This includes: Antenna Shape: This information can help determine the range in which it can communicate, the power of it's transmission, and the receiving patterns. Antenna Configuration/Location: This information can include positioning, transmission frequency, wavelength, and timing. Telemetry Signal Type: Information can include timing, radio frequency wavelengths, and other information that can provide insight into the spacecraft's telemetry system. Beacon Frequency: This information can provide insight into where the SV is located, what it's orbit is, and how long it can take to communicate with a ground station. Beacon Polarization: This information can help triangulate the SV as it orbits the earth and determine how a satellite must be oriented in order to communicate with the victim SV. Transponder: This could include the number of transponders per band, transponder translation factor, transponder mappings, power utilization, and/or saturation point.
	REC-0003.02	Commanding Details	Threat actors may gather information regarding the commanding approach that will be used for communicating with the victim SV. This includes: Commanding Signal Type: This can include timing, radio frequency wavelengths, and other information that can provide insight into the spacecraft's commanding system. Valid Commanding Patterns: Most commonly, this comes in the form of a command database, but can also include other means that provide information on valid commands and the communication protocols used by the victim SV. Valid Commanding Periods: This information can provide insight into when a command will be accepted by the SV and help the threat actor construct a viable attack campaign.
REC-0004		Gather Launch Information	Threat actors may gather the launch date and time, location of the launch (country & specific site), organizations involved, launch vehicle, etc. This information can provide insight into protocols, regulations, and provide further targets for the threat actor, including specific vulnerabilities with the launch vehicle itself.
	REC-0004.01	Flight Termination	Threat actor may obtain information regarding the vehicle's flight termination system. Threat actors may use this information to perform later attacks and target the vehicle's termination system to have desired impact on mission.
REC-0009		Gather Mission Information	Threat actors may initially seek to gain an understanding of a target mission by gathering information commonly captured in a Concept of Operations (or similar) document and related artifacts. Information of interest includes, but is not limited to: - the needs, goals, and objectives of the system - system overview and key elements/instruments - modes of operations (including operational constraints) - proposed capabilities and the underlying science/technology used to provide capabilities (i.e., scientific papers, research studies, etc.) - physical and support environments

Related SPARTA Countermeasures

ID		Name	Description	NIST Rev5	D3FEND	ISO 27001