Threat actors may perform specific commands in order to modify onboard values that the victim spacecraft relies on. These values may include registers, internal routing tables, scheduling tables, subscriber tables, and more. Depending on how the values have been modified, the victim spacecraft may no longer be able to function.
| ID | Name | Description | NIST Rev5 | D3FEND | ISO 27001 | |
| CM0069 | Process White Listing | Simple process ID whitelisting on the firmware level could impede attackers from instigating unnecessary processes which could impact the spacecraft | CM-7(5) SI-10(5) | A.8.19 | ||
| CM0032 | On-board Intrusion Detection & Prevention | Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system. | AU-14 AU-2 AU-3 AU-3(1) AU-4 AU-4(1) AU-5 AU-5(2) AU-5(5) AU-6(1) AU-6(4) AU-8 AU-9 AU-9(2) AU-9(3) CA-7(6) CM-11(3) CP-10 CP-10(4) IR-4 IR-4(11) IR-4(12) IR-4(14) IR-4(5) IR-5 IR-5(1) RA-10 RA-3(4) SA-8(21) SA-8(22) SA-8(23) SC-16(2) SC-32(1) SC-5 SC-5(3) SC-7(10) SC-7(9) SI-10(6) SI-16 SI-17 SI-3 SI-3(8) SI-4 SI-4(1) SI-4(10) SI-4(11) SI-4(13) SI-4(16) SI-4(17) SI-4(2) SI-4(23) SI-4(24) SI-4(25) SI-4(4) SI-4(5) SI-6 SI-7(17) SI-7(8) | A.8.15 A.8.15 A.8.6 A.8.17 A.5.33 A.8.15 A.8.15 A.5.29 A.5.25 A.5.26 A.5.27 A.5.7 A.8.12 A.8.7 A.8.16 A.8.16 A.8.16 A.8.16 | ||
| CM0042 | Robust Fault Management | Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft. | CP-4(5) SA-8(24) SC-16(2) SC-24 SC-5 SI-13 SI-17 | |||
| CM0044 | Cyber-safe Mode | Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan, based on equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable. | CP-10 CP-10(4) CP-12 CP-2(5) IR-4 IR-4(12) IR-4(3) SA-8(21) SA-8(23) SA-8(24) SC-16(2) SC-24 SC-5 SI-11 SI-17 SI-7(17) | A.5.29 A.5.25 A.5.26 A.5.27 | ||
| ID | Name | Description | STIX Pattern |
| UACE-3 | Legitimate Command with Malicious Parameters Targeting Subsystems | A legitimate command is sent, but with parameters that exceed safe thresholds for a subsystem or component on the spacecraft. This could include commands that affect critical subsystems like power distribution, attitude control, or thermal regulation, potentially leading to damage, instability, or malfunction. The misuse of valid parameters across different subsystems can result in severe operational impact or hardware degradation. | [x-opencti-command-log:command_type = 'legitimate_command' AND x-opencti-command-log:target_subsystem != 'expected_subsystem' AND x-opencti-command-log:parameter_value > 'safe_threshold'] |
| UACE-16 | Irregular Orbit Maneuver Commands Detected on Attitude Control | Detection of unauthorized or irregular command executions within the Attitude Control System of a spacecraft, indicating possible attempts to manipulate the spacecraft's orientation and trajectory. These activities can suggest malicious intent to disrupt or take control of the spacecraft's operations. | [x-opencti-command:observable_type = 'adcs-command' AND x-opencti-command:value != 'expected_orbit_maneuver_commands'] |
| UACE-17 | Abnormal Burn Duration Detected in Propulsion Subsystem | Detection of an attack targeting the propulsion subsystem by altering the burn duration. Anomalous burn durations (either too long or too short) may indicate unauthorized modification of propulsion commands or control logic, potentially leading to orbital instability or resource wastage. | [x-opencti-propulsion-system:burn_duration > 'expected_max_duration' OR x-opencti-propulsion-system:burn_duration < 'expected_min_duration'] |
| UACE-18 | Suspicious Burn Sequence Executed Outside Planned Timeline | Detection of an unauthorized burn sequence executed outside the expected timeline. This could indicate a command injection or tampering with the control logic of the propulsion system to disrupt planned orbital adjustments. | [x-opencti-propulsion-system:burn_command_time != 'expected_burn_time'] |
| UACE-19 | Unexpected Thrust Direction Detected in Propulsion Subsystem | Detection of an attack where the thrust direction has been altered outside of the expected parameters. Unauthorized changes to the thrust direction can lead to misalignment of the spacecraft's trajectory and potential mission failure. | [x-opencti-propulsion-system:thrust_direction != 'expected_direction' AND x-opencti-propulsion-system:burn_command_issued = 'true'] |
| UACE-22 | Multiple Consecutive Burn Commands Exceeding Duration Limits | This IOC detects repeated burn commands where the duration exceeds safe operational limits. Multiple consecutive commands with long durations may indicate a deliberate attack aiming to destabilize the spacecraft's orbit or waste fuel resources. | [x-opencti-propulsion-system:burn_duration > 'expected_duration' AND x-opencti-propulsion-system:consecutive_burn_commands > 'threshold_value'] |
| CSNE-15 | Unexpected Communication Between Subsystems | Detection of unexpected communication between spacecraft subsystems that should not normally interact directly on the same bus, potentially indicating lateral movement by a threat actor across a flat architecture. For example, a subsystem could attempt to modify the watchdog timer or other onboard values. | [x-opencti-bus-traffic:src_ref.subsystem != 'expected_subsystem' AND x-opencti-bus-traffic:dst_ref.subsystem != 'authorized_subsystem'] |
| MIRE-6 | Unexpected Modification of Memory Location Associated with Telemetry Data | Detection of an unexpected modification in the memory block associated with telemetry data. The system identifies abnormal write operations in memory locations that store telemetry information before it is transmitted, suggesting manipulation by malware. Adversaries may change telemetry before downlink in order to prevent the ground from being aware of malware being on the spacecraft. | [x-opencti-memory:block = 'telemetry_memory_block' AND x-opencti-memory:write_operation = 'unexpected' AND x-opencti-memory:modification_time != 'authorized_time'] |
| SMSR-4 | ADCS Onboard Values Manipulation | Detection of suspicious modifications to the onboard values of the Attitude Determination and Control subsystem, such as sudden changes in quaternion values, unexpected gyro readings, or abnormal magnetometer values. Such anomalies could indicate unauthorized modifications by threat actors aiming to manipulate spacecraft orientation. The intent might be to force the automated control system to perform unnecessary corrective maneuvers, leading to resource depletion or potential mission failure. | [x-opencti-telemetry-data:telemetry_type = 'attitude-control' AND x-opencti-telemetry-data:parameter_name IN ('quaternion','gyro_reading','magnetometer_value') AND x-opencti-telemetry-data:value_change > 'threshold_value' AND x-opencti-telemetry-data:change_rate > 'expected_rate'] |
| SMSR-5 | Unexpected Spacecraft Telemetry or Movement Detected on Attitude | Detection of unexpected telemetry or movement data from the spacecraft's Attitude Control System that deviates from planned and expected orbital maneuvers. Such anomalies may indicate unauthorized control commands or manipulation, potentially pointing to a cyber attack aimed at altering the spacecraft's intended course or orientation. | [x-opencti-telemetry:movement_type = 'orbit-deviation' AND x-opencti-telemetry:deviation_value > 'threshold_value'] |
| SMSR-6 | Unauthorized Fault Management Configuration Change Detected Outside Expected Time | Monitors for fault management configuration modifications occurring at unauthorized times, which may indicate an attempt to disable critical protections during vulnerable operational states. | [x-opencti-fault-management:configuration != 'baseline_configuration' AND x-opencti-fault-management:modification_time != 'authorized_time_window'] |
| SMSR-7 | Unauthorized Star Map Changes in Star Trackers | Detection of unauthorized changes to star maps within star trackers. This can result in incorrect positional readings and severe degradation or mission loss. The pattern monitors for changes in the star map data using hash verification, with unexpected hashes indicating potential unauthorized modification. Integrity is paramount for Star Trackers to work properly. | [x-opencti-onboard-data:component = 'star_tracker' AND x-opencti-onboard-data:data_type = 'star_map' AND x-opencti-onboard-data:hashes != 'expected_star_map_hash'] |
| SMSR-8 | Sudden Orbit Correction Detected Outside of Planned Windows | Detection of an unplanned orbit adjustment executed by the Attitude Determination and Control subsystem. This indicates that the system may have been manipulated to trigger unnecessary orbit corrections, leading to resource wastage. | [x-opencti-orbit-adjustment:status = 'active' AND x-opencti-orbit-adjustment:scheduled != 'TRUE'] |
| SMSR-16 | Unexpected Fault Management Process Termination | Monitors the fault management service for unexpected termination, which could indicate a targeted attempt to disable protections. | [process:name = 'fault_management_service' AND process:status != 'running'] |
| DISE-3 | Multiple Failed Attempts to Access Encrypted Data | Multiple failed attempts to access files or data stored on the spacecraft, indicating that critical data has POTENTIALLY been rendered inaccessible due to ransomware activity. This pattern focuses on detecting repeated access failures. The data could be corrupted via just environmental issues but could also indicate malicious activity as well. | [file:status = 'unreadable' AND file:access_attempts > 'threshold'] |
| DISE-5 | Unusual File Encryption Activity Detected | Detection of files being encrypted with an unknown or unexpected encryption algorithm, potentially indicating ransomware activity on spacecraft systems. This can involve newly created or modified files with unusual extensions such as .encrypted or .locked. - if ransomware were to include those extenstions then you would att AND file:extension IN ('.encrypted', '.locked') to the pattern to become. [file:encryption_algorithm != 'none' AND file:extension IN ('.encrypted', '.locked') AND file:modified_time = 'recent'] | [file:x_encryption_algorithm != 'none' AND file:modified_time = 'recent'] |
| DISE-7 | Attitude Sensor Data and Actuator Behavior | Detection of sudden changes or spikes in sensor data that do not correlate with known physical conditions, indicating potential anomalies. Such behavior, when combined with unexpected actuator operations like unintended thruster firings or erratic reaction wheel speeds, suggests possible malicious interference or system faults. This can be detected through baselining/normalization of spacecraft speeds using machine learning algorithms to identify deviations from expected patterns. | [x-opencti-sensor-data:sensor_type = 'inertial-measurement-unit' AND x-opencti-sensor-data:anomaly_value > 'threshold_value']AND[x-opencti-actuator:actuator_type IN ('thruster','reaction-wheel') AND x-opencti-actuator:operation_status = 'unexpected'] |
| DISE-9 | Unexpected Change in Gyroscope Sensor Data | Detection of an unexpected, large deviation in gyroscope sensor data that exceeds normal operational thresholds, indicating potential tampering with the Attitude Determination and Control subsystem. This may lead to automated correction tasks being triggered unnecessarily. | [x-opencti-sensor-data:sensor_type = 'gyroscope' AND x-opencti-sensor-data:reading_delta > 'threshold'] |
| DISE-10 | Abnormal Data Flow in Attitude Control Telemetry | Detection of abnormal telemetry data rates in the Attitude Determination and Control subsystem, indicating potential manipulation of onboard values or interference with the control signals. This can trigger unnecessary corrective maneuvers or system malfunctions. An alternative pattern could be[x-opencti-telemetry-data:telemetry_type = 'attitude-control' AND (x-opencti-telemetry-data:parameter_name = 'quaternion' OR x-opencti-telemetry-data:parameter_name = 'gyro_reading' OR x-opencti-telemetry-data:parameter_name = 'magnetometer_value') AND x-opencti-telemetry-data:value_change > 'threshold_value' AND x-opencti-telemetry-data:change_rate > 'expected_rate'] | [x-opencti-telemetry:telemetry_type = 'attitude_control' AND x-opencti-telemetry:data_rate > 'expected_rate'] |
| DISE-17 | Unauthorized Modification of Critical Onboard Values | This monitors for the unauthorized modification of critical onboard data elements essential for spacecraft control, telemetry, and security functions. Changes detected in these values could indicate tampering, defensive evasion, or system compromise. The monitored data elements could include and are derived fromhttps://sparta.aerospace.org/technique/DE-0003/:Vehicle Command Counter (VCC) Rejected Command Counter Command Receiver On/Off Mode Command Receivers Received Signal Strength Command Receiver Lock Modes Telemetry Downlink Modes Cryptographic Modes Received Commands System Clock GPS Ephemeris Watchdog Timer (WDT) Poisoned AI/ML Training Data This is intentionally broad to ensure coverage of multiple subsystems where unauthorized modifications could disrupt normal spacecraft operations or create vulnerabilities for further exploitation. | [x-opencti-data-element:modification_detected = true AND x-opencti-data-element:modification_source != 'trusted_source'] |