Threat actors use flooding attacks to disrupt communications by injecting unexpected noise or messages into a transmission channel. Several types of attack are consistent with this method of exploitation, and they can produce various outcomes, the most prominent being denial of service and data corruption. Several elements of the space vehicle may be targeted by jamming and flooding attacks, and depending on the timing of the attack, the results for the availability of the system can be devastating.
| ID | Name | Description | NIST Rev5 | D3FEND | ISO 27001 |
|---|---|---|---|---|---|
| CM0083 | Antenna Nulling and Adaptive Filtering | Satellites can be designed with antennas that “null” or minimize signals from a particular geographic region on the surface of the Earth or locations in space where jamming is detected. Nulling is useful when jamming is from a limited number of detectable locations, but one of the downsides is that it can also block transmissions from friendly users that fall within the nulled area. If a jammer is sufficiently close to friendly forces, the nulling antenna may not be able to block the jammer without also blocking legitimate users. Adaptive filtering, in contrast, is used to block specific frequency bands regardless of where these transmissions originate. Adaptive filtering is useful when jamming is consistently within a particular range of frequencies because these frequencies can be filtered out of the signal received on the satellite while transmissions can continue around them. However, a wideband jammer could interfere with a large enough portion of the spectrum being used that filtering out the jammed frequencies would degrade overall system performance. Source: https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/210225_Harrison_Defense_Space.pdf?N2KWelzCz3hE3AaUUptSGMprDtBlBSQG | SC-40 SI-4(14) | | |
| CM0036 | Session Termination | Terminate the connection associated with a communications session at the end of the session or after an acceptable amount of inactivity, which is established via the concept of operations. | AC-12 SC-10 SI-14(3) | | A.8.20 |
| CM0034 | Monitor Critical Telemetry Points | Monitor defined telemetry points for malicious activities (i.e., jamming attempts, commanding attempts (e.g., command modes, counters, etc.)). This would include valid/processed commands as well as commands that were rejected. Telemetry monitoring should synchronize with ground-based Defensive Cyber Operations (i.e., SIEM/auditing) to create full space system situational awareness from a cybersecurity perspective. | AC-17(1) AU-3(1) CA-7(6) IR-4(14) PL-8 PL-8(1) SA-8(13) SC-16 SC-7 SI-3(8) | | A.8.16 A.5.8 A.5.14 A.8.16 A.8.20 A.8.22 A.8.23 A.8.26 |
| CM0070 | Alternate Communications Paths | Establish alternate communications paths to reduce the risk of all communications paths being affected by the same incident. | AC-17 CP-2 CP-8(3) PL-8 PL-8(1) SC-47 | | A.5.14 A.6.7 A.8.1 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.5.8 |
| CM0032 | On-board Intrusion Detection & Prevention | Utilize an on-board intrusion detection/prevention system that monitors the mission-critical components or systems and audits/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.), and it should address signature-based attacks along with dynamic, never-before-seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a holistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system. | AU-14 AU-2 AU-3 AU-3(1) AU-4 AU-4(1) AU-5 AU-5(2) AU-5(5) AU-6(1) AU-6(4) AU-8 AU-9 AU-9(2) AU-9(3) CA-7(6) CM-11(3) CP-10 CP-10(4) IR-4 IR-4(11) IR-4(12) IR-4(14) IR-4(5) IR-5 IR-5(1) PL-8 PL-8(1) RA-10 RA-3(4) SA-8(21) SA-8(22) SA-8(23) SC-16(2) SC-32(1) SC-5 SC-5(3) SC-7(10) SC-7(9) SI-10(6) SI-16 SI-17 SI-3 SI-3(8) SI-4 SI-4(1) SI-4(10) SI-4(11) SI-4(13) SI-4(16) SI-4(17) SI-4(2) SI-4(23) SI-4(24) SI-4(25) SI-4(4) SI-4(5) SI-6 SI-7(17) SI-7(8) | | A.8.15 A.8.15 A.8.6 A.8.17 A.5.33 A.8.15 A.8.15 A.5.29 A.5.25 A.5.26 A.5.27 A.5.8 A.5.7 A.8.12 A.8.7 A.8.16 A.8.16 A.8.16 A.8.16 |
| CM0042 | Robust Fault Management | Ensure the fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting the integrity of telemetry to cause action from the ground, or some sort of proximity operation to cause the spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft. | CP-2 CP-4(5) PL-8 PL-8(1) SA-3 SA-4(5) SA-8 SA-8(13) SA-8(24) SA-8(3) SA-8(4) SC-16(2) SC-24 SC-5 SI-13 SI-17 | | 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 |
| CM0044 | Cyber-safe Mode | Provide the capability to enter the spacecraft into a configuration-controlled and integrity-protected state representing a known, operational cyber-safe state (e.g., cyber-safe mode). Spacecraft should enter a cyber-safe mode when conditions that threaten the platform are detected. Cyber-safe mode is an operating mode of a spacecraft during which all nonessential systems are shut down and the spacecraft is placed in a known good state using validated software and configuration settings. Within cyber-safe mode, authentication and encryption should still be enabled. The spacecraft should be capable of reconstituting firmware and software functions to pre-attack levels to allow for the recovery of functional capabilities. This can be performed by self-healing, or the healing can be aided from the ground. However, the spacecraft needs to have the capability to replan based on the equipment still available after a cyber-attack. The goal is for the spacecraft to resume full mission operations. If that is not possible, a reduced level of mission capability should be achieved. Cyber-safe mode software/configuration should be stored onboard the spacecraft in memory with hardware-based controls and should not be modifiable. | CP-10 CP-10(4) CP-12 CP-2 CP-2(5) IR-4 IR-4(12) IR-4(3) PL-8 PL-8(1) SA-3 SA-8 SA-8(10) SA-8(12) SA-8(13) SA-8(21) SA-8(23) SA-8(24) SA-8(3) SA-8(4) SC-16(2) SC-24 SC-5 SI-11 SI-17 SI-7(17) | | 7.5.1 7.5.2 7.5.3 A.5.2 A.5.29 A.8.1 A.5.29 A.5.25 A.5.26 A.5.27 A.5.8 A.5.2 A.5.8 A.8.25 A.8.31 A.8.27 A.8.28 |
| CM0068 | Reinforcement Learning | Institute a reinforcement learning agent that will detect anomalous events and redirect processes to proceed by ignoring malicious data/input. | IR-5 IR-5(1) SI-4 SI-4(2) | | A.8.16 |
| CM0029 | TRANSEC | Utilize TRANSEC in order to prevent interception, disruption of reception, communications deception, and/or derivation of intelligence by analysis of transmission characteristics such as signal parameters or message externals. For example, jam-resistant waveforms can be utilized to improve the resistance of radio frequency signals to jamming and spoofing. Note: TRANSEC is the field of COMSEC which deals with the security of communication transmissions, rather than that of the information being communicated. | AC-17 AC-18 AC-18(5) CA-3 CP-8 PL-8 PL-8(1) SC-16 SC-40 SC-40(1) SC-40(3) SC-40(4) SC-5 SC-8(1) SC-8(3) SC-8(4) | | A.5.14 A.6.7 A.8.1 A.5.14 A.8.1 A.8.20 A.5.14 A.8.21 A.5.29 A.7.11 A.5.8 A.5.33 |
| ID | Name | Description | STIX Pattern |
|---|---|---|---|
| UACE-5 | Unexpected counter increment (valid or invalid count) | The flight software command counter increments without a corresponding legitimate ground station action. The 'expected' value is achieved only when both of the following conditions are met: 1) the flight software command counter increments; and 2) a legitimate ground station action created that increment. An increment that fails condition 2 yields the 'unexpected' value. This could be from valid or invalid commands; typically there are separate valid and malformed command counters on a spacecraft. | `[x-opencti-command-counter:value = 'unexpected']` |
| UACE-10 | Logs of Processed Commands Flooding | Detection of an unusually high number of processed commands recorded in spacecraft logs, which may indicate a flooding attack using valid commands. Such a surge can overwhelm spacecraft processing capabilities, leading to resource exhaustion such as CPU spikes, memory depletion, and increased battery usage. Monitoring log entries can reveal whether the spacecraft is being flooded with valid but excessive commands, which could create denial of service conditions by saturating system processing resources. | `[x-opencti-log-entry:log_type = 'command' AND x-opencti-log-entry:entry_count > 'expected_threshold' AND x-opencti-log-entry:entry_rate > 'normal_rate']` |
| CSNE-8 | Denial of Service Due to Saturated Bandwidth Detected | Detection of bandwidth usage that exceeds the maximum capacity of the communication channel, indicating a denial of service attack caused by flooding. This saturation prevents legitimate data from being transmitted, effectively disabling spacecraft communication. | `[network-traffic:x_bandwidth_usage > 'maximum_capacity' AND network-traffic:protocols[*] = 'satellite_communication']` |
| CSNE-12 | Generic Flooding Attack | Detection of generic flooding attacks aimed at spacecraft communication channels, characterized by an overwhelming volume of unexpected noise or message injections. This can result in denial of service (DoS) or data corruption by saturating the communication link with excessive packets or signals, thereby disrupting normal spacecraft operations. Flooding attacks could target various communication elements, including uplink, downlink, and crosslink channels, potentially leading to significant degradation of system availability, especially during critical mission phases. | `[network-traffic:protocols[*] = 'satellite_vehicle' AND network-traffic:src_port IN ('uplink_port','crosslink_port') AND network-traffic:packet_size > 'expected_max_size' AND network-traffic:packet_count > 'normal_packet_rate']` |
| CSNE-13 | Erroneous Input Flooding | Detection of erroneous input flooding attacks targeting spacecraft communication channels by injecting irrelevant noise, data, or signals. This flooding method disrupts the processing of legitimate messages by introducing a high volume of non-system-relevant or malformed packets. Even though these inputs are irrelevant, the spacecraft may still expend computing resources attempting to process or discard them, leading to resource exhaustion and potential degradation of communication integrity and availability. Such attacks aim to cause denial of service conditions by saturating the spacecraft's computational resources and communication bandwidth with useless data. | `[network-traffic:protocols[*] = 'satellite_vehicle' AND network-traffic:data_size < 'minimum_valid_size' AND network-traffic:data_content = 'non-system-relevant' AND network-traffic:packet_count > 'expected_threshold']` |
| CSNE-42 | Multiple Failed Downlink Attempts from Spacecraft | Detection of repeated failed attempts by the spacecraft to send telemetry data via the downlink, indicating potential disruption or interference preventing successful transmission. | `[x-opencti-telemetry-log:direction = 'downlink' AND x-opencti-telemetry-log:transmission_attempts > 'threshold' AND x-opencti-telemetry-log:status = 'failed']` |
| ARFS-6 | Abnormal Signal Strength | Detection of abnormal or excessive signal strength in communications, which could indicate the presence of a rogue device attempting to overpower legitimate signals and gain control of the spacecraft. | `[network-traffic:signal_strength > 'expected_threshold' AND network-traffic:protocols[*] = 'satellite_communication']` |
| MIRE-8 | Resource Exhaustion Due to Handling Invalid Inputs | Detection of resource exhaustion on spacecraft systems due to attacks involving invalid inputs. This indicator focuses on identifying high memory and CPU utilization caused by the processing of numerous invalid inputs, which may lead to critical errors, safe mode transitions, or reboots of flight software (FSW) and applications. Such activity can be indicative of a deliberate attempt to exhaust spacecraft resources, resulting in a denial of service (DoS) condition or other operational impacts. Monitoring for these conditions is essential to maintaining spacecraft stability and ensuring mission success. | `[x-opencti-system-log:memory_usage > 'threshold' AND x-opencti-system-log:cpu_usage > 'threshold' AND x-opencti-error-log:error_type = 'invalid_input_handling' AND x-opencti-system-log:event_count > 'threshold']` |
| SMSR-2 | High CPU Utilization Due to Anomalous/Malicious Activity | Detection of high CPU utilization on spacecraft systems, potentially caused by anomalous or unexpected activity. This indicator focuses on identifying when CPU load exceeds normal operational thresholds, especially due to the execution of processes that are not recognized as part of normal spacecraft operations. Such activity could be indicative of a cyber attack, such as a resource exhaustion attack, where unauthorized processes or malware attempt to degrade system performance, leading to potential mission impacts or denial of service conditions. | `[x-opencti-processor-usage:cpu_load > 'threshold' AND x-opencti-processor-usage:activity_type = 'unexpected' AND x-opencti-processor-usage:process_name NOT IN ('list_of_known_processes')]` |
| DISE-14 | Unexpected Audit Log Rotation | Monitors for unauthorized or unexpected log rotation events that could lead to data loss or concealment of malicious activity. | `[x-opencti-audit-log:rotation_event = 'triggered' AND x-opencti-audit-log:timestamp != 'expected_time']` |
| DISE-15 | High Volume of Audit Log Entries Detected | Monitors for excessive audit log activity, which could be indicative of log flooding or attempts to force log overflow to conceal malicious activity. | `[x-opencti-audit-log:event_count > 'threshold' AND x-opencti-audit-log:timestamp = 'recent_period']` |
| DISE-16 | Audit Log Capacity Limit Reached | Monitors for instances where the flight software's, or overall system's, audit log has reached its maximum capacity, potentially preventing the logging of further events and concealing ongoing malicious activity. | `[x-opencti-audit-log:capacity_used >= 'max_capacity']` |
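The telemetry-point monitoring in CM0034 and the UACE-5 / UACE-10 indicators above can be turned into concrete ground-side checks. The following is an added example (not code from the SPARTA project): it correlates the on-board valid and malformed command counters reported in telemetry against the ground station's own record of radiated commands, and separately flags trailing-window command rates above an expected threshold. The counter width (`COUNTER_MOD`), the sample telemetry and the ground log are constructed assumptions.

```python
COUNTER_MOD = 2 ** 16  # assumed width of the FSW command counters (they wrap)

# Constructed sample telemetry: (t_seconds, valid_cmd_counter, malformed_cmd_counter)
TELEMETRY = [
    (0, 100, 4), (1, 101, 4), (2, 101, 4), (3, 102, 4),
    (4, 102, 4), (5, 113, 4), (6, 125, 9), (7, 140, 15),
]
# Constructed ground-station record: t_seconds -> commands actually radiated then
GROUND_SENT = {1: 1, 3: 1}


def counter_delta(newer, older):
    """Increment between two counter readings, tolerant of wrap-around."""
    return (newer - older) % COUNTER_MOD


def unexpected_counter_events(telemetry, ground_sent):
    """UACE-5: counter increments (valid or malformed) not explained by a ground action.
    Returns [(t, unexplained_increment)] per interval where on-board counters advanced
    more than the ground station's own command log accounts for."""
    events = []
    for (t0, v0, m0), (t1, v1, m1) in zip(telemetry, telemetry[1:]):
        delta = counter_delta(v1, v0) + counter_delta(m1, m0)
        unexplained = delta - ground_sent.get(t1, 0)
        if unexplained > 0:
            events.append((t1, unexplained))
    return events


def command_flood_windows(telemetry, window_s, max_cmds_per_window):
    """UACE-10: commands processed in the trailing window exceed the expected rate.
    Returns [(t, processed_in_window)] for samples that breach the threshold."""
    flagged = []
    for i, (t, v, m) in enumerate(telemetry):
        j = i  # walk back to the oldest sample still inside the trailing window
        while j > 0 and telemetry[j - 1][0] >= t - window_s:
            j -= 1
        _, v0, m0 = telemetry[j]
        processed = counter_delta(v, v0) + counter_delta(m, m0)
        if processed > max_cmds_per_window:
            flagged.append((t, processed))
    return flagged


if __name__ == "__main__":
    print("UACE-5 unexpected increments:", unexpected_counter_events(TELEMETRY, GROUND_SENT))
    print("UACE-10 flood windows:", command_flood_windows(TELEMETRY, 3, 10))
```

With the constructed data, the first four seconds are fully explained by the ground log, while the burst from t=5 onward is reported by both checks; the malformed counter rising alongside the valid one is what distinguishes erroneous-input flooding from a surge of valid commands.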