Replace Cryptographic Keys

Threat actors may attempt to fully replace the cryptographic keys on the space vehicle which could lockout the mission operators and enable the threat actor's communication channel. Once the encryption key is changed on the space vehicle, the spacecraft is rendered inoperable from the operators perspective as they have lost commanding access. Threat actors may exploit weaknesses in the key management strategy. For example, the threat actor may exploit the over-the-air rekeying procedures to inject their own cryptographic keys.

ID: PER-0004

Sub-techniques: No sub-techniques

Related Aerospace Threat IDs: SV-AC-1 SV-AC-3

Related MITRE ATT&CK TTPs: T1531

ⓘ

Tactic: Persistence

Created: 2022/10/19

Last Modified: 2023/04/22

Countermeasures

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0028	Tamper Protection	Perform physical inspection of hardware to look for potential tampering. Leverage tamper proof protection where possible when shipping/receiving equipment.	AC-14 \| CA-8(3) \| CM-7(9) \| MA-7 \| PL-8 \| PL-8(1) \| PL-8(2) \| PM-30 \| PM-30(1) \| RA-3(1) \| SA-10(3) \| SA-10(4) \| SA-11 \| SA-3 \| SA-4(5) \| SA-4(9) \| SA-8 \| SA-8(13) \| SA-9 \| SC-51 \| SR-1 \| SR-1 \| SR-10 \| SR-11 \| SR-11(3) \| SR-2 \| SR-2(1) \| SR-3 \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5 \| SR-5(2) \| SR-6(1) \| SR-9 \| SR-9(1)		A.5.8 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.29 \| A.8.30 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29
CM0002	COMSEC	A component of cybersecurity to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material. It is imperative to utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.	AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(10) \| AC-17(2) \| AC-18 \| AC-18(1) \| AC-2(11) \| AC-3(10) \| CA-3 \| IA-4(9) \| IA-5 \| IA-5(7) \| IA-7 \| PL-8 \| PL-8(1) \| SA-8(18) \| SA-9(6) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(2) \| SC-12(3) \| SC-12(6) \| SC-13 \| SC-16(3) \| SC-28(1) \| SC-28(3) \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(18) \| SC-7(5) \| SC-8(1) \| SC-8(3) \| SI-10 \| SI-10(3) \| SI-10(5) \| SI-10(6) \| SI-19(4) \| SI-3(8)		A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.8.21 \| A.5.16 \| A.5.17 \| A.5.8 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.12 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.33 \| A.8.11
CM0030	Crypto Key Management	Leverage best practices for crypto key management as defined by organization like NIST or the National Security Agency. Leverage only approved cryptographic algorithms, cryptographic key generation algorithms or key distribution techniques, authentication techniques, or evaluation criteria. Encryption key handling should be performed outside of the onboard software and protected using cryptography. Encryption keys should be restricted so that they cannot be read via any telecommands.	PL-8 \| PL-8(1) \| SA-3 \| SA-4(5) \| SA-8 \| SA-9(6) \| SC-12 \| SC-12(1) \| SC-12(2) \| SC-12(3) \| SC-12(6) \| SC-28(3) \| SC-8(1)		A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.33 \| A.8.24
CM0032	On-board Intrusion Detection & Prevention	Utilize on-board intrusion detection/prevention system that monitors the mission critical components or systems and audit/logs actions. The IDS/IPS should have the capability to respond to threats (initial access, execution, persistence, evasion, exfiltration, etc.) and it should address signature-based attacks along with dynamic never-before seen attacks using machine learning/adaptive technologies. The IDS/IPS must integrate with traditional fault management to provide a wholistic approach to faults on-board the spacecraft. Spacecraft should select and execute safe countermeasures against cyber-attacks. These countermeasures are a ready supply of options to triage against the specific types of attack and mission priorities. Minimally, the response should ensure vehicle safety and continued operations. Ideally, the goal is to trap the threat, convince the threat that it is successful, and trace and track the attacker — with or without ground support. This would support successful attribution and evolving countermeasures to mitigate the threat in the future. “Safe countermeasures” are those that are compatible with the system’s fault management system to avoid unintended effects or fratricide on the system.	AU-14 \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(2) \| AU-5(5) \| AU-6(1) \| AU-6(4) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| CA-7(6) \| CM-11(3) \| CP-10 \| CP-10(4) \| IR-4 \| IR-4(11) \| IR-4(12) \| IR-4(14) \| IR-4(5) \| IR-5 \| IR-5(1) \| PL-8 \| PL-8(1) \| RA-10 \| RA-3(4) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SC-16(2) \| SC-32(1) \| SC-5 \| SC-5(3) \| SC-7(10) \| SC-7(9) \| SI-10(6) \| SI-16 \| SI-17 \| SI-3 \| SI-3(8) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(13) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-6 \| SI-7(17) \| SI-7(8)		A.8.15 \| A.8.15 \| A.8.6 \| A.8.17 \| A.5.33 \| A.8.15 \| A.8.15 \| A.5.29 \| A.5.25 \| A.5.26 \| A.5.27 \| A.5.8 \| A.5.7 \| A.8.12 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16
CM0042	Robust Fault Management	Ensure fault management system cannot be used against the spacecraft. Examples include: safe mode with crypto bypass, orbit correction maneuvers, affecting integrity of telemetry to cause action from ground, or some sort of proximity operation to cause spacecraft to go into safe mode. Understanding the safing procedures and ensuring they do not put the spacecraft in a more vulnerable state is key to building a resilient spacecraft.	CP-2 \| CP-4(5) \| PL-8 \| PL-8(1) \| SA-3 \| SA-4(5) \| SA-8 \| SA-8(13) \| SA-8(24) \| SA-8(3) \| SA-8(4) \| SC-16(2) \| SC-24 \| SC-5 \| SI-13 \| SI-17		7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28

Related CWE Classes

Priority 1	Priority 2	Priority 3	Priority 4
CWE-1390: Weak Authentication	CWE-311: Missing Encryption of Sensitive Data	CWE-200: Information Exposure	CWE-514: Covert Channel
CWE-285: Improper Authorization	CWE-345: Insufficient Verification of Data Authenticity	CWE-666: Operation on Resource in Wrong Phase of Lifetime	CWE-602: Client-Side Enforcement of Server-Side Security
CWE-287: Improper Authentication	CWE-754: Improper Check for Unusual or Exceptional Conditions		CWE-642: External Control of Critical State Data
CWE-300: Channel Accessible by Non-Endpoint	CWE-755: Improper Handling of Exceptional Conditions		CWE-668: Exposure of Resource to Wrong Sphere
CWE-326: Inadequate Encryption Strength	CWE-863: Incorrect Authorization		CWE-913: Improper Control of Dynamically-Managed Code Resources
CWE-327: Use of a Broken or Risky Cryptographic Algorithm	CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CWE-330: Use of Insufficiently Random Values
CWE-346: Origin Validation Error
CWE-522: Insufficiently Protected Credentials
CWE-665: Improper Initialization
CWE-696: Incorrect Behavior Order
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Indicators of Behavior

ID	Name	Description	STIX Pattern
UCEB-2	Use of Old or Rotated Cryptographic Keys for Authentication	Detection of authentication attempts using cryptographic keys that have already been rotated or marked as no longer valid. This may indicate that threat actors are using old or compromised keys to try to access to spacecraft or C2 systems.	[x-opencti-cryptographic-key:status = 'rotated or expired']
UCEB-3	Unexpected Access to Cryptographic Keys	Detection of unauthorized access to cryptographic keys used for decryption, suggesting that a threat actor may be attempting to disable or bypass the spacecraft's encryption mechanisms.	[x-opencti-cryptographic-key:access_time != 'authorized_access_time' AND x-opencti-cryptographic-key:usage = 'decryption']
UCEB-4	Unexpected Changes to Encryption Configuration Settings	Detection of unexpected changes to encryption settings, potentially indicating that the encryption mechanism on the spacecraft has been disabled or bypassed without authorization.	[x-opencti-encryption-config:status = 'disabled' AND x-opencti-encryption-config:change_time != 'authorized_change_time']
UCEB-7	Modification of Encryption Algorithms	Detection of unauthorized modifications to the spacecraft�s encryption algorithm, potentially indicating that a threat actor is attempting to weaken or disable the encryption mechanism to enable exfiltration or other attacks.	[x-opencti-encryption-algorithm:algorithm != 'expected_algorithm' AND x-opencti-encryption-algorithm:modification_time != 'authorized_time']
UCEB-11	Use of Account or Cryptographic Keys at Unexpected Times	Detection of a user account or cryptographic key being used outside of the expected operational time windows. This may indicate unauthorized or suspicious activity, such as a threat actor using valid credentials or cryptographic keys to gain or maintain persistent access to the spacecraft or related systems.	[user-account:last_login_time != 'expected_operational_hours' OR x-opencti-cryptographic-key:usage_time != 'expected_usage_time']
CSNE-16	Suspicious Network Traffic Without Expected Encryption	Detection of unencrypted telemetry data being transmitted to the ground station when encryption is expected, potentially indicating that encryption has been bypassed to enable unauthorized data exfiltration.	[network-traffic:encryption_status != 'encrypted' AND network-traffic:protocols[*] = 'satellite_communication' AND network-traffic:dst_ref.role = 'ground_station']
MIRE-12	Unexpected Modification to Encryption Memory/Table	Detection of an unauthorized modification to the encryption table, suggesting a potential malicious update affecting the telemetry, tracking, and control (TT&C) encryption settings. The change occurred in the memory range Value1 - Value999. The memory range will be different for each spacecraft.	[x-opencti-memory:table_ref.name = 'encryption_table' AND x-opencti-memory:checksum != 'expected_checksum' AND x-opencti-memory:range = 'Value1 - Value999']
DISE-1	File or Data Integrity Check Failure	Monitors the cryptographic integrity of data (files, payload data, configuration file, logs, etc.) to ensure it remains unmodified during data storage or transmission. It is important during engineering to determine the critical data items that need integrity protection. Some example are discussed in evasion technique https://sparta.aerospace.org/technique/DE-0003/	[file:hashes != 'expected_hash_value' AND file:name = 'data_file']

References

https://cromulence.com/blog/hack-a-sat-2022-finals-teams-on-the-attack