Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed.
| ID | Name | Description |
|---|---|---|
| M2022 | Access control | Access control systems authenticate users and enforce authorization, preventing attackers or unauthorized users from reaching unpermitted services and resources, modifying system configurations, and taking control of them. Access control is needed to identify actors who try to interact with the system or participate in a network, and it defines whether they are authorized or not. The installation of backdoors in the system and the exfiltration of data from it can be prevented, or at least made more difficult, if access control is implemented. Furthermore, it can protect against alteration of system settings, disablement of defenses, or deletion of logs. Without access control, an attacker could take control of the asset, abuse its resources, misconfigure OBCPs to hijack or damage it, interrupt the provided services, or even take possession of the spacecraft by changing the cryptographic keys. |
| M2026 | Accountability of actions | Every access or action shall be attributed to a user, entity, or organization, to keep track of roles and to assign responsibility in case of problems. |
| M2046 | Anti-replay protection mechanisms | Implement anti-replay protection mechanisms to prevent adversaries from intercepting and reusing previously transmitted messages. In the context of space systems, this involves using techniques like sequence numbers, timestamps, and unique message identifiers to ensure that every communication (such as telemetry, tracking, and command data) is valid and unique. |
| M2044 | Application of Least Privilege principle | TBD |
| M1047 | Audit | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M2068 | Authenticated encryption | Authenticated encryption is a cryptographic technique that ensures both the confidentiality and authenticity of data. Authenticated encryption is crucial in preventing adversaries from intercepting and manipulating data, as it secures communication against both unauthorized access and tampering. |
| M2002 | Authentication | Authentication permits secure access to a resource by verifying the actor's identity. It also protects a command or a message from spoofing or modification. The CCSDS SDLS protocol incorporates authentication through a MAC. Authentication protects against attacks that aim to access unauthorized resources, spoof legitimate users, or manipulate data and communications. |
| M2067 | Authentication combined with means to ensure the identity of the other party using certificates or pre-shared keys | TBD |
| M2072 | Authentication mechanisms using approved cryptographic means | TBD |
| M2025 | Authorization | Authorization mechanisms protect functionalities from being executed by unauthorized entities. Authorization can prevent the exploitation of Telecommands, APIs, CLIs or other command methods to modify the system configuration. Backdoor installation, data manipulation, and the use of Payload and Spacecraft resources are limited if authorization is applied. |
| M2027 | Autonomy | Autonomy can help to protect against denial-of-service attacks, mainly those targeting the TT&C link, by keeping the system operating during an absence of commands. |
| M1046 | Boot Integrity | Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. |
| M2032 | Bulk data link encryption | TBD |
| M2013 | CCSDS Coding & Synchronization sublayer | In case of congestion or disruption of the link, the Coding & Synchronization sublayer provides methods for frame re-synchronization for TC, TM, Proximity. |
| M2004 | CCSDS SDLS Sequence numbers | The CCSDS SDLS protocol incorporates anti-replay protection through the use of sequence numbers. Unexpected increases in sequence numbers can also permit the detection of unauthorized messages sent to the Resource. |
| M1045 | Code signing | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. |
| M1043 | Credential Access Protection | Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping. |
| M2015 | Cryptographic DSSS sequence | Spread Spectrum is a system that spreads the signal power over a large frequency band, hiding the signal itself and protecting it. Reconstructing the original signal requires knowledge of the spreading sequence. The resulting signal is more difficult to find and intercept, to jam, or to spoof. If the DSSS sequence is protected by a cryptographic sequence, a cryptographic key is needed to predict the spreading sequence's behavior. |
| M2019 | Data integrity schemes | Use data integrity schemes to protect data from unauthorized modifications, or from unintentional corruptions due to noise or storage defects (hashing, check values, digital signatures). SDLS provides integrity protection on the transmitted data, with the computation of a MAC. |
| M2049 | Defense-in-depth measures | Implement multiple layers of protection, considering encryption, authentication, on-board isolation mechanisms, and anomaly detection, restricting the impact of an intrusion and enhancing the resilience of the spacecraft. |
| M2078 | Detection of abnormal behaviour at avionics bus / Prevention mechanisms | Intrusion Detection / Prevention Systems for Avionics Bus |
| M2064 | Detection techniques of exploitation attempts | TBD |
| M2037 | Digital certificates | CCSDS 357.0-B-1 |
| M2048 | Digital signing of software components | TBD |
| M2010 | Diversity | Diversity can protect a data source from faults or deception attempts. Different components or software are less likely to break or to share the same vulnerabilities, so a compromise of one of them does not automatically become a compromise of the whole system. Different locations are exposed to different physical problems. |
| M2071 | Dynamic Routing | TBD |
| M1041 | Encrypt Sensitive Information | Protect sensitive information with strong encryption. |
| M2003 | Encryption of communications | Encryption of communications hides the message content from unauthorized eavesdroppers, ensuring confidentiality. |
| M2036 | End-to-End Security Measures for Space Systems | TBD |
| M2060 | Establish processes, procedures, and security measures to protect cryptographic keys / key management | TBD |
| M1037 | Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
| M2016 | Frequency Hopping | Frequency Hopping is a system that regularly changes the carrier frequency according to a specific pattern. This procedure makes interception more difficult and protects the signal from interference, whether deliberate or not. |
| M2039 | Fuzzing / testing | TBD |
| M2033 | High-power up-link | TBD |
| M2054 | Implementation on Trusted Execution Environments for critical parts of procedures | TBD |
| M2070 | Internal segregation and /or authentication | TBD |
| M2066 | Log integrity protection | TBD |
| M2008 | MMU and MPU | For secure spacecraft avionics, protection against read/write and execution access is necessary. An MMU or an MPU provides it; this is especially important if the payload is not trusted. |
| M2017 | Monitoring | Monitoring of the system's state allows undesirable behaviors or interactions to be detected early. In case of Denial-of-Service attacks, the Ground Station should be able to notice the status of the receiver. If the receiver is targeted by attacks, the power of the transmitter should be increased, raising the receiver's threshold level and cutting out the malicious signals. Monitoring of the radio channel permits the identification of messages sent by unauthorized users towards the spacecraft. Monitoring of the internal system may reveal malicious or erroneous operations. |
| M2041 | Multi-factor authentication | TBD |
| M2012 | Navigation Message Authentication (NMA) | For GNSS data, Navigation Message Authentication (NMA) uses symmetric/asymmetric key encryption to provide authenticity and integrity of the navigation data to the receiver. |
| M1031 | Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
| M1030 | Network Segmentation | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
| M2018 | Non-repudiation mechanisms | Use mechanisms, such as Digital Signatures, to ensure that nobody can deny responsibility for performing actions or communications, or for the origin of data. |
| M2051 | On Board Authentication for executing critical commands | TBD |
| M2034 | Opaque spacecraft design | TBD |
| M2055 | Operating Systems partitioning | TBD |
| M2076 | Overloading / flooding detection mechanisms | TBD |
| M2031 | Padding | TBD |
| M2007 | Partitioning/Separation | Time and Space Partitioning or other satellite hypervisor types should protect systems from mutual interferences, creating security borders between services and preventing unauthorized interactions. |
| M2063 | Patching to the latest available software version | TBD |
| M2057 | Payload specific countermeasures | Implement tailored security mechanisms and protocols to address vulnerabilities unique to the spacecraft payload. These could include encryption for payload data, tamper-resistant hardware, and specific anomaly detection systems to monitor payload operations and communication. |
| M2059 | Physical and network protection of key management systems | Protect key management systems physically and at the network level, using border protection devices such as data diodes. |
| M2058 | Physical protection and isolation of root keys | Implement robust physical security measures to protect and isolate root cryptographic keys. This includes secure hardware modules, tamper-evident seals, and physical segregation within spacecraft or ground facilities to ensure that keys remain secure during storage, generation, and use. |
| M2021 | Physical security | Guards, gates, and other physical security countermeasures, permit to defend facilities from undesirable accesses, sabotages, or damages made on purpose. |
| M2056 | Platform protection | Use logical and/or physical segregation mechanisms to protect the platform from the payload. |
| M1056 | Pre-compromise | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. |
| M2035 | Proper Information Classification and Flow-Down Guidelines | TBD |
| M2006 | Protect OTAR Key Management Service | Over-the-air rekeying (OTAR) is the process of updating encryption keys via an existing encrypted communication channel. The CCSDS Recommended Practice provides specific means for protection of the OTAR key management service. All key management communication must be protected by a security protocol such as the Space Data-Link Layer Security Protocol. |
| M2074 | Protect/isolate Key Management Facility | Secure and isolate key management facilities to prevent unauthorized access or tampering with cryptographic keys. This involves employing physical security controls (e.g., restricted areas, surveillance), logical access controls, and network segmentation to ensure that key generation, storage, and distribution processes remain uncompromised. |
| M2062 | Recovery to a known good state | TBD |
| M2009 | Redundancy | Redundancy can improve the reliability and availability of a system, a data source, a service or a resource against faults and interruptions, whether accidental or deliberate, and against deception attempts. It consists of the inclusion of extra components, either hardware or software, which are not strictly necessary for functioning but which start to operate in case of failure of other components. As a downside, it increases the cost and complexity of a system design. |
| M2061 | Remote attestation | Employ remote attestation mechanisms to validate the integrity of spacecraft software or firmware remotely. This process enables ground control to verify that the onboard systems are unmodified and secure, ensuring confidence in the operation of the spacecraft and communication links. |
| M2020 | Resilience | Resilient hardware (e.g., SOS) protects systems, facilities, services, or data from damage or from Service interruption attacks. |
| M2073 | Revoke keys and replace with new ones (including master keys, if needed) | TBD |
| M2053 | Role Based Access Control | TBD |
| M2042 | Secure Design and Implementation of Ground Segment for Space Systems | TBD |
| M2040 | Secure PKI implementation | Public Key Infrastructure (PKI) is a framework of roles, policies, hardware, software, and procedures necessary to securely create, manage, and use digital certificates and public-key encryption. In spacecraft systems, PKI plays a critical role in securing communications, ensuring that only authorized entities can issue commands or access sensitive data. This is especially important for space-to-ground communication, inter-satellite links, and internal command authentication. |
| M2029 | Secure Safe Mode | In case of system problems, the Resource may enter Safe mode, where the security functions are deactivated or bypassed. The system must have a fallback set of master keys to use in this case, to securely re-enable the security functions and upload new sets of Traffic Protection Keys. |
| M2065 | Separate authentication for critical commands | TBD |
| M2052 | Software segregation / isolation | TBD |
| M2038 | Source code review | Static code analysis |
| M2005 | Space Link Extension | The Space Link Extension allows encrypted data to be transmitted end to end, with part of the link running over ground networks. It allows the data to reach the MCS without being decrypted. This feature is helpful if the link runs across untrusted nodes. |
| M2014 | Spread Spectrum | Spread Spectrum is a system that spreads the signal power over a large frequency band, hiding the signal itself and protecting it. Reconstructing the original signal requires knowledge of the spreading sequence. The resulting signal is more difficult to find and intercept, to jam, or to spoof. |
| M2011 | Star tracker | A star tracker is an instrument enabling accurate and autonomous control of a satellite's attitude, by analyzing the placement of the surrounding stars. The estimation is reliable and extremely difficult to spoof. |
| M2069 | Strong authentication of Telecommands | TBD |
| M2024 | Supply chain confidence | Supply chain confidence is fundamental to mitigating risks or attacks related to the supply chain, such as the introduction of backdoors or malicious capabilities in components that are going to be integrated into the system. Knowledge of the product chain, whether hardware or software, and assurance from measurements, tests, inspections, and certifications can limit possible attack vectors and threats. |
| M2077 | Supply chain protections | Implement comprehensive security measures to safeguard the supply chain for spacecraft components and software. This includes verifying the integrity and authenticity of parts, conducting regular audits of suppliers, and ensuring secure transportation of critical elements to prevent tampering or compromise. |
| M2050 | Supply from trustworthy sources only | Source components from certified, verified suppliers to mitigate risks of counterfeit or tampered hardware/software. |
| M2023 | Timestamp | A timestamp can prove when a message was written, protecting it from delay or replay attacks. |
| M2028 | Track debris and space vehicles | Tracking of space elements brings awareness of dangerous Space Debris that can cause collisions. Knowledge of other satellites makes it possible to be aware of malicious neighbors. |
| M2030 | Usage of directive transmit antenna | Use directive transmit antennas (including, potentially, optical links, antennas with more focused patterns, etc.) |
| M2075 | Use keys of sufficient length | TBD |
| M1017 | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction. |
| M2047 | Vulnerability/malware scanning | TBD |
| M2043 | Zero Trust Architecture | TBD |