Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. The adversary is trying to damage the system's security, interrupt its normal execution, or damage it physically. Because a space resource cannot be reached to be repaired or reprogrammed, it is definitively lost if the damage is too severe. The damage can be at the data level, targeting stored or transmitted data by deleting it or modifying it to deceive the receiver. It can also be at the service level, interrupting a payload's execution or preventing communication through jamming and flooding. Damage can also be at the hardware level, destroying the space resource with electromagnetic power, kinetic weapons, or malicious hardware pre-inserted in the system.
ID | Name | Description | |
T2054 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. | |
.001 | Stored Data Manipulation | An attacker can alter or corrupt stored data within a system, such as mission control databases, payload data storage, or onboard systems. Manipulating stored data can lead to incorrect decision-making, confusion, or operational errors, especially if the data is used for mission-critical analysis or operations. Preventive measures include employing encryption, access control, and integrity-checking mechanisms to ensure the authenticity and reliability of the stored data. | |
.002 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system owner to an erroneous decision. An attacker can target the telecommands sent from a GS to change the spacecraft's behavior, or tamper with the telemetry sent from a spacecraft to change the data received by the GS. Intercepted and modified range measurements sent to the control center could lead to erroneous range measurements, which could cause incorrect trajectory determination. Mitigations are redundancy/diversity to protect the source and authentication to protect the message. To protect the data source, a star sensor offers a high level of reliability. An attacker can also target the payload data sent from or to a spacecraft. To mitigate this, Navigation Message Authentication (NMA) uses symmetric/asymmetric key encryption to provide authenticity and integrity of the navigation data to the receiver. | |
.003 | Runtime Data Manipulation | An attacker can use a controlled payload software or component to manipulate the data of that or another component during execution, if an MMU or an MPU is not implemented or is misconfigured. Only the most recent space-qualified microprocessors (LEONII/III) have an MMU available, and it provides only write protection. For secure spacecraft avionics, protection against read/write and execution access is necessary. The MMU or MPU is extremely important if the payload is not trusted. | |
T2050 | Ground Segment Jamming | An attacker can jam the communication to prevent data from being delivered. TT&C: it is usually possible to wait and communicate later without noticeable problems. Proximity-1: jamming is difficult, because of the great distance from Earth (upload) or the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. The C&S Sublayer provides methods for frame re-synchronization. | |
.001 | Jamming from the ground | TBD | |
T2055 | Loss of spacecraft telecommanding | An attacker can interrupt the communication link between a ground station and a spacecraft by changing the TC channel configuration. | |
.001 | Replacement of authentication keys | An attacker can replace the authentication keys (e.g., SDLS session keys) to disconnect the legitimate ground station and potentially hijack the connection. | |
T2027 | Permanent loss to telecommand satellite | An attacker can perform actions that permanently leave the owner without control of the space resource. The resource may or may not end up under the control of the attacker, who can act either to gain illegitimate ownership of the resource or to damage the legitimate owner. | |
.001 | Replace session and master keys | Adversaries can replace session and master keys in a space resource, to gain permanent access to the resource and permanently prevent the owner's access. This attack leads to a definitive loss of the resource. | |
T2028 | Resource damage | An attacker can attempt to damage a space resource, to cause a mission loss. | |
.004 | Space Debris Impact | A space resource is damaged or destroyed if an impact with space debris happens. Space debris can be produced to harm resources in specific trajectories. | |
.005 | Physical sabotage | An attacker can physically damage a satellite, with harmful commands or by attacking it with another vehicle. Heaters and flow valves of the propulsion subsystem can be moved. Proximity operations with other satellites are possible (kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms). Other possible attacks are against critical software subsystems or internal timers. | |
.007 | Intentional collision with other satellites | Adversaries can command the satellite to collide with other satellites. This results not only in the loss of the resource, but also in damage to another resource. | |
.009 | Destruction of sensors | An attacker could target and destroy the sensors onboard a satellite. This may involve damaging optical, infrared, radar, or other sensing equipment critical to the satellite's mission. Destroying sensors can severely impair the satellite's ability to gather and transmit valuable data, rendering it ineffective or causing mission failure. These sensors are often vital for navigation, Earth observation, and other scientific objectives. | |
.010 | Destruction of receivers | An attacker may attempt to destroy or disable the receivers on a satellite, which are essential for receiving signals from ground stations, other satellites, or mission-specific communications. Destroying or impairing the receivers may render the satellite unable to communicate or receive essential data, leading to a complete loss of functionality. This could involve targeting radio-frequency receivers, optical receivers, or other communication interfaces critical to the satellite’s operation. | |
.011 | Breakdown of counterfeit components | A space resource can be damaged if a specific HW component breaks down, either because it was built to fail after a specific period or because it is a counterfeit with low reliability. Relevant for ASICs and FPGAs. | |
.012 | Kinetic attacks | Attackers can use anti-satellite (ASAT) missiles, or other kinetic energy threats, to attack a resource from the ground or from a plane, without the need for orbit insertion. Counterspace weapons are characterized by easy attribution and the generation of space debris. These systems could include payloads such as kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms. This last technology is developed to repair satellites or to remove space debris, but its use can be malicious. A nuclear explosion can also be used against all the space segments. | |
T1496 | Resource Hijacking | An attacker can hijack resources of the space vehicle, using them for different purposes. | |
T2052 | Saturation of Inter Satellite Links | In a network constellation without an efficient routing protocol, a network attack aiming to flood the network is possible, causing the saturation of an inter-satellite link. This kind of attack can be executed by authorized users, intentionally or not (botnet malware on user devices). | |
.001 | Coremelt attacks | TBD | |
T2053 | Saturation/Exhaustion of Spacecraft Resources | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. The attacker can abuse the satellite bandwidth for the retransmission of their own content. | |
.001 | Receiver flooding | An attacker can try to flood the spacecraft receiver by sending a large amount of data, valid or not. Since the Ground Station notices the status of the receiver, the power of the transmitter should increase to unlock the receiver from the message flood, raising the receiver's threshold and cutting out the malicious signal. | |
.002 | Avionics Bus Flooding | This technique involves overwhelming the avionics bus by injecting an excessive volume of messages, leading to the saturation or exhaustion of communication resources. An attacker can achieve this by gaining control over an ECU (Electronic Control Unit) or microcontroller with access to the bus (e.g., on the CAN bus). This access may be obtained through exploitation of system vulnerabilities or by physically connecting a compromised device to the bus. By flooding the bus with high-priority messages, the attacker can suppress lower-priority communications, causing delays, denial of service, or complete failure of mission-critical operations. | |
.003 | OBC overloading | TBD | |
.004 | Drain satellite's power | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. | |
.005 | Waste of propellant | An attacker can maliciously consume satellite propellant resources to achieve the goal of reducing satellite life. | |
.006 | RTOS Scheduler Compromise | This involves manipulating the RTOS scheduler to delay or deny the execution of critical tasks, potentially impacting satellite operations like Attitude Determination and Control System (ADCS) or Electrical Power System (EPS) management. | |
.007 | Hypervisor Scheduling Compromise | Similar to the RTOS scenario but within hypervisor environments, where malicious manipulation of partition schedules can disrupt mixed-criticality operations. | |
T1489 | Service Stop | An attacker can interrupt services, disabling them or taking control over them. | |
.001 | Ground system loss | The ground facility can be disabled, or an attacker can take control of it, via cyber or physical attack. The loss of the GS can also be caused by environmental factors, uncontrolled or induced (e.g., fire). | |
.002 | Disabling Payload Service | An attacker can disable the payload, or parts of it, leveraging TC switch on-off commands. In a mission with a direct link for the payload, the latter can be disabled by compromising its command channel. | |
T2049 | Spacecraft Jamming | If the victim uses free-space (over-the-air) communication, it can be threatened by jamming attacks. An attacker can perform a Denial of Service (DoS) attack to limit or block the service availability through RF jamming. For Proximity-1, jamming becomes difficult because of the great distance from Earth (upload) and the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. | |
.001 | Receiver lock on a spurious carrier | The lock of the spacecraft receiver or of the ground station with a continuous wave or with the obtained DSSS sequence can be a threat. Increasing the power is the only way to unlock the receiver, or it unlocks when the spacecraft moves out of LOS with the attacker GS. The attack depends on the receiver and on the system dynamics, which cause the Doppler effect and require a greater bandwidth. A possible mitigation is the cryptographic DSSS sequence. | |
.002 | Optical Jamming (Links/Sensor Blinding) | An attacker can conduct optical attacks with high-power laser beams to target optical sensors or optical links. If the payload uses cameras or other optical sensors to take pictures or measurements, they can be blinded or damaged. | |
.003 | SDR buffer overflow | If SDRs or digital signal processing software are used to provide radio functionality, insufficient checks in radio frame processing, coupled with malformed data packets, could lead to buffer overflows, and create denial-of-service conditions. This type of jamming is significantly stealthier as it is triggered by sending a small number of packets and doesn't require a continuous RF jamming signal. | |
T2026 | Temporary loss to telecommand satellite | An attacker can perform actions that temporarily leave the owner without control of the space resource. During this period the resource may or may not be under the control of the attacker. | |
.001 | Replace session keys | Adversaries can replace encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control. | |
T2024 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system's owner to an erroneous decision. |