Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. The adversary is trying to damage the system's security, interrupt its normal execution, or damage it physically. Because the resource cannot be reached to be repaired or reprogrammed, it is definitively lost if the damage is too severe. The damage can be at the data level, targeting stored or transmitted data by deleting it or modifying it to deceive the receiver. It can also be at the service level, interrupting a payload execution or hitting the communication with jamming and flooding to prevent it. Damage can also be at the hardware level, destroying the space resource with electromagnetic power, kinetic weapons, or malicious hardware preinserted in the system.
ID | Name | Description | |
T2054 | Data Manipulation | Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. | |
.001 | Stored Data Manipulation | TBD | |
.002 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system owner to an erroneous decision. An attacker can target the telecommands sent from a GS to change the spacecraft's behavior, or tamper with the telemetry sent from a spacecraft to change the data received by the GS. Intercepted and modified range measurements sent to the control center could lead to erroneous range measurements, which could cause incorrect trajectory determination. Mitigations are redundancy/diversity to protect the source and authentication to protect the message. To protect the data source, a star sensor offers a high level of reliability. An attacker can also target the payload data sent from or to a spacecraft. To mitigate this, Navigation Message Authentication (NMA) uses symmetric/asymmetric key encryption to provide authenticity and integrity of the navigation data to the receiver. | |
.003 | Runtime Data Manipulation | An attacker can use a controlled payload software or component to manipulate the data of that or another component during execution, if an MMU or an MPU is not implemented or is misconfigured. Only the most recent space-qualified microprocessors (LEONII/III) have an MMU available, which provides only write protection. For secure spacecraft avionics, protection against read/write and execution access is necessary. The MMU or MPU is extremely important if the payload is not trusted. | |
T2050 | Ground Segment Jamming | An attacker can jam the communication to prevent data from being delivered. TT&C: it is usually possible to wait and communicate later without noticeable problems. Proximity-1: jamming is difficult, because of the high distance from Earth (upload) or the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. The C&S Sublayer provides methods for frame re-synchronization. | |
.001 | Jamming from the ground | TBD | |
T2055 | Loss of spacecraft telecommanding | An attacker can interrupt the communication link between a ground station and a spacecraft by changing the TC channel configuration. | |
.001 | Replacement of authentication keys | An attacker can replace the authentication keys (e.g., SDLS session keys) to disconnect the legitimate ground station and potentially hijack the connection. | |
T2027 | Permanent loss to telecommand satellite | An attacker can perform actions that permanently leave the owner without control of the space resource. The resource may or may not end up under the control of the attacker, who can act either to gain illegitimate ownership of the resource or to damage the legitimate owner. | |
.001 | Replace session and master keys | Adversaries can replace session and master keys in a space resource, to gain permanent access to the resource and permanently prevent the owner's access. This attack leads to a definitive loss of the resource. | |
T2028 | Resource damage | An attacker can attempt to damage a space resource, to cause a mission loss. | |
.004 | Space Debris Impact | A space resource is damaged or destroyed if an impact with space debris happens. Space debris can be produced to harm resources in specific trajectories. | |
.005 | Physical sabotage | An attacker can physically damage a satellite, with harmful commands or by attacking it with another vehicle. Heaters and flow valves of the propulsion subsystem can be moved. Proximity operations with other satellites are possible (kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms). Other possible attacks are against critical software subsystems or internal timers. | |
.007 | Intentional collision with other satellites | Adversaries can command the satellite to collide with other satellites. This results not only in the loss of the resource, but also in damage to another resource. | |
.009 | Destruction of sensors | TBD | |
.010 | Destruction of receivers | TBD | |
.011 | Breakdown of counterfeit components | A space resource can be damaged if a specific HW component, built to fail after a specific period or counterfeit with low reliability, breaks down. Relevant for ASIC and FPGA. | |
.012 | Kinetic attacks | Attackers can use anti-satellite (ASAT) missiles, or other kinetic energy threats, to attack a resource from the ground or from a plane, without the need for orbit insertion. Counterspace weapons are characterized by easy attribution and the generation of space debris. These systems could include payloads such as kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms. This last technology is developed to repair satellites or to remove space debris, but its use can be malicious. A nuclear explosion can also be used against all the space segments. | |
T1496 | Resource Hijacking | An attacker can hijack resources of the space vehicle using them for different purposes. | |
T2052 | Saturation of Inter Satellite Links | In a network constellation without an efficient routing protocol, a network attack aiming to flood the network is possible, causing a saturation of an intersatellite link. This kind of attack can be executed by authorized users, intentionally or not (botnet malware on user devices). | |
.001 | Coremelt attacks | TBD | |
T2053 | Saturation/Exhaustion of Spacecraft Resources | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. The attacker can abuse the satellite bandwidth for the retransmission of their own content. | |
.001 | Receiver flooding | An attacker can try to flood the spacecraft receiver by sending a large amount of data, valid or not. Since the Ground Station notices the status of the receiver, the power of the transmitter should increase to unlock the receiver from the message flood, raising the receiver's threshold and cutting out the malicious signal. | |
.002 | Avionics Bus Flooding | TBD | |
.003 | OBC overloading | TBD | |
.004 | Drain satellite's power | The attacker can target satellites with energy or resource constraints to lead them to prioritize power-saving efforts and disable security controls. The satellite then becomes more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. | |
.005 | Waste of propellant | An attacker can maliciously consume satellite propellant resources to achieve the goal of reducing satellite life. | |
T1489 | Service Stop | An attacker can interrupt services, disabling them or taking control over them. | |
.001 | Ground system loss | The ground facility can be disabled, or an attacker can take control of it, via cyber or physical attack. The loss of the GS can also be caused by environmental factors, uncontrolled or induced (e.g., fire). | |
.002 | Disabling Payload Service | An attacker can disable the payload, or parts of it, leveraging TC switch on-off commands. In a mission with a direct link for the payload, the latter can be disabled by compromising its command channel. | |
T2049 | Spacecraft Jamming | If the victim uses a free space (over the air) communication, it can be threatened by jamming attacks. An attacker can perform a Denial of Service (DoS) attack to limit or block the service availability through RF jamming. For Proximity-1 jamming becomes difficult, because of high distance from Earth (upload) and the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. | |
.001 | Receiver lock on a spurious carrier | Locking the spacecraft receiver or the ground station onto a continuous wave or onto the obtained DSSS sequence can be a threat. Increasing the power is the only way to unlock the receiver; otherwise it unlocks when the spacecraft moves out of LOS with the attacker's GS. The attack depends on the receiver and on the system dynamics, which cause the Doppler effect and require a greater bandwidth. A possible mitigation is the cryptographic DSSS sequence. | |
.002 | Optical Jamming (Links/Sensor Blinding) | An attacker can conduct optical attacks with high power laser beams to target optical sensors or optical links. If the payload uses cameras or other optical sensors to take pictures or measurements, they can be blinded or damaged. | |
.003 | SDR buffer overflow | If SDRs or digital signal processing software are used to provide radio functionality, insufficient checks in radio frame processing, coupled with malformed data packets, could lead to buffer overflows, and create denial-of-service conditions. This type of jamming is significantly stealthier as it is triggered by sending a small number of packets and doesn’t require a continuous RF jamming signal. | |
T2026 | Temporary loss to telecommand satellite | An attacker can perform actions that temporarily leave the owner without control of the space resource. During this period the resource may or may not be under the control of the attacker. | |
.001 | Replace session keys | Adversaries can replace encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control. | |
T2024 | Transmitted Data Manipulation | An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system's owner to an erroneous decision. |