Impact

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes . The adversary is trying to damage the system security, interrupting its normal execution, or damaging it physically. Due to the impossibility to reach the resource and repair/reprogram it, if the damage is too severe the resource is definitively lost.The damage can be at data level, targeting the stored or transmitted data, deleting them, or modifying them to deceive the receiver. It can be also at service level, interrupting a payload execution or hitting the communication with jamming and flooding to prevent it. Damage can be also at hardware level, destroying the space resource with electromagnetic power, kinetic weapons, or malicious hardware preinserted in the system.

ID: TA0040
Created: 25 August 2022
Last Modified: 14 April 2023

Techniques

Techniques: 12
ID Name Description
T2054 Data Manipulation Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.
.001 Stored Data Manipulation TBD
.002 Transmitted Data Manipulation an attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system owner to erroneous decision. An attacker can target the telecommands sent from a GS, to change the spacecraft behavior, or he can tamper the telemetry sent from a spacecraft to change the GS received data. Intercepted and modified range measurement sent to the control center could lead to erroneous range measurements, which could cause incorrect trajectory determination. Mitigations are redundancy/diversity to protect the source and authentication to protect the message. To protect the data source, a star sensor offers ah high level of reliability. An attacker can also target the payload data sent from or to a spacecraft. To mitigate this, Navigation Message Authentication (NMA) uses symmetric/asymmetric key encryption to provide authenticity and integrity of the navigation data to the receiver.
.003 Runtime Data Manipulation An attacker can use a controlled payload software or component to manipulate data of that or another component during the execution, if a MMU or a MPU is not implemented or is misconfigured. Only the most recent space qualified microprocessors (LEONII/III) have a MMU available, that provides only write protection. For secure spacecraft avionics, protection against read/write and execution access is necessary. The MMU or a MPU is extremely important if the payload is not trusted.
T2050 Ground Segment Jamming An attacker can jam the communication to prevent data being delivered. TT&C: Usually is possible to wait and communicate later without noticeable problems. Proximity-1: jamming is difficult, because of high distance from Earth (upload) or the use of commercial frequencies (download jamming would affect lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors. C&S Sublayer provides methods for frame re-synchronization.
.001 Jamming from the ground TBD
T2055 Loss of spacecraft telecommanding an attacker can interrupt the communication link between a ground station and a spacecraft by changing the TC channel configuration.
.001 Replacement of authentication keys An attacker can replace the authentication keys (e.g SDLS session keys) to disconnect the legitimate ground station and potentially hijack the connection.
T2027 Permanent loss to telecommand satellite An attacker can perform actions that permanently leave the owner without the control on the space resource. The resource can be either under the control of the attacker or not, that can act to gain an illegitimate ownership on the resource, or to damage the legitimate owner.
.001 Replace session and master keys Adversaries can replace session and master keys in a space resource, to gain permanent access to the resource and permanently prevent the owner access. This attack leads to a definitive loss of the resource.
T2028 Resource damage An attacker can attempt to damage a space resource, to cause a mission loss.
.004 Space Debris Impact A space resource is damaged or destroyed if an impact with space debris happens. Space debris can be produced to harm resources in specific trajectories.
.005 Physical sabotage An attacker can physically damage a satellite, with harmful commands or attacking it with another vehicle. Heaters and flow valves of the propulsion subsystem can be moved. Proximity operations with other satellites are possible (kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms). Other possible attacks are against critical software subsystems or internal timers.
.007 Intentional collision with other satellites Adversaries can command the satellite to collide other satellites. This results not only in the loss of the resource, but also in a damage of another resource.
.009 Destruction of sensors TBD
.010 Destruction of receivers TBD
.011 Breakdown of counterfeit components A space resource can be damaged if a specific HW component, built to fail after a specific period, or counterfeit with a low reliability, breaks out. Relevant for ASIC and FPGA.
.012 Kinetic attacks Attackers can use anti-satellite (ASAT) missiles, or other kinetic energy threats, to attack a resource from the ground or from a plane, without the needs of an orbit insertion. Counterspace weapons are characterized by an easily attribution and the generation of space debris. These systems could include payloads such as kinetic kill vehicles, radiofrequency jammers, lasers, chemical sprayers, high-power microwaves, and robotic mechanisms. This last technology is developed to repair satellites or to remove space debris, but its use can be malicious. A nuclear explosion can also be used against all the space segments.
T1496 Resource Hijacking An attacker can hijack resources of the space vehicle using them for different purposes.
T2052 Saturation of Inter Satellite Links In a network constellation without an efficient routing protocol, a network attack aiming to flood the network is possible, causing a saturation of an intersatellite link. This kind of attack can be executed by authorized users, intentionally or not (botnet malware on user devices).
.001 Coremelt attacks TBD
T2053 Saturation/Exhaustion of Spacecraft Resources The attacker can target satellites with energy or resource constraints to lead them prioritizing power saving efforts and disabling security controls. The satellite becomes then more vulnerable to other attacks such as gaining unauthorized access or eavesdropping cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result. The attacker can abuse the satellite bandwidth for the retransmission of own content.
.001 Receiver flooding An attacker can try to flood the spacecraft receiver sending great amount of data, valid or not. Since the Ground Station notices the status of the receiver, the power of the transmitter should increase to unlock the receiver from the messages flood, rising the receiver's threshold and cutting out the malicious signal.
.002 Avionics Bus Flooding TBD
.003 OBC overloading TBD
.004 Drain satellite's power The attacker can target satellites with energy or resource constraints to lead them prioritizing power saving efforts and disabling security controls. The satellite becomes then more vulnerable to other attacks such as gaining unauthorized access or eavesdropping on cleartext communications. This goal can be reached with a regenerative payload "flooding", sending to the satellite more packets than expected to rapidly consume its energy. The exploitation of a payload application can achieve a similar result.
.005 Waste of propellant An attacker can maliciously consume satellite propellant resources to achieve the goal of reducing satellite life.
T1489 Service Stop An attacker can interrupt services, disabling them or taking control over them.
.001 Ground system loss The ground facility can be disabled, or an attacker can take control of it, via cyber or physical attack. The loss of the GS can be also caused by environmental factors, uncontrolled or induced (e.g, fire).
.002 Disabling Payload Service An attacker can disable the payload, or parts of it, leveraging TC switch on-off commands. In a mission with a direct link for the payload, the latter can be disabled compromising its command channel.
T2049 Spacecraft Jamming If the victim uses a free space (over the air) communication, it can be threatened by jamming attacks. An attacker can perform a Denial of Service (DoS) attack to limit or block the service availability through RF jamming. For Proximity-1 jamming becomes difficult, because of high distance from Earth (upload) and the use of commercial frequencies (download jamming would affect a lot of other terrestrial links). Jamming of the ranging signal could lead to the total loss of ranging data, and potential navigation errors.
.001 Receiver lock on a spurious carrier The lock of the spacecraft receiver or of the ground station with a continuous wave or with the obtained DSSS sequence can be a threat. Increasing the power is the only way to unlock the receiver, or it unlocks when the spacecraft moves out of LOS with the attacker GS. The attack depends on the receiver and on the system dynamic, that causes the doppler effect and requires a major bandwidth. A possible mitigation is the cryptographic DSSS sequence.
.002 Optical Jamming (Links/Sensor Blinding) An attacker can conduct optical attacks with high power laser beams to target optical sensors or optical links. If the payload uses cameras or other optical sensors to take pictures or measurements, they can be blinded or damaged.
.003 SDR buffer overflow If SDRs or digital signal processing software are used to provide radio functionality, insufficient checks in radio frame processing, coupled with malformed data packets, could lead to buffer overflows, and create denial-of-service conditions. This type of jamming is significantly stealthier as it is triggered by sending a small number of packets and doesn’t require a continuous RF jamming signal.
T2026 Temporary loss to telecommand satellite An attacker can perform actions that temporarily leave the owner without the control on the space resource. During this period the resource can be either under the control of the attacker or not.
.001 Replace session keys Adversaries can replace encryption keys used to encrypt TM/TC in order to gain permanent access to other functionalities, or to temporarily interrupt the owner's control.
T2024 Transmitted Data Manipulation An attacker can modify transmitted data, jamming or overpowering the original signal and retransmitting a modified copy to the receiver, to command a spacecraft or to lead the system's owner to erroneous decision.