CyberInflight and Florent Rizzo shared an excerpt of their last Space Cybersecurity Market Intelligence 2023 Report.
Here is what Florent said in French about this report :
« 📢 Les systèmes spatiaux 🚀 constituent l’infrastructure critique de toutes les infrastructures critiques.
2022 a marqué une rupture dans le domaine de la cybersécurité spatiale🛰️, tant au niveau de la croissance des menaces que de l’émergence de nouveaux modes d’actions.
C’est au cœur de ce contexte en rapide évolution que CyberInflight se positionne. Acteur clé de l’intelligence économique dans le domaine de la cybersécurité appliquée à l’aérospatiale, CyberInflight accompagne les acteurs du secteur en leur fournissant les données essentielles à leurs activités que ce soit par de la production d’études d’intelligence économique ou au travers d’activités de conseil et de formation.
Le marché de la cybersécurité spatiale est particulièrement complexe à définir et à délimiter. CyberInflight fournit l’effort de répertorier ces acteurs, de les catégoriser et d’observer leur évolution. De fait, notre « Space Cybersecurity Market Intelligence Report » apporte une approche particulièrement complète sur le marché de la cybersécurité spatiale🛰️. Cette étude de plus de 150 pages se veut exhaustive et analytique en s’appuyant sur un ensemble de base de données.
👉Retrouvez ici la table des matières et l’extrait de notre rapport d’intelligence économique sur le marché de la cybersécurité spatiale ainsi que le teaser des différentes bases de données constituées par CyberInflight. »
👉En cas de question ou de demande d’information, n’hésitez pas à contacter à l’adresse suivante : research@cyberinflight.com«
Find below the executive summary of the report
« The ever-increasing demand for data and the growing dependency on space applications is pushing the need for processing more data on board and to send them to the ground. A new set of technologies is being developed allowing for higher performance, increased throughput and secure communications.
The improvement of existing technologies (RISC, ARM, FPGA), the creation or the adaption of new ones to space applications (lightweight cryptography, confidential computing, containerization, quantum) the shift to new business models (such as GSaaS, and as-a-service models in general) are a set of new challenges to be overcome not only to meet the growing demand for space data but also to reliably secure these services in front of an expanding threat landscape.
Embedding more technologies within the spacecraft implies meeting current and future operational and environmental constraints. It requires additional performance, power, weight or size (the SWaP tradeoff).
The soar of COTS has pushed the use of technologies which are well-used within traditional IT applications such as containerization (virtualization, Kubernetes, Docker). Trust is implemented at different level from hardware (root-of-trust) to software (LWC or confidential computing). The ground segment is also sustaining significant transformation – becoming more and more cloud-oriented. Future technologies such as quantum or artificial intelligence or machine learning may be seen as disruptors when reaching a higher maturity level.
Cybersecurity technologies are evolving between current and future requirements mainly driven by the rapid evolution and growing interest for space by the cyberthreat landscape. »
Find below the excerpt of the last Space Cybersecurity Market Intelligence 2023 Report edited by Cyberinflight
This full excerpt of the report can be downloaded here
« The space sector is in need of frameworks and methodologies specific to our unique operating environment » said Gregory Falco (Aerospace Security & Space Technology Asst. Prof at Johns Hopkins, Cybersecurity PhD from MIT).
In this article, we will present some recently released cybersecurity frameworks for space domain :
SPARTA : The Aerospace Corporation’s Space Attack Research and Tactic Analysis
SPACE-SHIELD : The Space Attacks and Countermeasures Engineering Shield from ESA
TREKS : The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles Cybersecurity Framework
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA)
Space Attack Research and Tactic Analysis (SPARTA) matrix
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA) framework was already in place. SPARTA is an ATT&CK® like knowledge-base framework but for for Space Missions.
SPARTA matrix is intended to provide unclassified information to space professionals about how spacecraft may be compromised due to adversarial actions across the attack lifecycle.
You can learn more about SPARTA in our article here.
The SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA
SPACE-SHIELD or ATT&CK Matric for Space
There was also the SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA. SPACE-SHIELD is an ATT&CK® like knowledge-base framework for Space Systems.
It is a collection of adversary tactics and techniques, and a security tool applicable in the Space environment to strengthen the security level. The matrix covers the Space Segment and communication links, and it does not address specific types of mission.
You can learn more about SPACE-SHIELD in our article here.
The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
TREKS (Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles) is a new Cybersecurity Framework that highlights the unique kill chain for the space vehicle.
It’s a Cybersecurity Framework released by Dr. Jacob Oakley after more than five years spent researching and working on space system cybersecurity.
You can learn more about TREKS in our article here.
What about SPARTA vs. ATT&CK MITRE ?
The current cyber-security frameworks – MITRE’s ATT&CK and Microsoft’s Kubernetes – while representing the industry standard for analyzing attacks on terrestrial devices, however, do not sufficiently cover the space segment scenarios.
What about SPARTA vs. SPACE-SHIELD ?
SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) is an ATT&CK® like knowledge-base framework for Space Systems. It is a collection of adversary tactics and techniques, and a security tool applicable in the Space environment to strengthen the security level. The matrix covers the Space Segment and communication links, and it does not address specific types of mission. You can learn more about SPACE-SHIELD here.
What about TREKS vs. other frameworks
TREKS is intended to provide a bridge between the existing frameworks available to address, categorize, taxonomize and analyze cybersecurity compromises of traditional terrestrial based network architectures and the future of cybersecurity for space where those frameworks become more applicable as compromises become more frequent, prolific, and acknowledged. This framework can provide a taxonomy that can be used to characterize foundational aspects of cyber threats to SVs in a way that allows for the identification of trends and enables analysis of this niche target set at the intersection of the space and cyber domains.
Conclusion
In conlusion, « We need frameworks, this is sure. But we need also to ensure that we are not diverging or duplicating the efforts. » said Paul Varela, CyberSecurity/Risk Expert and Trainer at EUSPA.
My position is that it’s right but I think these frameworks are complementory.
Brandon Bailey & Brad Roeher from the SPARTA team analyzed, in this article, Thales Group’s CYSAT ’23 presentation material to deconstruct the experiment, extract lessons learned, and document potential countermeasures.
Summary of the full attack flow
Summary of the full Thales attack flow
The SPARTA (Space Attack Research and Tactic Analysis) Framework was used to identify the tactics, techniques, and associated countermeasures associated with the experiment/attack.
They utilized the SPARTA Navigator tool to construct the attack chain and generated an Excel export to pinpoint relevant countermeasures. Subsequently, a thorough analysis is conducted to ensure the applicability of the associated countermeasures to the specific Tactics, Techniques, and Procedures (TTPs).
The SPARTA Navigator proves invaluable in presenting a comprehensive array of countermeasures categorized by defense-in-depth, effectively minimizing the risk posed by TTPs. By leveraging the SPARTA Navigator, we successfully map the attack chain to SPARTA TTPs, as exemplified below.
Upon exporting the data from the SPARTA Navigator, they have identified eight countermeasures. Out of these, five pertain to terrestrial countermeasures intended to prevent vulnerable software from infiltrating the spacecraft. The remaining three countermeasures are implemented onboard the spacecraft itself, serving to protect against and/or detect the TTPs executed during the experiment.
This paper was presented at the 44th IEEE Symposium on Security and Privacy (S&P) and received a distinguished paper award.
In this paper, they analyze the security of three real-world satellites and discover 13 vulnerabilities that enable attackers take over two of them. They also publish a survey confirms that these are widespread issues.
Terms used in this abstract are : satellites, satellite security, space segment, satellite firmware, threat taxonomy, software security.
Abstract — Satellites are an essential aspect of our modern society and have contributed significantly to the way we live today, most notable through modern telecommunications, global positioning, and Earth observation. In recent years, and especially in the wake of the New Space Era, the number of satellite deployments has seen explosive growth. Despite its critical importance, little academic research has been conducted on satellite security and, in particular, on the security of onboard firmware. This lack likely stems from by now outdated assumptions on achieving security by obscurity, effectively preventing meaningful research on satellite firmware.
In this paper, we first provide a taxonomy of threats against satellite firmware. We then conduct an experimental security analysis of three real-world satellite firmware images. We base our analysis on a set of real-world attacker models and find several security-critical vulnerabilities in all analyzed firmware images. The results of our experimental security assessment show that modern in-orbit satellites suffer from different software security vulnerabilities and often a lack of proper access protection mechanisms. They also underline the need to overcome prevailing but obsolete assumptions. To substantiate our observations, we also performed a survey of 19 professional satellite developers to obtain a comprehensive picture of the satellite security landscape.
The figure below is a taxonomy of threats against satellite firmware
A taxonomy of threats against satellite firmware
The figure below is a the OPS-SAT threat model
The OPS-SAT threat model
The figure below is an overview of the vulnerabilities identified in the satellite bus and their attacker paths
An overview of the vulnerabilities identified in the satellite bus and their attacker paths
CISPA researchers have contributed to twelve papers at this year’s. Four of these papers have received the highest honor: A Distinguished Paper Award, given out to the top 1% of submitted papers. Congratulations to everyone involved!
🔥 On Tuesday 25 April 2023, the MITRE Corporation released ATT&CK v13, the new version of its framework.
This new version includes significant updates and affects all matrices: Enterprise, Mobile and ICS.
In this article, we summarize the biggest changes : and will go through more details.
✔️ Addition of « Pseudocode analytics for Detection »: I understand this is the most important change in ATT&CK v13. It adds detailed recommendations to the TTPs in the Enterprise matrix to improve their detection by providing more precision and context on what to look for and collect. This new information can be consulted in the CAR (Cyber Analytics Repository) database.
✔️ Addition of new data sources for the Mobile matrix: Data sources represent information that can be collected from logs or probes. They also include characteristics that make it possible to identify the specific properties/values of a data source that are relevant to the detection of a technique or sub-technique.
✔️ Update of the ICS matrix: overhaul of assets, addition of new techniques and refresh of campaign mapping
✔️ Update of APT groups and attack campaigns with the possibility of cross-domain mapping
✔️ Improved coverage of the Cloud: addition of new technologies and completion of execution and lateral movement techniques
✔️ Improved coverage of Linux: updated techniques and sub-techniques with a better understanding of attacks
✔️ Improvements to the web interface, mainly in the search module
✔️ New changelog types to help identify more precisely what has changed in ATT&CK.
“we’re working toward enhanced tools for lower-resourced defenders, improving ATT&CK’s website usability, enhancing ICS and Mobile parity with Enterprise, and evolving overall content and structure this year”
Amy L. Robertson
🤩 A v14 is already announced for October with more details at ATT&CKCon 4.0 which takes place on 24-25 October 2023 :
The MITRE ATT&CK framework is a globally recognized knowledge base and methodology for understanding, organizing, and classifying cyber threats and tactics used by adversaries during different stages of a cyber attack. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
The framework was developed by MITRE, a not-for-profit organization that operates federally funded research and development centers (FFRDCs) to address various challenges faced by the U.S. government. However, the framework has gained widespread adoption in the cybersecurity community and is used by organizations around the world.
The MITRE ATT&CK framework provides a comprehensive model that describes the entire lifecycle of a cyber attack, from initial reconnaissance and weaponization to lateral movement, data exfiltration, and impact. It consists of a matrix that outlines various tactics and techniques employed by adversaries, along with information on the platforms they target (e.g., Windows, macOS, Linux) and the types of software they use.
The framework is organized into several categories, including Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. Each category is further divided into specific techniques and sub-techniques that adversaries may employ.
For each technique, the framework provides detailed information on how it works, the potential impact, and real-world examples of its usage by known threat actors. This knowledge base allows organizations to better understand the tactics and techniques employed by adversaries and assists in building effective defensive strategies and improving incident response capabilities.
By utilizing the MITRE ATT&CK framework, organizations can map observed adversary behaviors to specific techniques, identify security gaps, prioritize defenses, develop threat intelligence, and share information with the broader cybersecurity community. The framework serves as a common language and reference point for cybersecurity professionals, enabling them to collaborate and exchange knowledge on emerging threats and effective defense strategies.
Overall, the MITRE ATT&CK framework plays a crucial role in enhancing cybersecurity awareness and readiness, facilitating the development of proactive defense measures, and improving the overall resilience of organizations against cyber attacks.
CYSAT ’23 is the first conference in Europe dedicated to satellite and space industry cyber security. It took place from 26 to 27 April 2023 and brought together key players from the European space industry to share challenges and solutions related to cyber risks and cyber security in space.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT will highlight Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
What you will watch:
An exclusive testimony by Colonel Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine. A year since the cyber-attack on satellite network KA-SAT, Potii will reflect on what lessons can be learned from this attack.
Talks and keynotes from renowned industry experts, including Philippe Baptiste, President of CNES, Jean-Marc Nasr, Vice-President Space at Airbus Defence and Space, Massimo Mercati, Head of Security at ESA and Greg Wyler, founder of E-Space.
Workshops and demonstrations highlighting the know-how of the space industry
To find the full programme and more information on the event, visit: https://cysat.eu/
You will find below the full recording of the 2 days of conferences with all the speakers.
CYSAT, the only European event about cybersecurity in the space industry
CYSAT is the annual rendez-vous of all professionals at the crossroad between space and cyber. The 3rd edition will be taking place in Paris on April 26-27th at Station F and online.
CYSAT 2023
Here is the final retrospective of CYSAT 2023. We hope you enjoyed this third edition, which took place in Paris on April 26 and 27, 2023, and we hope to see even more of you in 2024.
Let’s continue to raise awareness about cybersecurity in space !
Opening of CYSAT 2023 with Lionel Suchet from CNES
Space is the new frontier of cybersecurity. The growing amount of space data collected and processed in the cloud makes cybersecurity a fundamental topic. CYSAT 2023, as the biggest European event dedicated to space cybersecurity, paved the way to a whole new set of reflexions within the European context.
As the COO of CNES, the French government space agency, Lionel Suchet was appointed Director of Innovation, Applications and Science. This new directorate (DIA) is tasked with supporting the interests, requirements and challenges of all potential users of space data and missions, and planning and proposing CNES’s future orbital systems with a view to nurturing creativity and driving innovation.
CYSAT 2023: Fireside chat with Greg Wyler, E Space
Greg Wyler is Founder, CEO and Chief Architect at E-Space, a global space company focused on bridging Earth and space with the world’s most sustainable low Earth orbit (LEO) satellite network.
With E-Space, Greg has re-imagined LEO satellite system design, manufacturing, economics and service delivery to overcome the limitations associated with legacy LEO systems. Greg is a recognized technology entrepreneur, engineer and visionary, with a proven track record of creating and growing innovative space companies.
In 2007, he founded O3b Networks, followed by starting OneWeb in 2012. Both have proven successful, leveraging satellite technology to fuel global connectivity missions. Greg holds more than 35 patents related to the design, implementation and use of satellite communications technology.
Hack CYSAT 2023 – World premiere: hacking and recovery of a flying satellite
For the third edition of CYSAT, the biggest European event entirely dedicated to cybersecurity for the space industry, taking place on 26-27 April 2023 at Station F in Paris, the European Space Agency (ESA) set up a satellite test bench to simulate attempts to seize control of OPS-SAT, a nanosatellite operated by the agency for demonstration purposes.
Thales’s offensive cybersecurity team stepped up to the challenge, identifying vulnerabilities that could enable malicious actors to disrupt operation of the ESA satellite.
Thanks to ESA and Thales for their hacking demonstration and involvement to raise awareness on cybersecurity risks in the space industry.
CYSAT 2023: Live from Kyiv with General Oleksandr Potii
Live from Kyiv with General Oleksandr Potii, Deputy Chairman of the State Service of Special Communications and Information Protection of Ukraine
CYSAT 2023: Panel « Protection of space systems in the EU »
Panel moderated by Mathieu Bailly, Director of CYSAT and VP space at CYSEC
Guillaume de La Brosse, Head of Unit – Innovation, start-ups, economics at European Commision DG-DEFIS : Protection of space systems in the EU : a paradigm shift ?
Rodrigo da Costa, executive director of EUSPA : EUSPA and the security of the EU Space Program
Claude Schanet, Deputy Chair Security Accreditation Board at EUSPA : EUSP SAB – EU Space programme’s security accreditation authority
CYSAT 2023: Panel « Information sharing and collective intelligence for the global space industry »
Panel moderated by Florent Rizzo, CEO of CyberinFlight
Erin Miller, Executive Director at SPACE-ISAC
Paul Varela, Security engineer at EUSPA
Andre Adelsbach, VP Group Information and Cyber Security of SES
Samuel Visner, Technical Fellow at MITRE & Vice-chair at Space-ISAC
CYSAT 2023: Panel « Overview of cybersecurity challenges for the IRIS2 constellation »
Panel moderated by Mathieu Bailly, Director of CYSAT and VP Space at CYSEC
Nicolas Guillermin, EU Satellite Navigation Programmes Manager at DG for Defence Industry and Space at European Commission
Christophe Allemand, 4S Strategic Programme Line Manager at ESA
Massimo Mercati, Head of Security Office at ESA
CYSAT 2023: Panel « What are the cybersecurity challenges for the IRIS2 constellation »
Panel moderated by Badia Belkouchi, Head of digital and data at Euroconsult
Yacine Felk, COO and co-founder of CYSEC
Alain Yvon, Head of cybersecurity laboratory at Thales SIX
Etienne Gérain, Information security expert at Priamos
Walter Ballheimer, CEO of Reflex Aerospace
Bertrand Leconte, Ground segment security expert at Airbus Defense and Space
CYSAT 2023: Keynote « The Risk governance model for supply chain cybersecurity in space »
Keynote by Rhea Group :
Matteo Merialdo, director cybersecurity products and engineering
Ana-Maria Matejic, director cybersecurity services and operations
CYSAT 2023: Keynote « The war in Ukraine from a space cybersecurity perspective »
Keynote presented by Clément Poirier, Resident fellow at ESPI
CYSAT 2023: Keynote « The approaches taken by the German Space Agency »
Keynote by Sabine Philip-May, Head of Product Assurance & Project support department at DLR
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
MITRE CALDERA is a framework for automating cyber defense testing. CALDERA is developed by the MITRE Corporation, a nonprofit organization based in the United States. This framework enables cybersecurity professionals to simulate attacks and defense scenarios in a controlled environment.
CALDERA provides a platform for creating, executing, and analyzing attack campaigns using various tactics, techniques, and procedures (TTPs). It allows users to generate realistic threat scenarios, test their defensive capabilities, and assess the effectiveness of their security measures. The framework supports the emulation of adversary behaviors and can be used for red teaming, threat intelligence analysis, and security tool evaluation. CALDERA aims to enhance organizations’ ability to detect, respond to, and mitigate cyber threats.
MITRE CALDERA is built on the MITRE ATT&CK™ framework and is an active research project at MITRE.
The framework consists of two components:
1. The core system. This is the framework code, including an asynchronous command-and-control (C2) server with a REST API and a web interface.
2. Plugins. These are separate repositories that hang off of the core framework, providing additional functionality. Examples include agents, GUI interfaces, collections of TTPs and more.
MITRE Caldera™ for OT
At the RSA 2023 conference, MITRE released its MITRE Caldera for OT tool, which allows security teams to run automated adversary emulation exercises that are specifically targeted against operational technology (OT).
As MITRE CALDERA is built on the MITRE ATT&CK™ framework, MITRE Caldera for OT is built on the MITRE ATT&CK™ for ICS framework.
“Cybersecurity within critical infrastructure is paramount for national security, the economy, and the safety of the public,” said Mark Bristow, director, Cyber Infrastructure Protection Innovation Center, MITRE.
“OT and industrial control systems (ICS) need innovative security solutions in order to be more resilient against increasing cyber threats. Often, a compliance-based approach has been taken to ICS cybersecurity which ultimately focuses on ‘easy to measure’ security controls like patch levels and password complexity. Instead, MITRE is offering better ways to measure risk and emulate threats that allow us to prioritize which potential scenarios would have the most impact on essential community services,” Bristow continued.
How can ICS/OT organizations know their cyber defenses are robust?
“During the last few years, OT owners and operators have made significant investments to increase their security postures. While these investments are a great step forward, many of these capabilities have not been thoroughly validated to ensure they are working as designed,” added Bristow. “Instead, MITRE Caldera for OT enables security teams to evaluate their cyber defenses against known OT adversaries.”
OT security teams can leverage MITRE Caldera for OT as an automated, preventive tool to examine their OT cyber environment and determine if there are any existing vulnerabilities that adversaries could exploit or gaps in their security architecture.
MITRE Caldera for OT, as part of the MITRE Caldera framework, provides OT-focused plug-ins to enhance red or blue team training, product testing and evaluation, or even measurement against acceptance testing milestones.
Built on the MITRE ATT&CK for ICS framework, MITRE Caldera for OT emulates the attack path and attacker capabilities that are defined either through ATT&CK for ICS or other custom-built plug-ins.
MITRE Caldera for OT Plugins can be found on Github here (coming soon, around mid-May).
Time to designate space systems as critical infrastructure
Recently, the Cybersecurity Solarium Commission (Solarium CSC 2.0) has endorsed designation of space systems as a critical infrastructure sector.
The Cyberspace Solarium Commission (CSC) was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to « develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences. » The finished report was presented to the public on March 11, 2020. The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 reauthorized the Commission to collect and assess feedback on the analysis and recommendations contained within the final report, review the implementation of the recommendations contained within the final report, and completing the activities originally set forth for the Commission.
Until today, CISA (Cybersecurity and Infrastructure Security Agency), the US Federal Agency, defined a list of the 16 critical infrastructure sectors.
Essential Critical Infrastructure CISA List
In the future, space systems will have to be added to this list of critical infrastructure sectors.
We written an article about this announcement here.
Convergence of IT and OT in the Critical Infrastructure Space systems
Space systems can often be seen as a convergence of IT, OT ans ICS in the Critical Infrastructure Space.
That’s why we often use and apply MITRE ATT&CK for ICS framework to identify attack path abd to know how a space system can be attacked.
Need to learn more about MITRE ATT&CK for ICS framework ?
MITRE ATT&CK for ICS framework is the MITRE ATT&CK framework applied on a specific domain.
The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.
The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page )
Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »
Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)
« The space sector is in need of new frameworks and methodologies specific to our unique operating environment » said Gregory Falco (Aerospace Security & Space Technology Asst. Prof at Johns Hopkins, Cybersecurity PhD from MIT).
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA)
The Aerospace Corporation’s Space Attack Research and Tactic Analysis (SPARTA) framework was already in place. SPARTA is an ATT&CK® like knowledge-base framework but for for Space Missions. SPARTA matrix is intended to provide unclassified information to space professionals about how spacecraft may be compromised due to adversarial actions across the attack lifecycle. You can learn more about SPARTA in our article here.
Space Attack Research and Tactic Analysis (SPARTA) matrix
The SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA
There was also the SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) from ESA. SPACE-SHIELD is an ATT&CK® like knowledge-base framework for Space Systems. It is a collection of adversary tactics and techniques, and a security tool applicable in the Space environment to strengthen the security level. The matrix covers the Space Segment and communication links, and it does not address specific types of mission. You can learn more about SPACE-SHIELD in our article here.
SPACE-SHIELD or ATT&CK Matric for Space
The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
Now, after more than five years spent researching and working on space system cybersecurity, Dr. Jacob Oakley released the Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework.
About Dr. Jacob Oakley
Dr. Jacob Oakley is a cybersecurity professional and author with over 17 years of experience. A foremost expert on offensive cybersecurity, cyber warfare, and space system cybersecurity, he has advised Department of Defense (DoD) and Fortune 500 executives on strategic mitigation of risks and threats to globally distributed, multi-domain network architectures.
Dr. Jacob Oakley
The Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity framework was developed to provide a taxonomy for understanding, protecting against, and decomposing cybersecurity compromises of space-resident systems, otherwise known as space vehicles (SVs).
TREKS is intended to provide a bridge between the existing frameworks available to address, categorize, taxonomize and analyze cybersecurity compromises of traditional terrestrial based network architectures and the future of cybersecurity for space where those frameworks become more applicable as compromises become more frequent, prolific, and acknowledged. This framework can provide a taxonomy that can be used to characterize foundational aspects of cyber threats to SVs in a way that allows for the identification of trends and enables analysis of this niche target set at the intersection of the space and cyber domains.
Targeting, Reconnaissance, & Exploitation Kill-Chain for Space Vehicles (TREKS) Cybersecurity Framework
« This framework should be utilized to typify a space vehicle (SV) as a target, based on the function of that SV and an actor’s motivation for targeting it, tying those compromise characteristics to what vectors could be leveraged to exploit subsystems and execute effects related to said motivation. The initial version of this framework could be seen as satellite centric, but the intent is to continuously build out the understandings surrounding this taxonomy to best incorporate all manner of SVs, from satellites to weapons to crewed vessels, labs and beyond. » said Dr. Jacob Oakley.
The TREKS Companion: A Guidebook to the TREKS Cybersecurity Framework
The purpose of this guidebook is to act as a reference to the included TREKS cybersecurity framework and aid in its use by the offensive and defensive cybersecurity communities as well as space system owners and operators.
About future work
This guidebook will continue to be a living document, edited, and updated based on feedback from both the space and cyber communities, with new versions released as appropriate.
As was stated at the beginning of this guidebook, this is intended to be a continuously updated living document to make it easier to leverage and utilize the TREKS cybersecurity framework and act as a mechanism to keep the framework itself up to date.
« Like the Aerospace Corporation’s SPARTA framework contextualizes unique vulnerabilities and countermeasures for the space vehicle, the TREKS framework highlights the unique kill chain for the space vehicle. I encourage Space ISAC and others deep in the weeds of space cyber ops to consider leveraging this » said Gregory Falco.
For usage and licensing information please visit the treksframework.org website.
CYSAT 2023 is over. It’s time to review everything that has happened during this amazing event. But first, let’s remember what CYSAT is.
CYSAT is the leading European cybersecurity and space exhibition that took place 26th-27th April in Paris (Station F). This is the biggest European event entirely focused on cybersecurity for the space industry.
Since 2021, the event brings space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT highlighted Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
To find the full programme and more information on the event, visit: https://cysat.eu/
Mathieu Bailly, VP at CYSEC, Co-founder and Director of CYSAT, has published on his linkedin profile about the Hacking demo at CYSAT 2023: world first or « déjà vu »❓ Here is what he knows 👇
We publish these key takeaways below with his permission. Thank’s to Mathieu for sharing whith us its key takeaways.
Mathieu Bailly, VP Space chez CYSEC et Directeur de CYSAT
#Hacking demo at CYSAT 2023: world first or « déjà vu »❓Here is what I know 👇
The exact claim is first « ethical hacking demonstration performed on a flying satellite » 🏅
⚠️ Every word counts!
1️⃣ in the real world
Since satellites have been used for intelligence and military communications oh boy they’ve suffered many cyber attacks. Some have been successful, many haven’t.
I’d say most of the « attacks » publicly disclosed have not actually managed to disturb the nominal operations of the space segment
Examples include the Luch-Olympe fly-by, the Viasat attack (the Ka-sat satellite is still working perfectly fine!), all the jamming / spoofing attacks in the black Sea or Iran, etc etc
For the very few which seem to be related to the space segment I’d be very careful as most of the time the actual facts remain scarce and hard to prove (example: ROSAT story in 1998)
2️⃣ Security research
Some researchers did some really interesting stuff to point out the vulnerabilities of space systems but to my best knowledge never actually went all the way
I’m thinking about James Pavur for example that was among the pioneers in space security. He made a big splash by showing he was able to #eavesdrop quite easily on sensitive data transmitted by satellite 📡 but never performed an experiment on the satellite itself.
3️⃣ Ethical hacking
In terms of ethical hacking the number one reference is the US Air Force competition Hack-a-sat.
💬 « it’s been done already in Hack-a-sat » is the number one comment I’ve read below the CYSAT articles.
Well, no. Not yet exactly.
Hack-a-sat 1, 2 and 3 were done on the ground. On flatsats. Nothing was flying in orbit. Check out the testimonials of European hackers at CYSAT 2021 and 2022.
However it is true that hackers will get the chance to hack « Moonlighter », a flying 3U cubesat during Hack-a-sat 4 later this year 👾
4️⃣ Hack CYSAT 2022
There is also a bit of confusion regarding of what happened last year.
We had this idea of hacking a flying satellite back in the summer 2021 with CYSEC CEO and CYSAT co-founder Patrick Trinkler.
It took us a while to find a satellite operator that was okay to let hackers play with it
Finally I heard of OPS-SAT which I thought would be the ideal spacecraft to do a security demo.
Then it took David Evans and I some time to build the case to ESA’s management.
Finally in February 2022 we published the Hack CYSAT open call to invite hackers to submit their ideas, among them Didelot Maurice-Michel that blogged about a vulnerability he spotted and told ESA to fix it, which ESA did. But nothing was done on the 🛰️
5️⃣ random articles
Various articles out there are mixing the words « satellite » and « hacking », like the guys that « hijacked » a satellite to play a movie, etc etc. None of them did what we claim the Thales team did at CYSAT.
👉 So to me it looks like it had never been done before but maybe I’m wrong!
👇 PLEASE comment below if you have other references!
Check this demo in video
All 2023 CYSAT videos are online
All videos about 2023 CYSAT in Paris, the biggest European event around cybersecurity for commercial space, are online and can be seen here.
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
CYSAT 2023 is over. It’s time to review everything that has happened during this amazing event. But first, let’s remember what CYSAT is.
CYSAT is the leading European cybersecurity and space exhibition that took place 26th-27th April in Paris (Station F). This is the biggest European event entirely focused on cybersecurity for the space industry.
Since 2021, the event brings space and cybersecurity experts together to create a European ecosystem capable of responding to the current and future challenges faced by the European space industry.
Faced with cybersecurity challenges and the growing importance of data protection in space, it is crucial to bring together communities of cybersecurity experts to build a European ecosystem capable of addressing current and future industry challenges.
Last years’ event saw more than 450 space specialists, decision-makers and experts come together. In its third year, CYSAT highlighted Europe’s cybersecurity capabilities and solutions dedicated to space from both a technological and geostrategic perspective.
To find the full programme and more information on the event, visit: https://cysat.eu/
Mathieu Bailly, VP at CYSEC, Co-founder and Director of CYSAT, has published on his linkedin profile what was the point of the Thales demo at CYSAT. First, Mathieu what was NOT part of the demo.
We publish these key takeaways below with his permission. Thank’s to Mathieu for sharing whith us its key takeaways.
Mathieu Bailly, VP Space chez CYSEC et Directeur de CYSAT
For the short-medium term it is reasonable to assume that cyber attacks on space systems disturbing the nominal operations of the mission (i.e. taking control of the spacecraft bus and/or payload but excluding eavesdropping) remain ground-based.
That means discarding scenarios involving rogue satellites with capabilities to perform non-cooperative rendez-vous. To me that’s fair for the next 5 years.
2 main scenarios:
1. the spacecraft is flying and operational
👉 then the attacker has to go through the ground segment (mission control, ground stations, etc) before reaching the spacecraft
👉 the attacker is capable to send TMTC that are valid and executed on board without the operator noticing or able to react (e..g via its own ground stations)
2. the spacecraft is under development on ground (design, assembly, test, transport, launch)
👉 the attacker manages to access information (e.g. cryptographic keys) or to install a malware / backdoor on board (e.g. corrupting the flight control software)
These are the typical scenarios with the biggest likelihood x severity scores.
👉 None of the above were covered by the Thales demo since the ground segment was out of the scope as the team was granted the access to OPS-SAT (as any other experimenter).
2️⃣ On-board: not representative of most missions ❌
🔹On-board, OPS-SAT is also very « unique » since it’s been pioneering many technology innovation like flying Linux, re-configuring FPGAs on a daily basis, etc (read all OPS-SAT firsts here 🔗 https://lnkd.in/eC3eDgDv) 💪
👉 So the demo by Thales has been done a spacecraft that is currently not representative of the current missions in operations or close to the launch pad (especially institutional missions!)
❓ So what was the point of this demo then ❓
I’m getting there!
🔹The point was to show that current space tech trends (advanced on-board processing, regular in-orbit reconfiguration, as a service models, etc) are all great progress that will soon be adopted by most operators BUT that come at the expense of greater cyber risks 👾
🔹And currently the space industry (especially #newspace) is embracing these innovations without the security culture that should come with it 🤠
👉That’s why showing how security experts can manipulate data, take control of the Attitude and Control system of a modern spacecraft by using various methods of privilege escalation exploiting flaws on access management and Linux helps to spread the word: 📢 BE PREPARED!
Summary of the full attack flow
Summary of the full Thales attack flow
Check this demo in video
An analysis of the CYSAT 2023 Demo by SPARTA team
Brandon Bailey & Brad Roeher from the SPARTA team analyzed, in this article, Thales Group’s CYSAT ’23 presentation material to deconstruct the experiment, extract lessons learned, and document potential countermeasures.
The SPARTA (Space Attack Research and Tactic Analysis) Framework was used to identify the tactics, techniques, and associated countermeasures associated with the experiment/attack.
They utilized the SPARTA Navigator tool to construct the attack chain and generated an Excel export to pinpoint relevant countermeasures. Subsequently, a thorough analysis is conducted to ensure the applicability of the associated countermeasures to the specific Tactics, Techniques, and Procedures (TTPs).
The SPARTA Navigator proves invaluable in presenting a comprehensive array of countermeasures categorized by defense-in-depth, effectively minimizing the risk posed by TTPs. By leveraging the SPARTA Navigator, we successfully map the attack chain to SPARTA TTPs, as exemplified below.
Upon exporting the data from the SPARTA Navigator, they have identified eight countermeasures. Out of these, five pertain to terrestrial countermeasures intended to prevent vulnerable software from infiltrating the spacecraft. The remaining three countermeasures are implemented onboard the spacecraft itself, serving to protect against and/or detect the TTPs executed during the experiment.
All videos about 2023 CYSAT in Paris, the biggest European event around cybersecurity for commercial space, are online and can be seen here.
A propos de CYSEC
CYSEC is a Franco-Swiss cybersecurity company that is a pioneer in the protection of satellites and data collected and transmitted in space.
The company has just launched two security products in 2023, ARCA SATCOM dedicated to the satellite internet market, and ARCA SATLINK dedicated to constellation operators.
In March of 2022, Network battalion 65 (NB65), a hacktivist affiliate of Anonymous, publicly asserted its successful breach of ROSCOSMOS’s satellite imaging capabilities in...
I february 2024, I successfully passed the Certificate of Competence in Zero Trust (CCZT) from the Cloud Security Alliance (CSA).
This certificate is a logical...
Cet article est issu d'un post de Stéphane MORICO (Information Security Analyst | CEO @SMRC) sur LinkedIn.
Le hors série "Space Cybersecurity" édité par PenTest et...
Tim Fowler will provide a training course called "Introduction to Cybersecurity in Space Systems" at "The Most Offensive Con that Ever Offensived – Bypass...
Angelina Tsuboi is a programmer, mechatronics developer and Engineer, a pilot, a Scientific Researcher and cybersecurity researcher. She is currently working for NASA. She...
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...
Avec l'aimable autorisation de Martial Le Guédard, nous reproduisons ci-dessous sa cartographie au sujet des différents acteurs étatiques évoluant dans le domaine du Cyber...
L'illustration ci-dessous est une carte heuristique qui présente les services spécialisés de la communauté du renseignement du 1er cercle. Cette cartographie est mise à...
A la différence des attaques électroniques qui interférent avec la transmission des signaux de Radio Fréquence, les cyberattaques visent quant à elles, les données...
Here is what I know 
