{"id":3321,"date":"2026-03-17T14:37:47","date_gmt":"2026-03-17T13:37:47","guid":{"rendered":"https:\/\/www.spacesecurity.info\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/"},"modified":"2026-03-17T14:46:37","modified_gmt":"2026-03-17T13:46:37","slug":"mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks","status":"publish","type":"post","link":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/","title":{"rendered":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks"},"content":{"rendered":"<h1>Disclaimer<\/h1>\n<p>Please be informed that the analysis detailed in this article is entirely separate from the hacking experiment conducted by the Thales team on the satellite.<\/p>\n<p>Both activities are independent of each other and were carried out by different teams. There is no association between me and the team that conducted the hacking experiment.<\/p>\n<p>This work is conducted on a personal basis and is independent of my work at Thales. Thales is in no way involved in this work, and Thales\u2019s responsibilities cannot be engaged under any circumstances.<\/p>\n<p>All slides embedded in this article are public slides presented by Thales during the CYSAT 2023 conference and available in the Youtube video which presents the Thales experiment.<\/p>\n<h1>Purpose of the article<\/h1>\n<p>Recently, MITRE released the Embedded Systems Threat Matrix (ESTM), a new ATT&amp;CK-style cybersecurity framework tailored to protect embedded systems through adversary tactics, techniques, and procedures (TTPs).<\/p>\n<p>In a previous analysis, <a href=\"https:\/\/www.spacesecurity.info\/an-analysis-of-the-thales-satellite-hacking-demo-at-cysat-2023-with-the-mitre-emb3d-threat-model\/\">I applied the MITRE EMB3D\u2122 Threat Model to dissect the Thales satellite hacking demonstration from CYSAT 2023, identifying key vulnerabilities and countermeasures across OPS-SAT&#8217;s attack chain<\/a>.<\/p>\n<p>This article replicates the study but using ESTM, mapping EMB3D Threat IDs to ESTM TTPs to demonstrate their practical complementarity.<\/p>\n<p>The result showcases how these frameworks complement each other, EMB3D for secure-by-design threat modeling, ESTM for offensive kill-chain analysis, enabling comprehensive defense for space and embedded systems.<\/p>\n<p>I also take this opportunity to highlight the TTPs identified by Brandon Bailey &amp; Brad Roeher from the SPARTA team, who used the SPARTA framework to deconstruct the experiment.<\/p>\n<ul>\n<li><a href=\"https:\/\/medium.com\/the-aerospace-corporation\/hacking-an-on-orbit-satellite-an-analysis-of-the-cysat-2023-demo-ae241e5b8ee5\">To know more about the SPARTA team study<\/a><\/li>\n<li><a href=\"https:\/\/www.spacesecurity.info\/aerospace-corporation-released-sparta-v1-3-a-new-version-of-the-space-attack-research-and-tactic-analysis-sparta-matrix\/\">To know more about the SPARTA Framework<\/a><\/li>\n<\/ul>\n<h2>More about the Thales hacking demo at CYSAT 2023 on the OPS-SAT satellite<\/h2>\n<p>To know more about the Thales hacking demo at CYSAT 2023, I encourage you to visit the following pages\u00a0<a href=\"https:\/\/www.spacesecurity.info\/thales-demo-at-cysat-what-was-the-point-again\/\">here<\/a>,\u00a0<a href=\"https:\/\/www.spacesecurity.info\/hacking-demo-at-cysat-2023-world-first-or-deja-vu%e2%9d%93-here-is-what-i-know-%f0%9f%91%87\/\">here<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.spacesecurity.info\/an-analysis-of-the-thales-satellite-hacking-demo-at-cysat-2023-with-the-mitre-emb3d-threat-model\/\">here<\/a>\u00a0where the results of the ethical satellite hacking exercise is detailed.<\/p>\n<p>To know more about the Thales hacking demo at CYSAT 2023, I encourage you to visit the following page\u00a0<a href=\"https:\/\/www.spacesecurity.info\/an-analysis-of-the-thales-satellite-hacking-demo-at-cysat-2023-with-the-mitre-emb3d-threat-model\/\">here<\/a>\u00a0where OPS-SAT, a small, CubeSat-class satellite developed by the European Space Agency (ESA) to serve as a testbed for innovative software, systems, and operational concepts in space, is detailed.<\/p>\n<h1>More about EMB3D and ESTM<\/h1>\n<ul>\n<li><a href=\"https:\/\/www.spacesecurity.info\/mitre-releases-emb3d-a-cybersecurity-threat-model-for-embedded-devices\/\">To know more about MITRE EMB3D<\/a><\/li>\n<li><a href=\"https:\/\/www.spacesecurity.info\/introducing-the-new-mitre-embedded-systems-threat-matrix-estm\/\">To know more about MITRE ESTM<\/a><\/li>\n<li><a href=\"https:\/\/www.spacesecurity.info\/exploring-how-the-new-mitre-estm-embedded-systems-threat-matrix-can-work-in-conjunction-with-the-existing-mitre-emb3d-threat-model\/\">To understand how MITRE ESTM and MITRE EMB3D can work together<\/a><\/li>\n<\/ul>\n<h1>Methodology<\/h1>\n<p>To bridge EMB3D and ESTM, I followed a structured mapping process across the five-step OPS-SAT attack chain documented in my prior EMB3D analysis. For each step, I identified relevant EMB3D Threat IDs (TIDs) based on device properties and vulnerabilities exploited by Thales.<\/p>\n<p>These TIDs were then mapped to ESTM&#8217;s tactics (e.g., Initial Access, Persistence) and embedded-specific techniques (e.g., Firmware Injection, Bus Interception), drawing from ESTM&#8217;s ATT&amp;CK-inspired structure tailored to hardware\/firmware realities.<\/p>\n<p>This bidirectional approach validates EMB3D mitigations against realistic adversary TTPs while highlighting ESTM gaps for space systems like OPS-SAT.<\/p>\n<h1>OPS-SAT Attack Chain Mapping<\/h1>\n<p>Now let&#8217;s apply this methodology to the Thales OPS-SAT demo, breaking down each of the five attack steps with their corresponding EMB3D TIDs and ESTM TTP mappings.<\/p>\n<p>The figure below is showing a summary of the full attack flow used by the Thales team to conduct the attack on OPS-SAT.<\/p>\n<figure id=\"attachment_3113\" aria-describedby=\"caption-attachment-3113\" style=\"width: 940px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3113 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow.jpg\" alt=\"\" width=\"940\" height=\"538\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow.jpg 940w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow-300x172.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow-768x440.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Summary-of-the-full-attack-flow-696x398.jpg 696w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/a><figcaption id=\"caption-attachment-3113\" class=\"wp-caption-text\">Figure 1: Summary of the full attack flow (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<p><strong>Step 1: Unsafe Java Deserialization<\/strong><\/p>\n<p>To introduce the compromised or flawed software onto the spacecraft, the team needed to bypass security checks and evaluations. To achieve their objective, they introduced a deserialization vulnerability into the software, enabling defensive mechanism evasion and potential exploitation for executing arbitrary commands.<\/p>\n<figure id=\"attachment_3094\" aria-describedby=\"caption-attachment-3094\" style=\"width: 926px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3094 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization.jpg\" alt=\"\" width=\"926\" height=\"524\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization.jpg 926w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization-300x170.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization-768x435.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Deserialization-696x394.jpg 696w\" sizes=\"auto, (max-width: 926px) 100vw, 926px\" \/><\/a><figcaption id=\"caption-attachment-3094\" class=\"wp-caption-text\">Figure 2: The Deserialization Vulnerability (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr style=\"background-color: #e3dede;\">\n<td style=\"width: 16.6667%;\"><strong>EMB3D Threat ID<\/strong><\/td>\n<td style=\"width: 16.6667%;\"><strong>SPARTA TTPs<\/strong><\/td>\n<td style=\"width: 33.3333%;\"><strong>ESTM TTPs<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-326.html\">EMB3D.TID-326<\/a>: Insecure Deserialization<\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/EX-0009\/\">SPARTA.EX-0009<\/a>: Exploit Code Flaws<\/li>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/EX-0009\/01\/\">SPARTA.EX-0009.01<\/a>: Exploit Code Flaws: Flight Software<\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 33.3333%;\">\n<ul>\n<li>EST000131: Application Deployment Software<\/li>\n<li>EST000134: Remote File Copy<\/li>\n<li>EST000160: Program Upload<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Others proposed ESTM TTPs for step 1 :<\/strong><\/p>\n<p>As the ground segment use a ground proxy to connect to the space segment, I propose to add the following ESTM TTPs<\/p>\n<ul>\n<li>EST000021: Execute via Trusted Developer Utilities<\/li>\n<li>EST000073: Evasive Connection Proxy<\/li>\n<li>EST000094: Evade via Trusted Developer Utilities<\/li>\n<li>EST000167: C2 Connection Proxy<\/li>\n<\/ul>\n<div><\/div>\n<figure id=\"attachment_3098\" aria-describedby=\"caption-attachment-3098\" style=\"width: 926px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3098 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success.jpg\" alt=\"\" width=\"926\" height=\"526\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success.jpg 926w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success-300x170.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success-768x436.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Stay-Undetected-Success-696x395.jpg 696w\" sizes=\"auto, (max-width: 926px) 100vw, 926px\" \/><\/a><figcaption id=\"caption-attachment-3098\" class=\"wp-caption-text\">Figure 3: Stay Undetected \u2013 Success! (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<p><strong>Step 2: Applications Binaries Modified\u00a0<\/strong><\/p>\n<p>Once the insecure deserialization achieved, the team uploaded a malicious code with the deserialization vulnerability to modify the application-level binaries on the remote device to introduce unauthorized code and to execute arbitrary commands on the remote system.<\/p>\n<figure id=\"attachment_3096\" aria-describedby=\"caption-attachment-3096\" style=\"width: 932px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3096 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified.jpg\" alt=\"\" width=\"932\" height=\"526\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified.jpg 932w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified-300x169.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified-768x433.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Applications-Binaries-Modified-696x393.jpg 696w\" sizes=\"auto, (max-width: 932px) 100vw, 932px\" \/><\/a><figcaption id=\"caption-attachment-3096\" class=\"wp-caption-text\">Figure 4: Stay Undetected \u2013 Execute Arbitrary Commands (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<figure id=\"attachment_3096\" class=\"wp-caption alignnone\" aria-describedby=\"caption-attachment-3096\"><\/figure>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr style=\"background-color: #e3dede;\">\n<td style=\"width: 33.3333%;\"><strong>EMB3D Threat ID<\/strong><\/td>\n<td style=\"width: 16.6667%;\"><strong>SPARTA TTPs<\/strong><\/td>\n<td style=\"width: 33.3333%;\"><strong>ESTM TTPs<\/strong><\/td>\n<\/tr>\n<tr>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-301.html\">EMB3D.TID-301<\/a>: Applications Binaries Modified<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-302.html\">EMB3D.TID-302<\/a>: Install Untrusted Application<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-307.html\">EMB3D.TID-307<\/a>: Device Code Representations Inconsistent<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-308.html\">EMB3D.TID-308<\/a>: Code Overwritten to Avoid Detection<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-309.html\">EMB3D.TID-309<\/a>: Device Exploits Engineering Workstation<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/IA-0001\/02\/\">SPARTA IA-0001.02<\/a>: Compromise Supply Chain: Software Supply Chain<\/li>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/IA-0006\/\">SPARTA IA-0006<\/a>: Compromise Hosted Payload<\/li>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/RD-0003\/01\/\">SPARTA RD-0003.01<\/a>: Exploit\/Payload<\/li>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/RD-0004\/02\/\">SPARTA RD-0004.02<\/a>: Upload Exploit\/Payload<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li>EST000089: Process Injection<\/li>\n<li>EST000020: Service Execution<\/li>\n<li>EST000036: Persistent Firmware<\/li>\n<li>EST000210: Malicious Firmware Implant<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Step 3: Privilege Escalation via CAN Bus<\/strong><\/p>\n<p>At this stage, their app runs as an unprivileged Linux user and has no direct access to sensors but though the supervisor. Their objective is now to find system configuration issues or vulnerabilities to realize a privilege escalation from user to root.<\/p>\n<p>They identified that anyone can talk on the CAN bus, including unprivileged apps. And then, all commands send on the CAN bus are executing as root by a client that runs as root and that decodes and executes as root whatever command it receives.<\/p>\n<figure id=\"attachment_3100\" aria-describedby=\"caption-attachment-3100\" style=\"width: 940px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3100 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation.jpg\" alt=\"\" width=\"940\" height=\"532\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation.jpg 940w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation-300x170.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation-768x435.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Privilege-Escalation-696x394.jpg 696w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/a><figcaption id=\"caption-attachment-3100\" class=\"wp-caption-text\">Figure 5: Taking Control \u2013 Privilege Escalation from User to Root (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<table style=\"border-collapse: collapse; width: 100%; height: 52px;\">\n<tbody>\n<tr style=\"background-color: #e3dede;\">\n<td style=\"width: 33.3333%; height: 26px;\"><strong>EMB3D Threat ID<\/strong><\/td>\n<td style=\"width: 16.6667%;\"><strong>SPARTA TTPs<\/strong><\/td>\n<td style=\"width: 33.3333%;\"><strong>ESTM TTPs<\/strong><\/td>\n<\/tr>\n<tr>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-114.html\">EMB3D.TID-114<\/a>: Peripheral Data Bus Interception<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-412.html\">EMB3D.TID-412<\/a>: Network Routing Capability Abuse<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-204.html\">EMB3D.TID-204<\/a>: Untrusted Programs Can Access Privileged OS Functions<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-219.html\">EMB3D.TID-219<\/a>: OS\/Kernel Privilege Escalation<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/EX-0009\/02\/\">SPARTA EX-0009.02<\/a>: Exploit Code Flaws: Operating System<\/li>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/LM-0002\/\">SPARTA LM-0002<\/a>: Exploit Lack of Bus Segregation<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li>EST000006: Access via Valid Accounts<\/li>\n<li>EST000047: Path Interception<\/li>\n<li>EST000062: Privilege Escalation via Direct Connect System<\/li>\n<li>EST000085: Bus Communication Masquerading<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<figure id=\"attachment_3102\" aria-describedby=\"caption-attachment-3102\" style=\"width: 942px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3102 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Arbitrary-Code-Execution.jpg\" alt=\"\" width=\"942\" height=\"540\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Arbitrary-Code-Execution.jpg 942w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Arbitrary-Code-Execution-300x172.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Arbitrary-Code-Execution-768x440.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Arbitrary-Code-Execution-696x399.jpg 696w\" sizes=\"auto, (max-width: 942px) 100vw, 942px\" \/><figcaption id=\"caption-attachment-3102\" class=\"wp-caption-text\">Figure 6: Taking Control \u2013 Arbitrary Code Execution as Root (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<p><strong>Step 4: Persistence<\/strong><\/p>\n<p>At this stage, the app escalated as root. Now, the team needed to ensure persistent effects on sensors. They identified a jar library on the Supervisor that is writable by root user. A jar is simply a zip file, with compiled Java bytecode inside. The team crafted a bytecode based on the original one, and simply replace some files inside the jar. The supervisor now runs the jar containing the malicious bytecode.<\/p>\n<figure id=\"attachment_3104\" aria-describedby=\"caption-attachment-3104\" style=\"width: 934px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3104 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance.jpg\" alt=\"\" width=\"934\" height=\"534\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance.jpg 934w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance-300x172.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance-768x439.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Persistance-696x398.jpg 696w\" sizes=\"auto, (max-width: 934px) 100vw, 934px\" \/><\/a><figcaption id=\"caption-attachment-3104\" class=\"wp-caption-text\">Figure 7: Persistence \u2013 Injection of a Jar Library (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<figure id=\"attachment_3104\" class=\"wp-caption alignnone\" aria-describedby=\"caption-attachment-3104\"><\/figure>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr style=\"background-color: #e3dede;\">\n<td style=\"width: 33.3333%;\"><strong>EMB3D Threat ID<\/strong><\/td>\n<td style=\"width: 16.6667%;\"><strong>SPARTA TTPs<\/strong><\/td>\n<td style=\"width: 33.3333%;\"><strong>ESTM TTPs<\/strong><\/td>\n<\/tr>\n<tr>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-304\">EMB3D.TID-304<\/a>: Manipulate Runtime Environment<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-305.html\">EMB3D.TID-305<\/a>: Program Executes Dangerous System Calls<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-203.html\">EMB3D.TID-203<\/a>: Malicious OS Kernel Driver\/Module Installable<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-202.html\">EMB3D.TID-202<\/a>: Exploitable System Network Stack Component<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-307.html\">EMB3D.TID-307<\/a>: Device Code Representations Inconsistent<\/li>\n<li><a href=\"https:\/\/emb3d.mitre.org\/threats\/TID-308.html\">EMB3D.TID-308<\/a>: Code Overwritten to Avoid Detection<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/PER-0002\/02\/\">SPARTA PER-0002.02<\/a>: Backdoor: Software<\/li>\n<\/ul>\n<\/td>\n<td class=\"border-subtlest px-sm min-w-[48px] break-normal border-b border-r last:border-r-0\" style=\"width: 33.3333%;\">\n<ul>\n<li>EST000039: File System Permissions Weakness<\/li>\n<li>EST000041: Persistence Hooking<\/li>\n<li>EST000054: Persistence via Valid Accounts<\/li>\n<li>EST000061: Operational Data Files<\/li>\n<li>EST000084: Process Masquerading<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Step 5: OPS-SAT attack by tampering with camera and ADCS\u00a0<\/strong><\/p>\n<p>Once the team escalated as root and ensured persistency, they took control on the supervisor and the demo effects was achieved.<\/p>\n<figure id=\"attachment_3106\" aria-describedby=\"caption-attachment-3106\" style=\"width: 930px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3106 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects.jpg\" alt=\"\" width=\"930\" height=\"526\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects.jpg 930w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects-300x170.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects-768x434.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/THALES-OPS-SAT-Demo-Effects-696x394.jpg 696w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/><\/a><figcaption id=\"caption-attachment-3106\" class=\"wp-caption-text\">Figure 8: Demo Effects \u2013 Tampering with Camera &amp; ADCS (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<figure id=\"attachment_3106\" class=\"wp-caption alignnone\" aria-describedby=\"caption-attachment-3106\"><\/figure>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr style=\"background-color: #e3dede;\">\n<td style=\"width: 33.3333%;\"><strong>EMB3D Implied Threats<\/strong><\/td>\n<td style=\"width: 16.6667%;\"><strong>SPARTA TTPs<\/strong><\/td>\n<td style=\"width: 33.3333%;\"><strong>ESTM TTPs<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 33.3333%;\">Sensor\/Actuator Tampering<\/td>\n<td style=\"width: 16.6667%;\">\n<ul>\n<li><a href=\"https:\/\/sparta.aerospace.org\/technique\/EX-0012\/06\/\">SPARTA EX-0007.02<\/a>: Modify On\u2011Board Values: Science\/Payload Data<\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 33.3333%;\">\n<ul>\n<li>EST000145: Audio Capture<\/li>\n<li>EST000153: Video Capture<\/li>\n<li>EST000155: Capture Camera<\/li>\n<li>EST000165: Intercept Sensor Data Prior to Processing<\/li>\n<li>EST000193: Data Manipulation<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Step 6: Other potential effects (but non demonstrated)<br \/>\n<\/strong><\/p>\n<p>When adversaries target a spacecraft, their primary goal is often to disrupt the mission. This disruption can involve compromising imagery, intercepting signals, or other mission-critical functions. Thales Group demonstrated this by successfully manipulating the payload data transmitted from the spacecraft. They also identified additional potential impacts that could occur if attackers gain further access and maintain their presence, though these were not carried out. With root access and ongoing control, the range of possible attacks becomes virtually unlimited.<\/p>\n<ul>\n<li>They could alter\/delete all images captured by the camera<\/li>\n<li>They could override satellite attitude requested by other apps<\/li>\n<li>This also provides persistence for the malicious code since the supervisor starts early and is almost always running<\/li>\n<\/ul>\n<figure id=\"attachment_3116\" aria-describedby=\"caption-attachment-3116\" style=\"width: 954px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3116 size-full\" src=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects.jpg\" alt=\"\" width=\"954\" height=\"542\" srcset=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects.jpg 954w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects-300x170.jpg 300w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects-768x436.jpg 768w, https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2025\/03\/Others-Potential-Effects-696x395.jpg 696w\" sizes=\"auto, (max-width: 954px) 100vw, 954px\" \/><\/a><figcaption id=\"caption-attachment-3116\" class=\"wp-caption-text\">Figure 9: Other Potential Effects (Slide courtesy Thales Group)<\/figcaption><\/figure>\n<h1>Observations<\/h1>\n<p><strong>Complementarity<\/strong>:\u00a0EMB3D and ESTM are genuinely complementary<\/p>\n<ul>\n<li><strong>EMB3D<\/strong> models threats from <strong>device properties<\/strong> (hardware, firmware, software, comms, safety features) \u2192 threats \u2192 mitigations (secure-by-design focus).<\/li>\n<li><strong>ESTM<\/strong> captures <strong>adversary TTPs<\/strong> across the full embedded attack chain (recon, initial access, firmware manipulation, bus abuse, impact) in ATT&amp;CK-style matrix format.<\/li>\n<\/ul>\n<p><strong>Mapping Reality<\/strong>: Not all EMB3D TIDs have a direct equivalent to ESTM techniques:<\/p>\n<ul>\n<li><strong>Good coverage<\/strong>: TID-326 (unsafe deserialization), TID-301\/302 (binary mods), TID-114 (bus interception) \u2192 clear ESTM Initial Access\/Persistence\/Lateral Movement equivalents.<\/li>\n<li><strong>Software gaps<\/strong>: Pure software exploits (TID-305 dangerous syscalls, TID-204 untrusted program access) fall in ESTM&#8217;s &#8220;Execution\/Privilege Escalation&#8221; but lack embedded-specific granularity vs. enterprise ATT&amp;CK.<\/li>\n<li><strong>Hardware strength<\/strong>: ESTM shines on bus interception (CAN\/SpaceWire), firmware persistence, boot tampering \u2192 areas where EMB3D stays higher-level.<\/li>\n<\/ul>\n<p><strong>Practical Takeaway<\/strong><\/p>\n<p>Use EMB3D first for architecture review (derive requirements\/mitigations), then ESTM to validate those mitigations block realistic embedded TTPs. The OPS-SAT case proves this works across space systems.<\/p>\n<h1>Conclusion<\/h1>\n<p><strong>Practical Complementarity Proven<\/strong><\/p>\n<p>The OPS-SAT attack chain mapping confirms EMB3D and ESTM work powerfully together: EMB3D identifies threats from device properties (hardware \u2192 software \u2192 mitigations), while ESTM captures adversary TTPs across the embedded kill chain (firmware exploits, bus abuse, persistence).<\/p>\n<p><strong>Mapping Insights<\/strong><\/p>\n<ul>\n<li><strong>Strong alignment<\/strong>: Bus interception (TID-114), binary modification (TID-301\/302), kernel persistence (TID-203) map cleanly to ESTM&#8217;s hardware\/firmware tactics.<\/li>\n<li><strong>Software gaps<\/strong>: Pure software exploits (TID-326 deserialization, TID-305 syscalls) find equivalents in ESTM&#8217;s Execution\/Privilege Escalation tactics but lack the embedded-specific granularity of hardware-focused techniques.<\/li>\n<\/ul>\n<p><strong>Actionable Workflow<\/strong><\/p>\n<ol>\n<li><strong>EMB3D first<\/strong>: Model device properties \u2192 derive mitigations during design.<\/li>\n<li><strong>ESTM validation<\/strong>: Test those mitigations against realistic embedded TTPs.<\/li>\n<li><strong>Iterate<\/strong>: Use gaps to prioritize R&amp;D (software TTPs need more embedded detail).<\/li>\n<\/ol>\n<h1>Space Systems Impact<\/h1>\n<p>For satellite or space programs, this dual-framework approach delivers comprehensive threat coverage from architecture to operations, bridging the secure-by-design and red-team worlds.<\/p>\n<h1>Future work<\/h1>\n<p><strong>Enhanced Risk Mitigation with ESTM Mitigations<\/strong><\/p>\n<p>Future iterations of this analysis will leverage upcoming ESTM versions featuring Associated Mitigations, similar to ATT&amp;CK&#8217;s mitigation guidance. This will enable direct mapping from ESTM TTPs to specific countermeasures (e.g., secure boot enforcement, CAN bus encryption, &#8230;).<\/p>\n<p><strong>Operational Impact<\/strong><\/p>\n<p>This will deliver satellite programs a prioritized mitigation backlog, from Foundational (e.g., disable debug ports) to Leading Edge (e.g., runtime integrity monitoring), directly tied to demonstrated attack chains like Thales&#8217; CYSAT demo.<\/p>\n<p>The combined ESTM+EMB3D methodology positions space cybersecurity as proactive engineering, not reactive forensics. Stay tuned for the mitigations deep-dive!<\/p>\n<h1>Adding SPARTA to have a complete Space Framework<\/h1>\n<p>SPARTA from The Aerospace Corporation rounds out the perfect space cybersecurity stack. SPARTA (Space Attack Research &amp; Tactic Analysis) is the space-mission-specific ATT&amp;CK matrix, tactics\/techniques\/procedures (TTPs) for spacecraft across ground, link, and orbit phases.\u00a0ESTM + EMB3D + SPARTA can offer a full framework for satellites\/space systems<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Disclaimer Please be informed that the analysis detailed in this article is entirely separate from the hacking experiment conducted by the Thales team on the satellite. Both activities are independent of each other and were carried out by different teams. There is no association between me and the team that conducted the hacking experiment. This [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3310,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38,28,19],"tags":[],"class_list":{"0":"post-3321","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-en","8":"category-satellite-en","9":"category-united-states"},"a3_pvc":{"activated":false,"total_views":0,"today_views":0},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info\" \/>\n<meta property=\"og:description\" content=\"Disclaimer Please be informed that the analysis detailed in this article is entirely separate from the hacking experiment conducted by the Thales team on the satellite. Both activities are independent of each other and were carried out by different teams. There is no association between me and the team that conducted the hacking experiment. This [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/\" \/>\n<meta property=\"og:site_name\" content=\"Space &amp; Cybersecurity Info\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-17T13:37:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-17T13:46:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"714\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fran\u00e7ois Quiquet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fran\u00e7ois Quiquet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/\"},\"author\":{\"name\":\"Fran\u00e7ois Quiquet\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#\\\/schema\\\/person\\\/5e36ba49bf1d87a387c9ab60c233013c\"},\"headline\":\"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks\",\"datePublished\":\"2026-03-17T13:37:47+00:00\",\"dateModified\":\"2026-03-17T13:46:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/\"},\"wordCount\":1951,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/MITRE-ESTM-vs-MITRE-EMB3D.jpg\",\"articleSection\":[\"Cyber\",\"Satellite\",\"United-States\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/\",\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/\",\"name\":\"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/MITRE-ESTM-vs-MITRE-EMB3D.jpg\",\"datePublished\":\"2026-03-17T13:37:47+00:00\",\"dateModified\":\"2026-03-17T13:46:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/MITRE-ESTM-vs-MITRE-EMB3D.jpg\",\"contentUrl\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/MITRE-ESTM-vs-MITRE-EMB3D.jpg\",\"width\":1280,\"height\":714},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/\",\"name\":\"Space Cybersecurity Info\",\"description\":\"La cybers\u00e9curit\u00e9 appliqu\u00e9e au domaine de l&#039;espace\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#organization\",\"name\":\"Space Security Info\",\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/SSI-Logo-4.jpg\",\"contentUrl\":\"https:\\\/\\\/www.spacesecurity.info\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/SSI-Logo-4.jpg\",\"width\":594,\"height\":144,\"caption\":\"Space Security Info\"},\"image\":{\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/#\\\/schema\\\/person\\\/5e36ba49bf1d87a387c9ab60c233013c\",\"name\":\"Fran\u00e7ois Quiquet\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g\",\"caption\":\"Fran\u00e7ois Quiquet\"},\"description\":\"(EN) I'm a cybersecurity engineer in network, telecommunication and embedded\\\/integrated systems. Founder of the website spacesecurity.info. Passionate about cybersecurity and space, I share my two passions through this site. My goal is to federate a community around these two themes. Join my LinkedIn Group. (FR) Je suis ing\u00e9nieur cybers\u00e9curit\u00e9 en r\u00e9seau, t\u00e9l\u00e9communication et syst\u00e8mes embarqu\u00e9s et int\u00e9gr\u00e9s. Fondateur du site spacesecurity.info. Passionn\u00e9 de cybers\u00e9curit\u00e9 et du monde de l'espace, j'ai souhait\u00e9 partager mes deux passions \u00e0 travers ce site. Mon objectif est de f\u00e9d\u00e9rer une communaut\u00e9 autour de ces deux th\u00e8mes. Rejoindre mon groupe LinkedIn.\",\"sameAs\":[\"https:\\\/\\\/www.spacesecurity.info\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/francoisquiquet\\\/\"],\"url\":\"https:\\\/\\\/www.spacesecurity.info\\\/en\\\/author\\\/francois\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/","og_locale":"en_US","og_type":"article","og_title":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info","og_description":"Disclaimer Please be informed that the analysis detailed in this article is entirely separate from the hacking experiment conducted by the Thales team on the satellite. Both activities are independent of each other and were carried out by different teams. There is no association between me and the team that conducted the hacking experiment. This [&hellip;]","og_url":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/","og_site_name":"Space &amp; Cybersecurity Info","article_published_time":"2026-03-17T13:37:47+00:00","article_modified_time":"2026-03-17T13:46:37+00:00","og_image":[{"width":1280,"height":714,"url":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg","type":"image\/jpeg"}],"author":"Fran\u00e7ois Quiquet","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fran\u00e7ois Quiquet","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#article","isPartOf":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/"},"author":{"name":"Fran\u00e7ois Quiquet","@id":"https:\/\/www.spacesecurity.info\/en\/#\/schema\/person\/5e36ba49bf1d87a387c9ab60c233013c"},"headline":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks","datePublished":"2026-03-17T13:37:47+00:00","dateModified":"2026-03-17T13:46:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/"},"wordCount":1951,"commentCount":0,"publisher":{"@id":"https:\/\/www.spacesecurity.info\/en\/#organization"},"image":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg","articleSection":["Cyber","Satellite","United-States"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/","url":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/","name":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks - Space &amp; Cybersecurity Info","isPartOf":{"@id":"https:\/\/www.spacesecurity.info\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#primaryimage"},"image":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg","datePublished":"2026-03-17T13:37:47+00:00","dateModified":"2026-03-17T13:46:37+00:00","breadcrumb":{"@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#primaryimage","url":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg","contentUrl":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2026\/03\/MITRE-ESTM-vs-MITRE-EMB3D.jpg","width":1280,"height":714},{"@type":"BreadcrumbList","@id":"https:\/\/www.spacesecurity.info\/en\/mitre-estm-emb3d-in-action-analyzing-ops-sat-through-these-dual-frameworks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.spacesecurity.info\/en\/"},{"@type":"ListItem","position":2,"name":"MITRE ESTM + EMB3D in Action : Analyzing OPS-SAT Through These Dual Frameworks"}]},{"@type":"WebSite","@id":"https:\/\/www.spacesecurity.info\/en\/#website","url":"https:\/\/www.spacesecurity.info\/en\/","name":"Space Cybersecurity Info","description":"La cybers\u00e9curit\u00e9 appliqu\u00e9e au domaine de l&#039;espace","publisher":{"@id":"https:\/\/www.spacesecurity.info\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.spacesecurity.info\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.spacesecurity.info\/en\/#organization","name":"Space Security Info","url":"https:\/\/www.spacesecurity.info\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.spacesecurity.info\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2020\/05\/SSI-Logo-4.jpg","contentUrl":"https:\/\/www.spacesecurity.info\/wp-content\/uploads\/2020\/05\/SSI-Logo-4.jpg","width":594,"height":144,"caption":"Space Security Info"},"image":{"@id":"https:\/\/www.spacesecurity.info\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.spacesecurity.info\/en\/#\/schema\/person\/5e36ba49bf1d87a387c9ab60c233013c","name":"Fran\u00e7ois Quiquet","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e50e669b3dbfb22c278a01d57cebe52e5b3900d3301faa1c4fefe35cd22d2186?s=96&d=mm&r=g","caption":"Fran\u00e7ois Quiquet"},"description":"(EN) I'm a cybersecurity engineer in network, telecommunication and embedded\/integrated systems. Founder of the website spacesecurity.info. Passionate about cybersecurity and space, I share my two passions through this site. My goal is to federate a community around these two themes. Join my LinkedIn Group. (FR) Je suis ing\u00e9nieur cybers\u00e9curit\u00e9 en r\u00e9seau, t\u00e9l\u00e9communication et syst\u00e8mes embarqu\u00e9s et int\u00e9gr\u00e9s. Fondateur du site spacesecurity.info. Passionn\u00e9 de cybers\u00e9curit\u00e9 et du monde de l'espace, j'ai souhait\u00e9 partager mes deux passions \u00e0 travers ce site. Mon objectif est de f\u00e9d\u00e9rer une communaut\u00e9 autour de ces deux th\u00e8mes. Rejoindre mon groupe LinkedIn.","sameAs":["https:\/\/www.spacesecurity.info","https:\/\/www.linkedin.com\/in\/francoisquiquet\/"],"url":"https:\/\/www.spacesecurity.info\/en\/author\/francois\/"}]}},"_links":{"self":[{"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/posts\/3321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/comments?post=3321"}],"version-history":[{"count":3,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/posts\/3321\/revisions"}],"predecessor-version":[{"id":3327,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/posts\/3321\/revisions\/3327"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/media\/3310"}],"wp:attachment":[{"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/media?parent=3321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/categories?post=3321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spacesecurity.info\/en\/wp-json\/wp\/v2\/tags?post=3321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}