Positionspapier Security in Space


05/2024

BDLI Whitepaper

Security for
Space Systems
Content

Introduction
1. Scope of This Document
2. Space Systems Architecture
3. Security by Design for Space Systems
4. Threat Analysis
5. Cyber Security for Space Systems
6. Minimum Requirements for Space Systems
7. Information Security for Space Systems
8. Conclusion

Contact
Sentiana Schwerin
Manager Digitalization,
Cyber Security & UAS/AAM

[email protected]
+49 173 769 7881

German Aerospace Industries Association
(Bundesverband der Deutschen Luft- und Raumfahrtindustrie e. V.)
ATRIUM | Friedrichstr. 60 | 10117 Berlin
Tel. +49 30 2061 40-0 | [email protected]

www.bdli.de

2 Whitepaper: Security for Space Systems


Introduction

Threats to space-based systems are becoming increasingly numerous and complex. It is therefore necessary to address these threats by implementing industry-wide standards. Significant efforts are being made to develop guidelines in this field. For example, the German Federal Office for Information Security (“BSI”) defines the key objective of cyber security for space infrastructures as follows: Strengthening cyber security for space infrastructure with relevance for government, the economy and civil society in order to safeguard the availability of services via secure and trusted communication.¹ For this purpose, the BSI has published a profile and a technical guideline targeting security for space systems.

Documents such as the above help to understand and manage the risks to space missions and ensure secure and successful operations. This is especially important considering the increasing number of satellites in orbit. Managing risks to space missions in a structured way leads to the implementation of necessary cyber security measures for future missions. Space systems security — clearly distinguishing between safety and security — exists to prevent malicious acts against space systems. The aim of space systems security is, therefore, to prevent acts of unlawful interference.

1 https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/IT-Sicherheit-in-Luft-und-Raumfahrt/it-sicherheit-in-luft-und-raumfahrt.html



1. Scope of This Document

This document gives an overview of the national and international efforts regarding the definition of guidelines for the aerospace industry. It explains why and in which way cyber security needs to be implemented for space systems.

For this purpose, space systems architecture is described, followed by an explanation of the security-by-design approach recommended for space systems. Next, a threat analysis shows the main threats that need to be controlled by cyber security measures. Furthermore, industry standards in the fields of cyber security or cyber security of space systems are mentioned. Then, the minimum requirements for space systems are explained, followed by a description of information security for space systems.

2. Space Systems Architecture

In this context, architecture refers to different parts working together or interacting to achieve a specific purpose. Space system architectures are based on the mission they perform, with each mission having a specific architecture. Nevertheless, space systems architectures generally have several components in common. The general architecture can be broken down into three physical parts: the space segment, the launch segment and the ground segment.

Relevant classes of space missions are communication, positioning and navigation, weather, remote sensing and launch. Satellite communications enable the exchange of data across the globe within the footprints of the antennas of the network of communication satellites. Such communication relies on ground telecommunication infrastructure, transmitters and receivers to facilitate critical communications under a wide range of circumstances and situations.²

Satellite positioning and navigation systems enable the location of a position all over the world, on land, the sea, or in the air at any time, allowing continuous information even when using a moving receiver. This is particularly relevant where maps or orientation points are unavailable or limited.³ Meteorological missions consist of a series of satellites providing observations and measurements from orbit for numerical weather prediction and also contributing to climate monitoring.⁴ Finally, remote sensing missions enable the monitoring of the physical characteristics of an area by measuring its reflected and emitted radiation at a distance.

Satellites contain payloads to accomplish their primary mission and the necessary infrastructure for operating the payload.

2 https://www.esa.int/Enabling_Support/Preparing_for_the_Future/Space_for_Earth/Space_for_health/Satellite_communications
3 https://www.esa.int/Enabling_Support/Preparing_for_the_Future/Space_for_Earth/Space_for_health/Satellite_positioning_navigation
4 https://www.esa.int/About_Us/Business_with_ESA/Business_Opportunities/Meteorological_Missions



3. Security by Design for Space Systems

The security-by-design approach ensures that security is incorporated into the system starting from the earliest design phase. Security by design (or secure by design) refers to a range of security practices aiming to create systems that are impenetrable to cyber-attacks. The principles of security by design involve incorporating security measures into the entire life cycle of space systems, including design, development and operation.

Lifecycle phases in focus:

• Conception and design
• Production
• Testing
• Transports
• Commissioning
• Operation
• Decommissioning

Security for space systems is addressed starting from the first lifecycle phase in focus, conception and design. As a result, secure design is integrated into the product from the very start of the project.

4. Threat Analysis

For cyber security measures to be implemented, it is important to get an overview of the relevant threats. Listed below are some of the most urgent threats to space systems:

• Ground-based active interference (agent in the ground station)
• Ground-based adjacent active monitoring and interference (agents with special equipment in neighbouring buildings, etc., with access to the Internet infrastructure or via radio relay to the antenna systems)
• Reading and encrypting optical laser links
• Disruption of connection to the satellite at low elevation
• Space debris (including purposeful creation of space debris)
• Espionage satellites in close encounter/in LEO (e.g. attacking Galileo)



5. Cyber Security for Space Systems

There are several different cyber security standards available. The following standards are amongst the most commonly applied industry-wide standards:

• ISO 27k standards
• NIST standards
• BSI IT-Grundschutz (IT baseline protection) standards
• Further European standards, including EBIOS standards

When it comes to cyber security for space systems, some standards/guidelines have been published just recently or are still under development:

• NIST publications: NISTIR 8270 “Introduction to Cybersecurity for Commercial Satellite Operations”, NISTIR 8323 Rev. 1 “Foundational PNT Profile (Final)”, NISTIR 8401 “Satellite Ground Segment (Final)”
• Planned publication: ECSS-Q-ST-80-10C DIR1 “Space product assurance – Security in space systems lifecycles”

6. Minimum Requirements for Space Systems

The BSI IT-Grundschutz Profile⁵ Space Infrastructures—Minimum Protection for Satellites Covering their Entire Life Cycle defines minimum requirements for space systems. It provides assistance in formulating requirements for minimum protection measures during the planning, manufacturing and operation of a satellite until the end of its mission. It covers at least the basic protection requirements for all types of satellite missions. The described security measures protecting the confidentiality, availability and integrity of information aim to minimise material loss and intangible damage across a satellite’s lifetime.

However, security measures must be adapted to each mission profile. The document also includes a list of relevant assets to be protected (applications, IT systems and premises), an assignment of corresponding BSI IT-Grundschutz modules and a checklist to support the implementation of those security requirements deemed necessary for the respective mission.

5 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/profiles/Profile_Space-Infrastructures.pdf?__blob=publicationFile&v=2



7. Information Security for Space Systems

Apart from the minimum requirements described in the profile, there are security measures that are recommended for space systems. The Technical Guideline⁶ BSI TR-03184 maps relevant security measures to potential threats. Security measures include the following:

Technical security measures are concerned with implementing certain concepts, such as a backup concept, a configuration management concept and a patch management concept. Technical security measures also include the use of specific systems such as intrusion detection and prevention systems or security information and event management systems. In addition, certain methods, such as checksums, need to be applied to check the integrity of sent/received information. One last important aspect is carrying out vulnerability scans or penetration tests.

Additional IT-based security measures are concerned with the use of mobile devices under lock and key, the use of virus protection programs and remote access/remote deletion in case of loss of equipment.

On the other hand, organisational security measures are concerned with the training of staff on specific topics, such as handling certain equipment, as well as general security awareness. Emergency procedures also need to be put in place. For visitors coming to site, rules need to be implemented concerning the visibility of badges and the supervised presence in restricted zones. Another field of organisational security measures includes cyber threat intelligence and intelligence sharing amongst organisations.

Physical security measures consist of measures concerning the setup of secured/restricted areas (including monitored access), instalment of different types of environmental protection (e.g. fire alarm, fire extinguishing systems, air quality monitoring, protecting equipment against moisture, radiation monitoring, air conditioning), but also the use of clean rooms, fixing devices at their workplace or keeping documents and media under lock and key.

Security measures for software are integrity checks of the software supply chain, allowance of the installation of only tested and approved software and software supplier checks.

Network-specific security measures include setting up the network as a security zone or making use of separate task-specific networks.

Satellite-specific security measures are suitable frequency band management, communication with the satellite in several communication channels/media, encrypted communication, and detection of communication problems.

6 https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03184/BSI-TR-03184_part1.pdf?__blob=publicationFile&v=2



8. Conclusion

The IEEE Standards Association P3349 - Space System Cybersecurity Working Group⁷ is currently working on establishing international standardisation for space systems. For this purpose, the working group is divided into several subgroups, as shown in the following graph.

[Figure: subgroups of the working group: Space Segment, Link Segment, Ground Segment, User Segment, S2CY, Integration Layer]

Further resources:

• The paper⁸ summarises space security standardisation efforts
• SPARTA⁹
• ESA SPACE-SHIELD¹⁰

7 https://sagroups.ieee.org/3349/the-project/
8 https://australiancybersecuritymagazine.com.au/wp-content/uploads/2022/12/6.2022-4302-Int-space-standard.pdf
9 https://aerospacecorp.medium.com/sparta-cyber-security-for-space-missions-4876f789e41c
10 https://spaceshield.esa.int/



Both SPARTA and ESA SPACE-SHIELD are based on the MITRE ATT&CK® Matrix. Adversary tactics can be applied to several different fields, including space systems. Tactics are the adversary’s goal. They are the reason for performing an action. Tactics represent the “why” of an ATT&CK technique¹¹:

| ID | Name | Description |
|---|---|---|
| TA0043 | Reconnaissance | The adversary is trying to gather information they can use to plan future operations. |
| TA0042 | Resource Development | The adversary is trying to establish resources they can use to support operations. |
| TA0001 | Initial Access | The adversary is trying to get into your network. |
| TA0002 | Execution | The adversary is trying to run malicious code. |
| TA0003 | Persistence | The adversary is trying to maintain their foothold. |
| TA0004 | Privilege Escalation | The adversary is trying to gain higher-level permissions. |
| TA0005 | Defense Evasion | The adversary is trying to avoid being detected. |
| TA0006 | Credential Access | The adversary is trying to steal account names and passwords. |
| TA0007 | Discovery | The adversary is trying to figure out your environment. |
| TA0008 | Lateral Movement | The adversary is trying to move through your environment. |
| TA0009 | Collection | The adversary is trying to gather data of interest to their goal. |
| TA0011 | Command and Control | The adversary is trying to communicate with compromised systems to control them. |
| TA0010 | Exfiltration | The adversary is trying to steal data. |
| TA0040 | Impact | The adversary is trying to manipulate, interrupt, or destroy your systems and data. |

The SPACE-SHIELD (Space Attacks and Countermeasures Engineering Shield) is an ATT&CK®-like knowledge-base framework for space systems. It is a collection of adversary tactics and techniques and a security tool applicable in the space environment to strengthen security. It is composed of threats that are relevant to space systems, leveraging the available and related literature. The matrix is tailored to the space segment and communication links, but it does not address specific types of mission, maintaining a broad and general point of view. The matrix contains information for the following platforms: generic, none, space segment, ground segment, and space-link communication.

11 https://attack.mitre.org/tactics/enterprise/



TA0043 Reconnaissance (6 techniques)
• Active Scanning (RF/Optical) 4
• Gather Victim Mission Information 3
• Gather Victim Org Information 3
• In orbit proximity intelligence 6
• Passive Interception (RF/Optical) 4
• Phishing for Information 2

TA0042 Resource Development (4 techniques)
• Acquire or Build Infrastructure 4
• Compromise Account 1
• Compromise Infrastructure 2
• Develop/Obtain Capabilities 9

TA0001 Initial Access (5 techniques)
• Direct Attack to Space Communication Links 2
• Ground Segment Compromise 2
• Supply Chain Compromise 3
• Trusted Relationship 3
• Valid Credentials 3

TA0002 Execution (3 techniques)
• Modification of On Board Control Procedures modification
• Native API
• Payload Exploitation to Execute Commands

TA0003 Persistence (4 techniques)
• Backdoor Installation 5
• Key Management Infrastructure Manipulation 2
• Pre-OS Boot 1
• Valid Credentials 3

TA0004 Privilege Escalation (2 techniques)
• Become Avionics Bus Master
• Escape to Host 1

TA0005 Defense Evasion (4 techniques)
• Impair Defenses 1
• Indicator Removal on Host 1
• Masquerading
• Pre-OS Boot 1

Full Space Attacks and Countermeasures Engineering Shield (SPACE-SHIELD) with sub-techniques:
↗ https://spaceshield.esa.int



TA0006 Credential Access (4 techniques)
• Adversary in the Middle 1
• Brute Force 1
• Communication Link Sniffing 1
• Retrieve TT&C master/session keys 3

TA0007 Discovery (4 techniques)
• Key Management Policy Discovery
• Spacecraft's Components Discovery
• System Service Discovery
• Trust Relationships Discovery

TA0008 Lateral Movement (4 techniques)
• Compromise a Payload after compromising the main satellite platform
• Compromise of another partition in Time and Space Partitioning OS or other types of satellite hypervisors
• Compromise the satellite platform starting from a compromised payload
• Lateral Movement via common Avionics Bus

TA0093 Collection (2 techniques)
• Adversary in the Middle 2
• Data from link eavesdropping 3

TA0011 Command and Control (3 techniques)
• Protocol Tunnelling
• Telecommand a Spacecraft 3
• TT&C over ISL

TA0010 Exfiltration (5 techniques)
• Exfiltration Over Payload Channel
• Exfiltration Over TM Channel
• Optical link modification
• RF modification
• Side-channel exfiltration

TA0040 Impact (12 techniques)
• Data Manipulation 3
• Ground Segment Jamming 1
• Loss of spacecraft telecommanding 1
• Permanent loss to telecommand satellite 1
• Resource damage 7
• Resource Hijacking
• Saturation of Inter Satellite Links 1
• Saturation/Exhaustion of Spacecraft Resources 5
• Service Stop 2
• Spacecraft Jamming 3
• Temporary loss to telecommand satellite 1
• Transmitted Data Manipulation
