In the following article, discover the major advancements announced with the release of SPARTA v3.1: the addition of new NIST space segment guidance, the integration of MITRE EMB3D into the SPARTA framework by mapping TTPs, and the unveiling of an extended MITRE ATT&CK Flow builder supporting the SPARTA framework for aerospace security use cases.
SPARTA v3.1: A Major Leap for Space Cybersecurity
The recent release of SPARTA v3.1 marks a significant milestone in advancing cybersecurity for space missions and infrastructure. This update solidifies SPARTA’s role as the reference framework for identifying, mapping, and mitigating threats to spacecraft and space-enabled services.
New: Space Segment Guidance for NIST Controls
SPARTA v3.1 introduces dedicated guidance for applying NIST cybersecurity controls specifically to the space segment, including spacecraft payloads, buses, and specialized communication modules. This new layer helps organizations better map traditional NIST requirements to the unique risks and workflows of space assets, supporting compliance efforts for both government and commercial operators.
Integration with MITRE’s EMB3D: TTP Mapping
A pivotal enhancement is the integration and mapping of SPARTA’s Tactics, Techniques, and Procedures (TTP) to MITRE’s EMB3D threat model for embedded devices. By linking SPARTA TTPs with EMB3D’s taxonomy, security teams can coordinate countermeasures and risk assessments between space and embedded domains, offering unprecedented interoperability for spacecraft, ground, and IoT systems.
A MITRE ATT&CK Flow Builder fork that supports SPARTA
In parallel, Kevin Jahaziel Leon Morales and Romel Marin have expanded the MITRE ATT&CK Flow builder to natively incorporate the SPARTA framework. This enables automated and graphical creation of attack flows tailored to aerospace technologies and missions, boosting the analysis and simulation of realistic cyberattack scenarios based on SPARTA data.
Stronger Space Domain Resilience: The new NIST mapping brings formal cybersecurity maturity to satellite and mission assets.
Seamless Threat Modeling: The EMB3D integration bridges embedded and space system security, streamlining threat tracking and mitigation.
Operational Alignment: Enhanced tools like the ATT&CK Flow Builder empower red and blue teams to simulate, document, and strengthen defenses based on real-world tactics.
Community Growth: These changes reflect the continued collaboration between aerospace stakeholders and leading threat intelligence bodies to keep space assets secure in an evolving threat landscape.
SPARTA v3.1 stands as a robust, forward-looking framework that helps the aerospace community translate cutting-edge threat information into actionable defenses for the vital missions of tomorrow.
Please be informed that the analysis detailed in this article is entirely separate from the hacking experiment conducted by the Thales team on the satellite.
Both activities are independent of each other and were carried out by different teams. There is no association between me and the team that conducted the hacking experiment.
This work is conducted on a personal basis and is independent of my work at Thales. Thales is in no way involved in this work and cannot be held responsible for it under any circumstances.
All slides embedded in this article are public slides presented by Thales during the CYSAT 2023 conference and available in the Youtube video which presents the Thales experiment.
Purpose of the article
This article is part of a series of articles on the analysis of the Thales satellite hacking demo at CYSAT 2023 with the METEORSTORM™ framework and the AI-CoPilot.
Recently, I discovered the METEORSTORM™ framework built by EthicallyHackingspace (eHs)®. I was lucky to be offered a preview of how to use this new framework by participating in and successfully completing a challenge exam which is still in beta version. The success of this exam allowed me to obtain the certification: Full Spectrum Space Cybersecurity Professional (SCOR Practitioner).
As I now know how to use the METEORSTORM™ framework correctly, I propose to show, in this series of articles, how I used the METEORSTORM™ and its AI Copilot to:
break down the Thales satellite hacking demo at CYSAT 2023,
design the Threat Model with known and theoretical attack paths,
record resilience and possible counter measures,
identify detection measures,
model Indicators of Compromise (IoC) and Recovery Resilience for the Incident Response Preparation phase.
Brandon Bailey and Brad Roeher from the SPARTA team already did an analysis of the Thales satellite hacking demo (summarized in this article, full article here) but with the SPARTA framework.
On my side, I have also already conducted an analysis of the Thales satellite hacking demonstration (full article here) but using the MITRE EMB3D™ framework.
The goal with this series of articles is to go further by using METEORSTORM™, a modeling and analytic framework purpose-built to assess and enhance resilience across converged space systems.
Hacking demo at CYSAT 2023: what was the point again
To know more about the Thales hacking demo at CYSAT 2023, I encourage you to visit the following pages here, here and here, where the results of the ethical satellite hacking exercise are detailed.
What is OPS-SAT
To know more about OPS-SAT, a small, CubeSat-class satellite developed by the European Space Agency (ESA) to serve as a testbed for innovative software, systems, and operational concepts in space, I encourage you to visit the following page here.
What is METEORSTORM™
METEORSTORM™ stands for Multiple Environment Threat Evaluation of Resources, Space Threats, and Operational Risks to Missions.
METEORSTORM™ is a modeling and analytic framework purpose-built to assess and enhance resilience across converged space systems. Its core strengths include:
Layered decomposition across physical environments, system segments, services, and assets.
Analytic enrichment drawing from leading frameworks (e.g., MITRE ATT&CK™, D3FEND™, CAPEC™, ATLAS™, FIGHT™, EMB3D™, ESA Space Shield, Aerospace SPARTA, NIST SP 800-160 Vol. 1 & Vol. 2, and NIST SP 800-53).
Support for hybrid architectures, including terrestrial, aquatic, aerial, orbital, and deep space domains.
The METEORSTORM™ framework is accompanied by an AI Co-Pilot platform. The AI Co-Pilot is an evolving assistant that guides real-time analysis and decomposition workflows.
The METEORSTORM™ framework is executed through six strict functions, each dependent on the prior, forming a traceable and enforced modeling sequence:
Function One – Concept of Operations (CONOPS): Models the nominal state of a space platform by enforcing layered decomposition: PCE (Primary Capability Environment), SEG (Segment), SVC (Service), AST (Asset), AN (Analytic Enrichment).
Function Two – Threat Model: Models known/theoretical attack paths (AN: ATT) and resilience measures (AN: RES).
Function Three – Detection Engineering: Transforms threats into detection logic using AN: DET and AN: IOA.
Function Four – Incident Response Preparation: Models Indicators of Compromise (AN: IOC) and Recovery Resilience (AN: RES).
Function Five – Adversary Management: Overlays real or theoretical adversaries onto defined behaviors.
Function Six – Commercial Hybrid Warfare Attribution: Final function. Attributes actions to dual-use or commercial actors.
EthicallyHackingspace (eHs)® is working on launching a certification portal in a few months. In the upcoming weeks a few other community professionals will be invited to participate in the exam challenge process until it is finalized in August.
To know more about the METEORSTORM™ framework, check our article here.
Analysis of OPS-SAT with Function One – Concept of Operations (CONOPS)
At this stage, we will model the OPS-SAT platform by decomposing it into its environment, segments, services, and assets to establish a traceable baseline before introducing threats.
Technical Features of OPS-SAT overview
ARM-based onboard computer with 10× the power of standard ESA satellite computers.
Reconfigurable software platform, allowing remote code uploads and flexible updates.
Includes:
Camera with high-resolution imagery.
GPS receiver.
S-band and UHF radios.
AI processing onboard, and support for satellite cybersecurity research
Full decomposition of OPS-SAT is described in the following article
Below is the full METEORSTORM™ decomposition for OPS-SAT based on Function One: Concept of Operations (CONOPS) — fully compliant with the strict taxonomy, sequencing, and validation rules defined in the framework.
Layer | Entry
PCE | PCE: OR: Orbital: 00: LEO: Low Earth Orbit operational environment for technology demonstration (mission duration: launched 18 Dec 2019, deorbited 22 May 2024)
AST | AST: CI: Communications: 02: UHF Backup Link: Redundant link for telemetry & commands
AST | AST: SO: Software: 00: Remote Experiment Execution Stack: Software interface for executing uploaded experiments from ESA or external contributors
AST | AST: SI: Signal: 00: S-Band Uplink Receiver: Signal channel used for command uplink and experimental software transfer
AST | AST: DA: Data: 00: Onboard Experiment & Telemetry Logs: Operational data and telemetry captured from experimental runs for downlink and analysis
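As an added example (not part of the original article and not code from the METEORSTORM™ framework or eHs), the following Python parser reads entries written in the colon-separated form used in the table above and applies a few structural checks. The field order, the layer list and the category codes are inferred from the entries on this page rather than from an official grammar, and the cross-entry rules (unique identifiers, analytic entries requiring a PCE root) are assumptions.

```python
"""Parser and structural validator for METEORSTORM-style entries as written on
this page. Entry shape inferred from the examples above (not an official grammar):
    LAYER: CODE: Category: NN: Title[: Description]
Added example; every rule below is an assumption drawn from the page's entries."""
import re
from dataclasses import dataclass
from typing import Optional

# Layers listed in the Function One description, in decomposition order.
LAYERS = ("PCE", "SEG", "SVC", "AST", "AN")

# Category codes that appear on this page only (assumed partial list).
KNOWN_CODES = {
    "PCE": {"OR"},
    "AST": {"CI", "SO", "SI", "DA", "HA"},
    "AN": {"ATT", "RES", "DET", "IOA", "IOC"},
}

TWO_DIGIT_INDEX = re.compile(r"^\d{2}$")


@dataclass(frozen=True)
class Entry:
    layer: str
    code: str
    category: str
    index: str
    title: str
    description: Optional[str]

    @property
    def ident(self) -> str:
        """Compact traceable identifier, e.g. 'AST:CI:02'."""
        return f"{self.layer}:{self.code}:{self.index}"


def parse_entry(line: str) -> Entry:
    """Split one entry into fields. Only the first five separators matter, so a
    description may itself contain ': ' (the PCE entry's '(mission duration:
    launched ...)' does); titles are assumed not to."""
    parts = line.strip().split(": ", 5)
    if len(parts) < 5:
        raise ValueError(f"expected at least 5 fields: {line!r}")
    layer, code, category, index, title = parts[:5]
    description = parts[5] if len(parts) == 6 else None
    if layer not in LAYERS:
        raise ValueError(f"unknown layer {layer!r}: {line!r}")
    if layer in KNOWN_CODES and code not in KNOWN_CODES[layer]:
        raise ValueError(f"unknown code {code!r} for layer {layer}: {line!r}")
    if not TWO_DIGIT_INDEX.match(index):
        raise ValueError(f"index must be two digits, got {index!r}: {line!r}")
    return Entry(layer, code, category, index, title, description)


def validate_model(lines):
    """Parse every line and apply the assumed cross-entry rules: identifiers are
    unique, and analytic (AN) entries require a PCE root because Function Two
    builds on the Function One decomposition. Returns (entries, problems)."""
    entries, problems, seen = [], [], set()
    for line in lines:
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if entry.ident in seen:
            problems.append(f"duplicate identifier {entry.ident}")
        seen.add(entry.ident)
        entries.append(entry)
    if any(e.layer == "AN" for e in entries) and not any(e.layer == "PCE" for e in entries):
        problems.append("AN entries present but no PCE root entry")
    return entries, problems


# Entries quoted from the tables on this page, plus two constructed bad lines.
SAMPLE_LINES = [
    "PCE: OR: Orbital: 00: LEO: Low Earth Orbit operational environment for "
    "technology demonstration (mission duration: launched 18 Dec 2019, deorbited 22 May 2024)",
    "AST: CI: Communications: 02: UHF Backup Link: Redundant link for telemetry & commands",
    "AST: SO: Software: 00: Remote Experiment Execution Stack: Software interface for "
    "executing uploaded experiments from ESA or external contributors",
    "AN: ATT: Attack Path: 02: Privilege Escalation via CAN Bus Interface",
    "AST: XX: Unknown: 00: Bad Code: constructed invalid entry",
    "AST: CI: Communications: 2: UHF Backup Link: constructed one-digit index",
]

if __name__ == "__main__":
    entries, problems = validate_model(SAMPLE_LINES)
    for e in entries:
        print(e.ident, "-", e.title)
    for p in problems:
        print("PROBLEM:", p)
```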
Analysis of Thales hacking demo with Function Two – Threat Model (using attack paths AN: ATT only)
In this article, we deconstruct the Thales experiment with METEORSTORM™ Function Two – Threat Model, restricted to attack paths modeled with AN: ATT elements.
In the next article, we will complete METEORSTORM™ Function Two – Threat Model with resilience measures using AN: RES elements.
In the other articles of this series, we will complete this analysis and build a full threat model by adding the remaining functions of the METEORSTORM™ framework:
Function Two – Threat Model: resilience measures using AN: RES elements.
Function Three – Detection Engineering: Transforms threats into detection logic using AN: DET and AN: IOA.
Function Four – Incident Response Preparation: Models Indicators of Compromise (AN: IOC) and Recovery Resilience (AN: RES).
Function Five – Adversary Management: Overlays real or theoretical adversaries onto defined behaviors.
Function Six – Commercial Hybrid Warfare Attribution: Final function. Attributes actions to dual-use or commercial actors.
The figure below shows a summary of the full attack flow used by the Thales team to conduct the attack on OPS-SAT.
Figure 4: Summary of the full attack flow (Slide courtesy Thales Group)
Since the Thales OPS-SAT attack is multi-stage, we can model each phase as its own discrete AN: ATT element. This approach aligns with the METEORSTORM™ enforcement model and supports full traceability for detection and resilience mapping.
Here is the full, six-stage multi-vector attack path (AN: ATT: 00–05) for the OPS-SAT satellite hacking scenario. Each stage includes:
To introduce the compromised or flawed software onto the spacecraft, the team needed to bypass security checks and evaluations. To achieve their objective, they introduced a deserialization vulnerability into the software, enabling defensive mechanism evasion and potential exploitation for executing arbitrary commands.
Figure 5: The Deserialization Vulnerability (Slide courtesy Thales Group)
With the METEORSTORM™ framework, this translates to:
Once the insecure deserialization was in place, the team uploaded malicious code through the deserialization vulnerability to modify the application-level binaries on the remote device, introducing unauthorized code and executing arbitrary commands on the remote system.
Step 3: Privilege escalation via the CAN bus (AN: ATT: 02 – Privilege Escalation via CAN Bus)
At this stage, their app runs as an unprivileged Linux user and has no direct access to the sensors, only indirect access through the supervisor. Their objective is now to find system configuration issues or vulnerabilities that allow a privilege escalation from user to root.
They identified that anyone can talk on the CAN bus, including unprivileged apps, and that every command sent on the CAN bus is executed as root: the client that decodes the commands runs as root and executes whatever command it receives.
Figure 8: Taking Control – Privilege Escalation from User to Root (Slide courtesy Thales Group)
With the METEORSTORM™ framework, this translates to:
Layer | Entry
AN | AN: ATT: Attack Path: 02: Privilege Escalation via CAN Bus Interface
Description | Experiment abuses unsecured access to the CAN bus to issue root-level commands, bypassing the sandbox.
At this stage, the app runs as root. The team now needed to ensure persistent effects on the sensors. They identified a jar library on the supervisor that is writable by the root user. A jar is simply a zip file containing compiled Java bytecode. The team crafted bytecode based on the original and simply replaced some files inside the jar; the supervisor now runs the jar containing the malicious bytecode.
Figure 10: Persistence – Injection of a Jar Library (Slide courtesy Thales Group)
With the METEORSTORM™ framework, this translates to
Step 6: Other potential effects (not demonstrated)
When adversaries target a spacecraft, their primary goal is often to disrupt the mission. This disruption can involve compromising imagery, intercepting signals, or other mission-critical functions. Thales Group demonstrated this by successfully manipulating the payload data transmitted from the spacecraft. They also identified additional potential impacts that could occur if attackers gain further access and maintain their presence, though these were not carried out. With root access and ongoing control, the range of possible attacks becomes virtually unlimited.
They could alter/delete all images captured by the camera
They could override satellite attitude requested by other apps
This also provides persistence for the malicious code since the supervisor starts early and is almost always running
Figure 12: Other Potential Effects (Slide courtesy Thales Group)
With the METEORSTORM™ framework, this translates to:
Layer | Entry
AN | AN: ATT: Attack Path: 05: Other potential effects (not demonstrated)
Description | Thales Group also identified additional potential impacts that could occur if attackers gain further access and maintain their presence, though these were not carried out.
ID | Stage | Mapped TTPs and threats | Asset
ATT:02 | Privilege Escalation | Privilege Escalation via CAN Bus (EX-0009.02, LM-0002, T1548, TID-114/412/204/219) | AST: HA: ARM-Based Computer
ATT:03 | Persistence | Persistence via Reverse Shell (PER-0002.02, TID-304/305/203/202/307/308) | AST: SO: Experiment Execution
ATT:04 | Impact | Camera/ADCS tampering (EX-0007.02) | AST: HA: ADCS, GPS, Optical Sensors
ATT:05 | Other potential effects | Modeled Additional Impacts like Eavesdropping, Deception (EX-0012.08, EX-0012.09, EXF-0003, IMP-0001) | AST: DA, SI, HA (SDR & Optics)
Next steps to go further
After modeling the nominal state of the OPS-SAT platform with Function One – Concept of Operations (CONOPS) and after Threat Modeling the system with known and theoretical attack paths, the next step of this series of articles is to record resilience measures.
At the end of this series, we will present the advantages of the METEORSTORM™ framework for a Satellite System. We will summarize the key benefits of applying this approach to space assets. We will consolidate our findings, highlight the added value of the METEORSTORM™ framework, and provide practical insights for system designers, cybersecurity architects, and mission planners.
Acknowledgments
Many thanks to ESA, to the CYSAT conference and to the Thales team for making this experiment possible, and for making it so enriching for the community.
A big thank you also to the SPARTA team, who inspired this article and contribute to strengthening the cybersecurity of satellites and space systems.
Congratulations to the ethicallyHackingspace (eHs)® team and William Ferguson for this amazing work!
I’m very proud to have successfully taken up a new challenge exam in beta version about METEORSTORM™ framework which allowed me to obtain the certification: Full Spectrum Space Cybersecurity Professional (SCOR Practitioner).
Completing the METEORSTORM™ module ensures that I can be part of a work role that is responsible for platform decomposition and analysis to understand and break down space platforms, identifying exposure and developing resilience measures. It also involves preparing Space Collective Defense solutions focused on Collective Development, Research, and Response. Furthermore, this role directly supports organizational and communal efforts in space platform Threat Management, Resilience Engineering, and Breach Management.
EthicallyHackingspace (eHs)® is working on launching a certification portal in a few months.
In the upcoming weeks a few other community professionals will be invited to participate in the exam challenge process until it is finalized in August.
I was lucky to be offered a preview of this new portal and this new challenge exam.
The METEORSTORM™ AI assistant is also beneficial for:
Students studying space and cyber convergence.
Researchers analyzing resilience strategies for next-gen missions.
Security-minded technologists modeling exposure, risk, and mitigation.
METEORSTORM™ framework is amazing. The EthicallyHackingspace (eHs)® team did a great job. I had a lot of fun using the METEORSTORM framework in the challenge exam. METEORSTORM™ is very simple to use and the results are very useful, valuable and actionable.
The model spans multiple domains, including:
Drones (terrestrial, aquatic, orbital, deep space)
Aquatic systems (beacons, transoceanic cables)
Hybrid terrestrial–orbital–aerial platforms
The model allows:
Threat modeling & emulation
Hybrid warfare scenario analysis
Resilience & detection signature engineering
METEORSTORM Cheat Sheet
To know more
You can access the public version of the decomposition and analytic AI-Copilot platform, now open beyond the eHs FS-SCP™ community.
The AI Co-Pilot is an evolving assistant that guides real-time analysis and decomposition workflows.
Purpose of the article
In this article, I show how I used the MITRE EMB3D™ Threat Model to break down the Thales satellite hacking demo at CYSAT 2023, identify key lessons learned, and record possible countermeasures.
Brandon Bailey and Brad Roeher from the SPARTA team already did an analysis of the Thales satellite hacking demo (summarized in this article, full article here) but with the SPARTA framework. You can access the SPARTA portal here.
The goal with this article is to go further by using the MITRE EMB3D™, a Threat Model for embedded systems, to identify threats and possible associated countermeasures.
Important Note
Before we dive in, I want to clarify an important distinction between threats and vulnerabilities.
Threat modeling tools focus on identifying threats, which are potential risks that could be exploited by an attacker. Vulnerabilities, on the other hand, are specific weaknesses in a system that can be exploited.
In this analysis, it turns out that the threats identified by the threat model were actual vulnerabilities, as they could be exploited by the team.
Hacking demo at CYSAT 2023: what was the point again
For the third edition of CYSAT, the European event entirely dedicated to cybersecurity for the space industry, taking place on 26-27 April 2023 at Station F in Paris, the European Space Agency (ESA) set up a satellite test bench to simulate attempts to seize control of OPS-SAT, a nanosatellite operated by the agency for demonstration purposes.
Thales’s offensive cybersecurity team stepped up to the challenge, identifying vulnerabilities that could enable malicious actors to disrupt operation of the ESA satellite.
Figure 1: Thales Cyber Security Experiment Context (Slide courtesy The European Space Agency).
The results of the ethical satellite hacking exercise, the first of its kind in the world, will be used to tighten security for the satellite and its onboard applications, helping to improve the cyber resilience of space systems, protect sensitive data and support the long-term success of space programs.
To know more about the Thales Demo in video
What is OPS-SAT
OPS-SAT is a small, CubeSat-class satellite developed by the European Space Agency (ESA) to serve as a testbed for innovative software, systems, and operational concepts in space.
From a cybersecurity perspective, OPS-SAT represents a critical platform for experimenting with and addressing the unique challenges of securing space-based assets.
Figure 2: What is the OPS-SAT Space Lab? (Slide courtesy The European Space Agency).
What is MITRE EMB3D™ Threat Model
EMB3D™ is a cybersecurity threat model released by MITRE in May 2024 and dedicated to embedded devices.
EMB3D is aligned with and expands on several existing models, including Common Weakness Enumeration, MITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.
Figure 3: The MITRE EMB3D™ Threat Model (figure courtesy The MITRE Corporation).
Each threat description includes a set of Foundational, Intermediate, and Leading mitigations. These mitigations provide guidance on which technical mechanisms can best prevent or reduce the risk of that threat.
For each threat, EMB3D will suggest technical mechanisms that vendors should build into the device to mitigate the given threat. EMB3D is a comprehensive framework for the entire security ecosystem—device vendors, asset owners, security researchers, and testing organizations.
To know more about the MITRE EMB3D™ Cybersecurity Threat Model for Embedded Devices, check our article here.
Analysis of the Thales OPS-SAT hacking Attack Chain
The figure below shows a summary of the full attack flow used by the Thales team to conduct the attack on OPS-SAT.
Figure 4: Summary of the full attack flow (Slide courtesy Thales Group)
Step 1: Unsafe Java deserialization
To introduce the compromised or flawed software onto the spacecraft, the team needed to bypass security checks and evaluations. To achieve their objective, they introduced a deserialization vulnerability into the software, enabling defensive mechanism evasion and potential exploitation for executing arbitrary commands.
Figure 5: The Deserialization Vulnerability (Slide courtesy Thales Group)
The insecure deserialization threat is documented in the EMB3D Threat Model with the following Threat ID (TID) and Properties ID (PID):
Once the insecure deserialization was in place, the team uploaded malicious code through the deserialization vulnerability to modify the application-level binaries on the remote device, introducing unauthorized code and executing arbitrary commands on the remote system.
The ability to modify application-level binaries and to install an untrusted application on a remote system is documented in the EMB3D Threat Model with the following threat IDs and property IDs:
Table 2: Identified threats for the step 2 (Applications Binaries Modified)
Step 3: Privilege escalation via the CAN bus
At this stage, their app runs as an unprivileged Linux user and has no direct access to the sensors, only indirect access through the supervisor. Their objective is now to find system configuration issues or vulnerabilities that allow a privilege escalation from user to root.
They identified that anyone can talk on the CAN bus, including unprivileged apps, and that every command sent on the CAN bus is executed as root: the client that decodes the commands runs as root and executes whatever command it receives.
Figure 8: Taking Control – Privilege Escalation from User to Root (Slide courtesy Thales Group)
The ability to escalate privileges is documented in the EMB3D Threat Model with the following threat IDs and property IDs:
PID-23221: Device includes and enforces OS user accounts
Table 3: Identified threats for the step 3 (Privilege escalation via the CAN Bus)
Figure 9: Taking Control – Arbitrary Code Execution as Root (Slide courtesy Thales Group)
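As an added example for the Step 3 passages in both analyses on this page (not code from Thales, ESA or OPS-SAT), the following Python sketch shows the shape of a bus-facing command handler that removes the flaw described above: only a fixed set of opcodes is dispatchable, arguments are bounds-checked, and every other frame is recorded as an indicator of attack (the AN: IOA element of Function Three) instead of being executed. The frame layout, arbitration id and opcodes are constructed for the illustration.

```python
"""Allowlisted CAN command handler with detection events (added example).
Replaces the pattern described in Step 3, where a root client decodes and runs
whatever arrives on the bus. Frame layout is constructed for this illustration:
    byte 0      opcode
    bytes 1..7  opcode-specific arguments"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COMMAND_ID = 0x123          # constructed: the only arbitration id commands are accepted on
MAX_ATTITUDE_TENTHS = 1800  # +/-180.0 degrees, encoded as int16 tenths of a degree


@dataclass(frozen=True)
class CanFrame:
    arb_id: int
    data: bytes


@dataclass
class PayloadState:
    camera_enabled: bool = False
    attitude_tenths: Tuple[int, int, int] = (0, 0, 0)


@dataclass
class Detector:
    """Collects AN: IOA style events for every frame the handler refuses."""
    events: List[str] = field(default_factory=list)

    def ioa(self, frame: CanFrame, reason: str) -> None:
        self.events.append(f"IOA id=0x{frame.arb_id:03x} data={frame.data.hex()} {reason}")


def op_camera(state: PayloadState, args: bytes) -> str:
    """Opcode 0x01: one argument byte, 0 = off, 1 = on."""
    if len(args) < 1 or args[0] not in (0, 1):
        raise ValueError("camera flag must be 0 or 1")
    state.camera_enabled = bool(args[0])
    return "camera on" if state.camera_enabled else "camera off"


def op_attitude(state: PayloadState, args: bytes) -> str:
    """Opcode 0x02: roll, pitch, yaw as big-endian int16 tenths of a degree."""
    if len(args) < 6:
        raise ValueError("attitude needs 6 argument bytes")
    rpy = struct.unpack(">hhh", args[:6])
    if any(abs(v) > MAX_ATTITUDE_TENTHS for v in rpy):
        raise ValueError("attitude out of range")
    state.attitude_tenths = rpy
    return f"attitude set to {rpy}"


# The complete set of requests the bus may make; bus content is never passed to a
# shell or interpreter. Run the handler itself as a dedicated low-privilege user so
# that a bug here does not turn back into the root-on-the-bus problem.
HANDLERS = {0x01: op_camera, 0x02: op_attitude}


def handle_frame(state: PayloadState, frame: CanFrame, det: Detector) -> Optional[str]:
    """Dispatch one frame; returns the handler result, or None when refused."""
    if frame.arb_id != COMMAND_ID:
        det.ioa(frame, "command on unexpected arbitration id")
        return None
    if not frame.data:
        det.ioa(frame, "empty command frame")
        return None
    handler = HANDLERS.get(frame.data[0])
    if handler is None:
        det.ioa(frame, f"unknown opcode 0x{frame.data[0]:02x}")
        return None
    try:
        return handler(state, frame.data[1:])
    except ValueError as exc:
        det.ioa(frame, f"rejected arguments: {exc}")
        return None


# Constructed traffic: two valid commands followed by three that must be refused.
SAMPLE_FRAMES = [
    CanFrame(COMMAND_ID, bytes([0x01, 0x01])),
    CanFrame(COMMAND_ID, bytes([0x02]) + struct.pack(">hhh", 100, -250, 900)),
    CanFrame(COMMAND_ID, bytes([0x7F, 0x00])),                              # no such opcode
    CanFrame(COMMAND_ID, bytes([0x02]) + struct.pack(">hhh", 5000, 0, 0)),  # out of range
    CanFrame(0x456, bytes([0x01, 0x01])),                                   # wrong id
]


def run(frames) -> Tuple[PayloadState, Detector, List[Optional[str]]]:
    state, det = PayloadState(), Detector()
    results = [handle_frame(state, f, det) for f in frames]
    return state, det, results


if __name__ == "__main__":
    state, det, results = run(SAMPLE_FRAMES)
    print(results)
    print("\n".join(det.events))
```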
Step 4: Persistence
At this stage, the app runs as root. The team now needed to ensure persistent effects on the sensors. They identified a jar library on the supervisor that is writable by the root user. A jar is simply a zip file containing compiled Java bytecode. The team crafted bytecode based on the original and simply replaced some files inside the jar; the supervisor now runs the jar containing the malicious bytecode.
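As an added detection-side example for the Step 4 passages in both analyses on this page (not code from Thales, ESA or the EMB3D project), the following Python snippet treats a jar as the zip archive it is, fingerprints every member and diffs the result against a trusted baseline so that a replaced class file is reported by name. The jar contents and paths are constructed placeholders; signed jars verified at load time are the preventive control this complements.

```python
"""Per-member integrity baseline for jar libraries (added example).
A jar is a zip archive, so hashing each member rather than the whole file
pinpoints which class or resource was swapped, the tampering pattern described
in Step 4. Member names and contents below are constructed placeholders."""
import hashlib
import io
import zipfile
from typing import Dict, List


def jar_digests(jar_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every non-directory member, keyed by its path inside the jar."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify members as modified, added or removed relative to the trusted baseline."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def build_jar(members: Dict[str, bytes]) -> bytes:
    """Constructed helper: pack {path: content} into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Placeholder "bytecode": the class-file magic followed by filler, not a compiled class.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

TRUSTED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Supervisor.class": CLASS_MAGIC + b"original supervisor logic",
    "org/example/SensorBridge.class": CLASS_MAGIC + b"original sensor bridge",
})

# The same jar after the Step 4 pattern: one member replaced, one member added.
TAMPERED_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Supervisor.class": CLASS_MAGIC + b"patched supervisor logic",
    "org/example/SensorBridge.class": CLASS_MAGIC + b"original sensor bridge",
    "org/example/Hook.class": CLASS_MAGIC + b"added class",
})


def audit(jar_bytes: bytes, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Fingerprint a deployed jar and diff it against the recorded baseline."""
    return compare_to_baseline(baseline, jar_digests(jar_bytes))


if __name__ == "__main__":
    baseline = jar_digests(TRUSTED_JAR)  # recorded at build or deploy time
    print("trusted copy clean:", is_clean(audit(TRUSTED_JAR, baseline)))
    print("deployed copy:", audit(TAMPERED_JAR, baseline))
```

Because the digests cover member contents rather than the archive bytes, a repack that only changes zip timestamps or compression does not raise a false alarm.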
Figure 10: Persistence – Injection of a Jar Library (Slide courtesy Thales Group)
The ability to manipulate the runtime environment, to modify system components and to modify native libraries of the operating system is documented in the EMB3D Threat Model with the following threat IDs and property IDs:
The figure below shows the result of the analysis of the Thales experiment conducted by Brandon Bailey and Brad Roeher with the SPARTA framework (you can access the SPARTA portal here). In this figure, they show the full attack chain overlaid with SPARTA TTPs and associated countermeasures (full article of their analysis here).
Figure 14: The full attack chain overlaid with SPARTA TTPs and associated countermeasures. (Slide courtesy Thales Group and SPARTA Team)
In the rest of this article, I propose to identify a list of associated mitigations proposed by EMB3D Threat Model.
About Associated Mitigations in the EMB3D Threat Model
In light of the various threats we have identified, we outline below a list of associated mitigations proposed by EMB3D Threat Model.
Mitigation tiers
These mitigations vary in effectiveness and in the difficulty of implementing them.
Mitigation tiers (foundational/intermediate/leading) are intended to help better understand how to assess the challenge of deploying mitigations and better strategize and prioritize efforts to add additional mitigations or technologies to address threats.
Table 6: List of Mitigation Tiers in the MITRE EMB3D threat model
ISA/IEC 62443-4-2 Mappings
ISA is the International Society of Automation. ISA/IEC 62443 is the applicable standard for cybersecurity of OT and ICS (IACS). Each associated mitigation is mapped with the ISA/IEC 62443-4-2.
Table 10: Identified mitigations for the step 4 (Persistence)
The Advantages of the EMB3D Threat Model for a Satellite System
The EMB3D threat model enables the prioritization of mitigations through categorization into levels (fundamental, intermediate, advanced). This allows for a gradual implementation.
The EMB3D threat model is aligned with standards. The mitigations are mapped to the security controls specified in the ISA/IEC 62443-4-2 standard for industrial control systems.
The EMB3D threat model is complementary to the SPARTA framework. It helps propose additional mitigations, making it possible to create a consolidated list of security measures.
Next steps to go further
After identifying the mitigations and countermeasures proposed by the EMB3D threat model, here are the next steps you can take.
The next step in the study will be to verify if the countermeasures proposed by the EMB3D threat model can be embedded on the OPS-SAT system and can effectively prevent all the actions carried out by the team.
The next step can be also to develop an implementation plan and a roadmap to implement the selected mitigations, considering technical and operational constraints.
We could also do a comparative analysis of the mitigations proposed by the EMB3D threat model and the SPARTA framework to check their relevance and to identify overlaps and differences. This will make it possible to create a consolidated list of security measures.
Acknowledgments
Many thanks to ESA, to the CYSAT conference and to the Thales team for making this experiment possible, and for making it so enriching for the community.
A big thank you also to the SPARTA team, who inspired this article and contribute to strengthening the cybersecurity of satellites and space systems.
In the complex landscape of modern cybersecurity, understanding the intricate mechanisms of sophisticated cyber attacks has become paramount.
On February 24, 2022, Viasat, a global communications company, fell victim to a significant cyber attack that disrupted satellite internet services across Europe. This incident highlighted the vulnerabilities in critical infrastructure and the need for advanced threat modeling tools.
As part of a previous study, the work of which you can read in this article, I did an analysis of the Viasat cyber attack with the MITRE ATT&CK® framework.
To go further, in this article I conducted an in-depth analysis of the attack using the Attack Flow Builder, a cutting-edge tool developed by MITRE Engenuity’s Center for Threat-Informed Defense.
About the Viasat hack in brief
The Viasat hack was a cyberattack on American communications company Viasat affecting their KA-SAT network, on 24 February, 2022.
Thousands of Viasat modems were hacked in a "deliberate … cyber event". Thousands of customers in Europe were without internet for a month afterwards. During the same time, remote control of 5,800 wind turbines belonging to Enercon in Central Europe was affected.
According to Viasat, the attacker used a poorly configured virtual private network appliance to gain access to the trusted management part of the KA-SAT network. The attackers then issued commands to overwrite part of the flash memory in modems, making them unable to access the network, but not permanently damaged. The satellite itself and its ground infrastructure were not directly affected.
About the Attack Flow Builder Tool
Example of Attack Flow Builder
The Attack Flow Builder is an online tool designed by MITRE Engenuity’s Center for Threat-Informed Defense to visualize and analyze complex attack sequences. It allows cybersecurity professionals to model adversary behaviors, providing a comprehensive view of how attackers achieve their objectives.
The key features of the Attack Flow Builder include:
Visual representation of attack sequences
Integration with the MITRE ATT&CK framework
Collaborative sharing capabilities
Support for various use cases, from threat intelligence to defensive planning
I compared the 4 frameworks that can be used for the space sector: MITRE ATT&CK, SPARTA, SPACE-SHIELD and TREKS.
I explained why I chose the MITRE ATT&CK framework.
I identified the Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK® framework that were used by the hackers.
I mapped them on the MITRE ATT&CK® Navigator in order to obtain the complete attack chain.
Table showing all TTPs used during the Viasat Attack and mapped on the MITRE ATT&CK Navigator
Using results of this work, I created a detailed model of the Viasat cyber attack.
Threat Model showing all TTPs used during the Viasat Attack
I then used the Attack Flow Builder to deconstruct the Viasat cyber attack, tracing each stage of the intrusion. By systematically documenting the initial access vector, tracking lateral movement within the network, and visualizing the execution of the malicious firmware update, I created a detailed forensic map of the attack’s progression.
Results of the Modeling of the Viasat Attack with the Attack Flow Builder
The original file in full size can be found below.
Viasat Attack Threat Modeling with the MITRE Attack Flow Builder
Downloading and sharing the project files
The format used for creating and editing in the Attack Flow Builder is the AFB builder format (.afb). The AFB file below can be used to reopen the project for further editing.
The machine-readable format for exchanging flows is JSON (.json). The JSON file below can be used for exchanging, publishing and processing Attack Flows.
The PNG format is used to save an image of the flow. This format is convenient for visualizing the flow, using it in presentations, sharing it with others, etc.
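As an added example (not the author's files nor the Attack Flow project's own code), here is a small Python reader for the JSON exchange format: it walks an Attack Flow STIX 2.1 bundle from the flow's start_refs along effect_refs, returns the ordered technique chain and reports dangling references, which is the first check a defender wants before processing a flow someone else published. The bundle is constructed to mirror the three steps described above, the technique mapping is an assumed illustration, and the field names (attack-flow, attack-action, start_refs, effect_refs, technique_id) follow the Attack Flow extension as I know it.

```python
"""Walk an Attack Flow JSON bundle (STIX 2.1) and extract the action chain.

Constructed sample modelled on the Viasat incident as described above; the
technique IDs are an assumed illustrative mapping, not the article's own.
"""
import json
from collections import deque

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-flow", "id": "attack-flow--00000000-0000-4000-8000-000000000010",
         "spec_version": "2.1", "name": "Viasat KA-SAT (constructed sample)",
         "scope": "incident",
         "start_refs": ["attack-action--00000000-0000-4000-8000-000000000011"]},
        {"type": "attack-action", "id": "attack-action--00000000-0000-4000-8000-000000000011",
         "name": "Access via misconfigured VPN appliance", "technique_id": "T1133",
         "effect_refs": ["attack-action--00000000-0000-4000-8000-000000000012"]},
        {"type": "attack-action", "id": "attack-action--00000000-0000-4000-8000-000000000012",
         "name": "Move into trusted management segment", "technique_id": "T1021",
         "effect_refs": ["attack-action--00000000-0000-4000-8000-000000000013"]},
        {"type": "attack-action", "id": "attack-action--00000000-0000-4000-8000-000000000013",
         "name": "Issue commands overwriting modem flash", "technique_id": "T1495",
         # deliberately dangling reference, to show the validation path
         "effect_refs": ["attack-action--00000000-0000-4000-8000-00000000dead"]},
    ],
})


def load_flow(text):
    """Parse the bundle and index every object by its STIX id."""
    bundle = json.loads(text)
    objects = {o["id"]: o for o in bundle.get("objects", [])}
    flows = [o for o in objects.values() if o["type"] == "attack-flow"]
    if len(flows) != 1:
        raise ValueError("expected exactly one attack-flow object")
    return flows[0], objects


def walk_actions(text):
    """Breadth-first walk from start_refs along the flow's edges.

    Returns (ordered technique ids, dangling reference ids). The visited set
    guards against cycles, which a hand-edited flow can contain.
    """
    flow, objects = load_flow(text)
    ordered, dangling, seen = [], [], set()
    queue = deque(flow.get("start_refs", []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        obj = objects.get(ref)
        if obj is None:          # referenced id is absent from the bundle
            dangling.append(ref)
            continue
        if obj["type"] == "attack-action":
            ordered.append(obj.get("technique_id", "?"))
        # actions/operators chain via effect_refs, conditions via on_*_refs
        for key in ("effect_refs", "on_true_refs", "on_false_refs"):
            queue.extend(obj.get(key, []))
    return ordered, dangling


if __name__ == "__main__":
    techniques, broken = walk_actions(SAMPLE_BUNDLE)
    print("chain:", " -> ".join(techniques))
    print("dangling refs:", broken)
```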
The attack flow modeling process revealed critical insights into the attack’s methodology, exposing potential vulnerabilities and attack vectors. Beyond a better understanding of this specific incident, the approach provides a replicable framework for analyzing similar complex cyber incidents.
Impact and Perspectives
By demonstrating the Attack Flow Builder’s capabilities, I hope my work will contribute to the broader cybersecurity community’s understanding of threat modeling.
I think that the Attack Flow Builder tool represents a significant step towards more proactive, intelligence-driven defensive strategies, enabling organizations to anticipate and mitigate potential cyber risks more effectively.
My analysis not only illuminates the specifics of this particular Viasat Attack but also provides a methodology for understanding and defending against complex cyber threats in an increasingly interconnected landscape.
In a landscape where cyber threats continue to evolve with increasing sophistication, such a threat modeling approach helps develop robust and adaptive cybersecurity frameworks.
Thanks to the Center for Threat-Informed Defense for this very useful tool.
The dissemination of my work aims to contribute to the advancement of security practices in the field of satellite systems.
Presenting my work also gives me the opportunity to receive constructive feedback so that I can continue my research.
I’m very proud and honored to be featured in Angelina Tsuboi’s course on Satellite Cybersecurity Foundations hosted on Udemy. Thank you very much Angelina for mentioning my work on the Viasat cyber attack analysis with the MITRE ATT&CK framework. The article describing my work can be found here.
I compared the 4 frameworks that can be used for the space sector: MITRE ATT&CK, SPARTA, SPACE-SHIELD and TREKS.
I explained why I chose the MITRE ATT&CK framework.
I identified the Tactics, Techniques and Procedures (TTPs) from the MITRE ATT&CK matrix that were used by the hackers.
I mapped them on the MITRE ATT&CK Navigator in order to obtain the complete attack chain.
I drew a diagram, in the form of a Cyber Kill Chain, showing all TTPs mapped on the entire attack life cycle of the Viasat cyber attack.
Thanks again to Angelina Tsuboi for mentioning my work on the Viasat cyber attack analysis with the MITRE ATT&CK framework. The article describing my work can be found here.
Why Satellite Cybersecurity is critical
The space industry has been expanding rapidly over the past few years, and this trend is expected to continue as more companies and organizations conduct space-related research and projects. This democratization of, and demand in, the aerospace industry has also attracted bad actors who try to exploit the new technology for malicious purposes. Understanding the foundations of satellite security and the detection methods for common satellite cyber attacks is now mandatory in order to combat this growing threat.
About the Satellite Cybersecurity Foundations course on Udemy
The Satellite Cybersecurity Foundations course on Udemy is an intensive course and hands-on CTF workshop.
In this course, you will learn the foundations of satellite cybersecurity and master satellite cybersecurity. You will gain critical skills to defend aerospace systems, covering satellite OSINT, orbital mechanics, signal reverse engineering, TLE analysis, attack simulation, and SPARTA-based defenses. You will learn how to identify vulnerabilities, secure-by-design, and protect satellite infrastructure against modern threats.
In more detail, here is what you’ll learn:
Foundations of Satellite Technology: Subsystems, Communications, and Applications
OSINT for Satellite Systems, Mission Analysis, and Reading Engineering Specifications
Communications & Tracking: Intercepting and Reverse Engineering Signals
Tracking and Orbital Mechanics: TLEs, Propagation Methods, and Visual Tools
Interactive CTF Workshop
Secure-by-Design Implementation for Satellite Infrastructure
This course is for anyone who is interested in learning the foundations of satellite security.
About course instructor Angelina Tsuboi
Angelina Tsuboi is a Programmer, Security Researcher, and Developer with a passion for satellites, signals intelligence, and scientific research.
She is interested in educating others about the exciting field of aerospace cybersecurity in conjunction with developing open-source programs and research in the field spanning satellites, UAVs, and aircraft.
I am very happy and proud that my article on DNS security has been accepted and published in the last issue of Hakin9 Magazine after being reviewed by the editorial board.
This new issue of Hakin9 Magazine, titled « Dark Web Vol.3 », is an exploratory journey into the shadowy realms of the internet and the cybersecurity challenges that lurk within.
The title of my article is « The dark side of the DNS or the war of the port 53 ».
We are all familiar with classic DNS-based attacks such as DNS Cache Poisoning, DNS Reflection attack, DNS Amplification attack, DNS Pseudo Random SubDomain (PRSD) attack, DNS NXDomain attack, etc.
However, less is known about the techniques and algorithms behind these attacks. And since most modern malware uses DNS in at least one of the 7 stages of the Cyber Kill Chain, the aim of this article is to give a little insight into these techniques and to analyze the most sophisticated DNS-based attacks.
I was quoted in the following article alongside Gerome Billois (Partner – Cybersecurity and Digital Trust – Wavestone) and Martial Gervaise (Cybersecurity Expert – Former Deputy Director at Orange Group). This article shows how important it is to have guidance in your cybersecurity career. It also shows how important it is to share with others. It’s not by staying on your own that you grow the community; it’s by sharing that we collectively increase our skills. Cybersecurity grows when it’s shared.
I was elected as a CyberStar (or SpaceCyberStar) by Yohann BAUZIL. CyberStar is a program that highlights those who work to make cybersecurity a reality on a daily basis, either by sharing their knowledge or by their work.
The first step was to identify the properties of the Siemens PLC by analyzing the data sheet.
Next, I used the Properties tool to select the properties relevant to Siemens PLCs.
Finally, I used the mapping tool to list the threats that represent a viable risk for Siemens PLCs.
I checked to confirm that these vulnerabilities have been exploited by the Stuxnet worm.
I used the Associated mitigations to propose a list of mitigations for the threats that pose a viable risk to the Siemens S7 series PLC.
I finally mapped the associated mitigations to the IEC 62443-4-2 framework.
I successfully passed the CISM (Certified Information Security Manager) from ISACA. You can read about my experience and tips after successfully passing this amazing certification here.
This journey has been both challenging and rewarding, filled with extensive study and deep dives into security governance, incident management, risk management and information security programs.
I’m proud to have achieved this important milestone in my career. I look forward to leveraging these skills and expertise to drive impactful security initiatives and contribute to the community.
Then, I describe how attacks on OT and ICS systems are modeled by the ICS Cyber Kill Chain and the MITRE ATT&CK for ICS Matrix, described below.
=========
I’d like to thank everyone who has followed me, encouraged me and supported me.
I hope all the information I share with you is interesting and helps you keep up to date and learn more.
But stay tuned because 2025 promises to be just as incredible and intense.
🌟 I’m thrilled to share that I’ve earned the CISM (Certified Information Security Manager) from ISACA. You can view my achievement on Credly.
🌍 This journey has been both challenging and rewarding, filled with extensive study and deep dives into security governance, incident management, risk management and information security programs.
🚀 I’m proud to have achieved this important milestone in my career. I look forward to leveraging these skills and expertise to drive impactful security initiatives and contribute to the community.
💡 Achieving the Certified Information Security Manager (CISM) certification is about much more than adding a line to your resume. It transforms how you approach, communicate, and prioritize security solutions with a business-centric mindset. After completing CISSP from ISC2, it’s clear that CISM has been one of the most impactful certifications, giving me a structured approach with business priorities always top of mind.
🏢 The exam itself wasn’t necessarily tougher than CISSP. The approach is different, though. But the CISM exam can be very tricky as not all questions have a strictly correct answer. Most of the questions are subjective. Often, it’s a case of choosing the most correct answer or the least wrong answer. Thinking like a manager or understanding the business context/requirements will help you choose the correct answer.
« Success is not the destination; it’s the incredible journey of pushing your limits, embracing challenges, and celebrating every small achievement all the way. »
💼 No certification can replace actual work experience and knowledge obtained from getting your hands dirty. At the same time, certification prep can help in expanding your knowledge.
👉 What do I notice every time I take a certification:
– The quality of my work has improved
– I am more engaged with my work
– I am faster at performing my job
– I have decreased errors in my work
The CISM Mindset:
Think like an Information Security Manager
Human life is always the most important
Everything we do supports the mission of the business
Metrics allow control objectives to be met
IS Governance = Board of directors
IS Program = Board of directors or equivalent gov body
Dialogue is a KEY
Involve stakeholders in collaborative dialogue, understand their needs, face-to-face
Security addendum = terms and conditions – NOT additions
It’s generally accepted that CISO reports to COO (not to CEO)
A problem statement describes the problem in business terms
A problem statement has 2 parts:
the description of possible events
the optics that the organization is negligent
Always align with the business
Always choose a collaborative approach
About CISM materials:
I especially thank Thor Pedersen. All the materials he provides on Udemy are truly amazing:
Attacks on OT (Operational Technology) systems are made easier by OT/IT convergence.
The figure below shows an example of OT/IT convergence.
Attacks on OT and ICS systems are modeled by the ICS Cyber Kill Chain and the MITRE ATT&CK for ICS Matrix described below.
ICS Cyber Kill Chain
Published by SANS in 2015 (Michael Assante and Robert M. Lee), it adapts the traditional cyber kill chain developed by Lockheed Martin analysts to ICSs.
The ICS Cyber Kill Chain details the steps an adversary must follow to perform a high‐confidence attack on the ICS process and/or cause physical damage to equipment in a predictable and controllable way.
The ICS Cyber Kill Chain has two stages:
Stage 1: Cyber Intrusion Preparation and Execution – « IT »
Stage 2: ICS Attack Development and Execution – « OT »
ICS Cyber Kill Chain mapped to the ICS Zoned Architecture
ICS Zoned Architecture (left): this is the Purdue Model for ICS Security
Cyber Kill Chain for Industrial Control Systems (right): this is an ICS attack as cascading events
The ICS Cyber Kill Chain is a powerful approach for neutralizing a cyber attack and reducing ICS cyber risk. The challenge for security engineering is to kill the kill chain.
ICS Cyber Kill Chain applied to STUXNET
The figure below is the ICS Cyber Kill Chain applied to STUXNET
About the MITRE ATT&CK for ICS Matrix
To go further into the convergence of IT and OT and the concept of ICS (Industrial Control System), you can also look at the MITRE ATT&CK for ICS Matrix.
The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.
The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page)
Mapping of Stuxnet attack on the ATT&CK for ICS matrix
Below is the mapping of the Stuxnet attack on the ATT&CK for ICS matrix (thanks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »
Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)
EMB3D is aligned with and expands on several existing models, including Common Weakness Enumeration, MITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.