This assessment characterizes the current threat picture across the platform’s four operational enclaves (Space, Link, Ground, User). For each enclave, the report identifies the potential attacks the platform faces and the subsystems each attack would touch.
Each enclave is presented in two parts: a narrative of the current threat picture, followed by a table of potential attacks and the subsystems each would touch.
Picture. State-linked actors have shown the most willingness to put on-orbit platforms at risk. Three patterns dominate public reporting: destructive intent against the bus, integrity attacks against the command path, and supply-chain firmware compromise pre-launch. A fourth, less common, is payload-data tampering.
Working hypotheses. Destructive actors target attitude and power. Integrity actors target C&DH and crypto. Supply-chain actors ride in firmware (FTS, thermal, EPS) and wait for a trigger. Payload tampering targets the data plane between the instrument and the downlink encryptor.
| Threat | Services touched | Hardware / firmware / data touched |
|---|---|---|
| Destructive bus attack | Attitude determination & control, electrical power management, flight termination. | ADCS sensors and flight software, power chain (solar arrays, battery, PCDU), FTS receiver and firmware. |
| Command-path integrity attack | Command & Data Handling (C&DH), space-side cryptography. | Every commanding-path component bound to C&DH and the space-side crypto service. |
| Pre-launch supply-chain firmware compromise | Flight termination, thermal control, power management. | FTS firmware and any other firmware-bearing hardware ingested through the same supply path. |
| Payload-data tampering | Mission downlink / uplink data plane, payload data plane. | Payload-side hardware and software between the science instrument and the downlink encryptor. |
Picture. The link is where state-linked RF actors operate most visibly: sustained jamming campaigns, pass-timed uplink interference, and replay-and-spoof against the command waveform. Adversaries can degrade mission product here without touching ground or space.
Working hypotheses. Jamming actors prefer the downlink (slower to detect than uplink failure). Spoofing actors pair with credential or session-key theft. Interference operators time passes; persistent campaigns rotate frequency to evade single-source mitigations.
| Threat | Services touched | Hardware / firmware / data touched |
|---|---|---|
| Jamming campaign | Link-side communications serving the downlink and uplink bands. | The waveforms in those bands; antenna and modem hardware on both ends of the link. |
| Replay-and-spoof attack on the uplink | Command & Data Handling (space side), space-side and ground-side cryptography. | The uplink command waveform itself; cryptographic key material on both ends of the link. |
| Downlink interception | Mission downlink data plane, payload data plane. | The downlink waveform; mission and payload data traversing the link. |
Picture. Ground hosts the largest population of adversaries: nation-state long-dwell intruders, criminal credential-theft actors, privileged insiders, persistent ground-network pivoters, and ransomware actors targeting launch and mission ops.
Working hypotheses. Long-dwell intruders target ground crypto and the mission ops network. Credential theft targets operator and service accounts. Insiders sit on commanding workstations. Pivoters move operator-network → mission control. Ransomware’s highest-impact path runs through launch control.
| Threat | Services touched | Hardware / firmware / data touched |
|---|---|---|
| Long-dwell network intrusion | Ground-side cryptography, mission operations, command authority. | Mission ops network equipment, command authority application, ground cryptographic key material. |
| Operator credential theft | Ground-station operations, mission operations. | Operator credentials and ground-station service-account credentials. |
| Privileged insider misuse | Command authority, mission operations. | Commanding workstations (hardware and software), audit logs. |
| Lateral movement into mission control | Operator network, mission operations. | Operator workstations, mission-control hosts and their software. |
| Ransomware against launch infrastructure | Launch control, mission operations. | Launch control hardware and software; co-resident operator backup data. |
Picture. Few threats, but high-consequence: the user side is what shapes operator and customer decisions. Two patterns matter: tampering with end-user applications (distorting what the operator sees), and credential harvesting against operator consoles.
Working hypotheses. Application tamperers go for the app and the data it displays (degrading downlink trust without touching the bird). Credential actors go for the console’s auth path and any cached credential or session data.
| Threat | Services touched | Hardware / firmware / data touched |
|---|---|---|
| End-user application tampering | End-user application, mission product display. | End-user application software, displayed mission product. |
| Operator console credential theft | Operator console, authentication service for the console. | Console workstation hardware and software, cached credentials and session tokens. |
Ground dominates the picture: state-linked long-dwell intrusions and credential-theft actors operate the most visibly. Space is shaped by destructive intent against bus subsystems and pre-launch firmware compromise. Link faces jamming, replay-and-spoof, and downlink interception. User is small in volume, high in consequence.