Satellite Infrastructure - Complete PASTA Walkthrough
This case study demonstrates threat modeling applied to space satellite infrastructure. This walkthrough addresses a fundamentally different domain with unique constraints: systems you cannot physically access after deployment, extreme latency considerations, radio frequency vulnerabilities, and nation-state threat actors.
Satellite systems make fascinating threat modeling subjects because the consequences of getting security wrong are severe and often irreversible. You cannot SSH into a satellite to patch it. You cannot reboot the ground station while customers are mid-flight over the Atlantic. The attack surface spans from terrestrial facilities to orbital assets to user terminals scattered across the globe.
The System: OrbitLink Satellite Communications Network
OrbitLink operates a commercial low Earth orbit (LEO) satellite constellation providing broadband connectivity to maritime, aviation, and remote enterprise customers. Here’s the system at a glance:
| Attribute | Detail |
|---|---|
| Organization | Commercial satellite communications provider |
| Constellation | 180 LEO satellites at ~550km altitude |
| Ground Infrastructure | 12 ground stations across 4 continents |
| Customer Base | ~2,500 enterprise customers (shipping, airlines, oil/gas, government) |
| Key Functions | Broadband data relay, maritime safety communications, aviation connectivity |
| Annual Revenue | $850M |
| Regulatory Context | FCC (Part 25), ITU Radio Regulations, ITAR (some components) |
The network handles commercial traffic but also serves as backup communications for emergency services and includes some government contracts. A compromise could disrupt maritime safety communications, expose confidential business data, or enable tracking of sensitive government movements.
Let’s threat model it.
Stage 1: Define Business Objectives
Satellite communications is a capital-intensive business with long planning horizons. A single satellite costs $5-15M to build and $50-80M to launch. The constellation represents over $3B in deployed assets that cannot be physically serviced. Business context matters enormously because security investments must be weighed against the irreversible nature of space infrastructure decisions.
Business Drivers
OrbitLink exists to provide reliable connectivity where terrestrial infrastructure doesn’t reach. Ships in the middle of the Pacific, aircraft over polar routes, oil rigs hundreds of miles offshore, and rural communities beyond fiber reach all depend on satellite connectivity. For many customers, OrbitLink isn’t a convenience—it’s their only option.
Revenue concentration creates specific business risks. The top 20 customers (major shipping lines, airlines, and government agencies) represent 65% of revenue. Losing a major airline contract due to a security incident would be catastrophic. Government customers have explicit security requirements in their contracts.
Competitive dynamics are intensifying. SpaceX’s Starlink and Amazon’s Project Kuiper are deploying massive constellations. Differentiation increasingly depends on service reliability and security posture, particularly for enterprise and government customers who won’t trust their data to the lowest bidder.
Security Objectives
| Priority | Objective | Rationale |
|---|---|---|
| Primary | Protect command and control integrity | Loss of satellite control could result in debris, interference, or total asset loss |
| Primary | Ensure service availability | Customers depend on connectivity for safety-critical operations |
| Secondary | Protect customer data confidentiality | Competitive intelligence, personal data, government communications |
| Tertiary | Maintain regulatory compliance | License to operate depends on meeting FCC/ITU requirements |
Consequence of Failure
The consequences of security failures in satellite systems range from expensive to existential.
Command and Control Compromise
If an attacker gains control of satellite command systems, potential outcomes include:
| Scenario | Impact |
|---|---|
| Satellite repositioning | Collision risk, debris generation, total constellation loss |
| Thruster exhaustion | Premature satellite decommissioning (~$60M per satellite) |
| Frequency interference | FCC enforcement action, customer service disruption |
| Ransomware of ground systems | Complete service outage, ransom payment or lengthy recovery |
The Kessler syndrome scenario (cascading debris collisions) is unlikely from a single satellite but represents existential risk to the space industry. Regulators and insurers are increasingly focused on debris mitigation.
Service Disruption
| Impact Type | Estimated Cost |
|---|---|
| Revenue loss during outage | $2.3M per day |
| SLA penalties | Up to 50% of monthly fees for affected customers |
| Customer churn (major incident) | $50-100M annual revenue loss |
| Emergency response degradation | Unquantifiable human safety impact |
Maritime customers rely on OrbitLink for GMDSS (Global Maritime Distress and Safety System) backup. Aviation customers depend on it for oceanic position reporting. Prolonged outages could result in regulatory action and, in worst cases, contribute to safety incidents.
Data Breach
Customer traffic includes:
- Corporate communications (mergers, legal matters, competitive intelligence)
- Personal data of passengers and crew
- Government communications (some classified at CUI level)
- Maritime cargo manifests and routing
| Impact Type | Estimated Cost |
|---|---|
| Regulatory fines (GDPR, etc.) | $10-50M |
| Government contract termination | $120M annual revenue |
| Litigation | $20-100M |
| Reputation damage | 15-30% customer churn |
Total Potential Exposure Summary
| Scenario | Potential Impact |
|---|---|
| Single satellite loss (adversary action) | $60M + insurance implications |
| Constellation-wide control compromise | $500M-3B + potential bankruptcy |
| Extended service outage (>7 days) | $50-200M |
| Major data breach | $100-300M |
| Combined attack (control + ransomware) | $500M+ potential business closure |
Risk Appetite
| Risk Type | Tolerance | Justification |
|---|---|---|
| Command and control compromise | Zero | Existential threat to assets and business |
| Extended outage (>4 hours) | Zero | Safety implications, SLA obligations |
| Brief outage (<4 hours) | Low | Acceptable with proper communication |
| Customer data exposure | Very Low | Contractual obligations, regulatory requirements |
| Non-sensitive internal data exposure | Low | Reputational concern but manageable |
The organization accepts that some risks cannot be fully eliminated given the nature of space operations. However, any credible path to command and control compromise requires immediate mitigation regardless of cost.
Key Stakeholders
| Role | Responsibility |
|---|---|
| CEO | Overall business risk acceptance |
| VP Space Operations | Satellite control, ground station operations |
| VP Engineering | System architecture, software development |
| CISO | Security program, threat response |
| Chief Commercial Officer | Customer relationships, contract obligations |
| General Counsel | Regulatory compliance, ITAR, government contracts |
| Insurance Liaison | $2B space insurance policy requirements |
Stage 2: Define Technical Scope
Satellite systems have three distinct segments, each with unique security considerations: the space segment (satellites themselves), the ground segment (control and gateway infrastructure), and the user segment (customer terminals). Attackers can target any segment or the links between them.
System Architecture
Space Segment
The 180-satellite constellation operates in six orbital planes at approximately 550km altitude. Each satellite includes:
| Component | Function | Security Relevance |
|---|---|---|
| Software-defined radio payload | Customer traffic relay | Configuration determines frequencies, power levels |
| Telemetry, Tracking, and Command (TT&C) | Satellite operations | Primary attack target for control compromise |
| Electric propulsion | Orbit maintenance | Thruster commands could reposition or deorbit |
| Flight computer | Onboard processing | Limited compute, runs custom RTOS |
| Inter-satellite links (ISL) | Mesh networking | Extends attack surface to adjacent satellites |
Satellites run custom firmware that cannot be fully updated after launch. Security patches must work within severe constraints: limited uplink bandwidth, tight timing windows, and zero tolerance for bricking a $60M asset.
Ground Segment
| Facility Type | Locations | Function |
|---|---|---|
| Satellite Operations Center (SOC) | Primary: Colorado; Backup: Netherlands | TT&C, constellation management, anomaly resolution |
| Ground Stations | 12 globally distributed | RF uplink/downlink, customer gateway |
| Network Operations Center (NOC) | Colorado (co-located with SOC) | Network management, customer service |
| Data Centers | AWS (primary), Azure (DR) | Backend services, billing, customer portal |
The SOC is the crown jewel. It houses the command and control systems that can upload commands to any satellite in the constellation. Physical security includes biometric access, mantrap entry, and 24/7 security staff.
User Segment
| Terminal Type | Deployment | Characteristics |
|---|---|---|
| Maritime VSAT | Ship-mounted | Stabilized antenna, always-on, challenging physical security |
| Aero terminal | Aircraft-mounted | Certified avionics, airline-managed |
| Enterprise VSAT | Fixed installations | Controlled environment, IT-managed |
| Mobile terminals | Vehicle/portable | Smallest, most exposed |
User terminals are managed devices but operate in environments OrbitLink doesn’t control. A compromised terminal could potentially be used to attack the network or other customers.
Component Inventory
| Layer | Components |
|---|---|
| Space Segment | 180 LEO satellites, inter-satellite link mesh, TT&C subsystems, customer payload |
| Ground Stations | RF equipment, antenna systems, baseband processing, network connectivity |
| Operations Centers | Satellite control software, network management, monitoring systems |
| Cloud Infrastructure | AWS (compute, storage, databases), Azure (DR), CDN |
| Customer Systems | Billing platform, customer portal, API gateway, provisioning systems |
| User Terminals | Maritime terminals, aero terminals, enterprise terminals, mobile units |
Third-Party Dependencies
| Service | Function | Risk Consideration |
|---|---|---|
| AWS | Primary cloud infrastructure | Availability, access control, shared responsibility model |
| SpaceX/Arianespace | Launch services | Supply chain, schedule dependencies |
| Terminal manufacturers | User equipment | Firmware security, supply chain |
| Teleport operators | Some ground station facilities leased | Physical security, operational security |
| Frequency coordination (ITU) | Spectrum rights | Regulatory compliance |
Data Classification
| Classification | Data Types | Protection Level |
|---|---|---|
| Critical | TT&C encryption keys, satellite command authentication, orbit parameters | Highest (destruction of business if compromised) |
| High | Customer traffic (encrypted in transit), authentication credentials, network topology | Strong encryption, strict access control |
| Medium | Operational telemetry, performance metrics, maintenance schedules | Standard protection |
| Low | Public marketing materials, general documentation | Minimal |
| Government (CUI) | Government customer traffic, some contracts | Per NIST 800-171 |
Network Boundaries
| Boundary | Location | Concern |
|---|---|---|
| Internet-facing | Customer portal, API gateway | Standard web application attacks |
| RF uplink/downlink | Ground station to satellite | Jamming, spoofing, interception |
| Inter-satellite links | Between satellites | Compromise propagation |
| SOC perimeter | Operations center network edge | Critical asset protection |
| Terminal boundary | Customer terminal to customer network | Managed device in uncontrolled environment |
| Third-party boundary | Cloud providers, launch providers | Supply chain, shared responsibility |
Stage 3: Application Decomposition
Stage 3 creates detailed data flows and identifies trust boundaries specific to satellite operations.
Primary Data Flows
| Flow | Path | Trust Boundaries Crossed |
|---|---|---|
| Customer traffic | Terminal → Satellite → Ground Station → Internet | Terminal→Satellite (RF), Satellite→Ground (RF), Ground→Internet |
| TT&C commands | SOC → Ground Station → Satellite | SOC→Ground (terrestrial), Ground→Satellite (RF, encrypted) |
| Telemetry | Satellite → Ground Station → SOC | Satellite→Ground (RF), Ground→SOC (terrestrial) |
| Inter-satellite routing | Satellite A → Satellite B | ISL (optical/RF) |
| Customer provisioning | Portal → Backend → Ground Station → Satellite | Multiple terrestrial + RF boundaries |
Trust Boundary Analysis
Seven critical trust boundaries require focused analysis:
| # | Boundary | Key Assumptions | Validation Required |
|---|---|---|---|
| 1 | RF Uplink (Ground → Satellite) | Commands are authenticated and encrypted; transmitter is authorized | Cryptographic authentication, frequency monitoring |
| 2 | RF Downlink (Satellite → Ground) | Telemetry is authentic; no injection | Cryptographic signing, anomaly detection |
| 3 | SOC → Ground Station | Ground station is not compromised | Network segmentation, mutual authentication |
| 4 | Terminal → Satellite | Terminal is legitimate customer equipment | Terminal authentication, traffic analysis |
| 5 | Internet → Customer Systems | Standard web threats | WAF, authentication, input validation |
| 6 | Inter-satellite Links | Adjacent satellite is not compromised | Link-layer encryption, routing validation |
| 7 | Cloud Provider | AWS/Azure are operating securely | Shared responsibility model, monitoring |
RF Link Security Deep Dive
The RF links are unique attack surfaces that don’t exist in traditional IT systems. Understanding them is critical for satellite threat modeling.
Uplink Threats (Ground → Space)
| Threat | Description | Difficulty |
|---|---|---|
| Jamming | Overwhelm legitimate signal with noise | Low (if attacker has RF equipment) |
| Command spoofing | Send unauthorized commands | High (requires breaking encryption) |
| Replay attacks | Re-transmit captured legitimate commands | Medium (depends on protocol design) |
| Signal analysis | Infer operational patterns from RF emissions | Medium |
Downlink Threats (Space → Ground)
| Threat | Description | Difficulty |
|---|---|---|
| Interception | Capture customer traffic | Low (RF is broadcast) |
| Telemetry spoofing | Fake telemetry to mask attack | High (requires authentication bypass) |
| Traffic analysis | Infer usage patterns | Low |
Inter-Satellite Link Threats
| Threat | Description | Difficulty |
|---|---|---|
| ISL injection | Insert traffic into mesh | High (optical links, geometric constraints) |
| Routing manipulation | Alter traffic paths through constellation | High (requires satellite compromise) |
Asset Inventory
| Priority | Assets |
|---|---|
| Critical | TT&C encryption keys, satellite flight software, command authentication system, SOC access credentials, orbit determination data |
| High | Customer encryption keys, ground station control systems, network routing configuration, ISL encryption keys |
| Medium | Operational telemetry, customer billing data, terminal firmware |
| Lower | Marketing systems, general corporate IT |
Stage 4: Threat Analysis
Stage 4 identifies threats using industry intelligence, STRIDE analysis, and attacker personas. Satellite systems face a unique threat landscape including nation-state actors with anti-satellite weapons (ASAT) capabilities.
Industry Threat Intelligence
Space systems are increasingly targeted as critical infrastructure and military assets.
| Metric | Observation |
|---|---|
| Nation-state interest | Russia, China, Iran have demonstrated satellite disruption capabilities |
| ASAT testing | Multiple kinetic and non-kinetic tests since 2007 |
| Commercial targeting | Viasat KA-SAT attack (2022) disabled thousands of terminals at Ukraine invasion start |
| Ransomware targeting | Ground systems increasingly targeted as part of critical infrastructure |
| Regulatory attention | Space systems added to CISA critical infrastructure sectors |
The Viasat attack is particularly instructive. Attackers used VPN misconfiguration to access the management network, then pushed destructive firmware to customer terminals. The attack:
- Disabled ~30,000 terminals
- Disrupted Ukrainian military communications at invasion start
- Affected wind turbine operations in Germany (collateral damage)
- Recovery required physical terminal replacement in many cases
This demonstrated that attacks on space systems don’t require space capabilities. Ground segment and user segment attacks can be devastating.
STRIDE Analysis: Satellite TT&C Subsystem
Spoofing
Attackers could attempt to impersonate ground stations to send unauthorized commands. The TT&C link uses spread-spectrum modulation and encryption, but vulnerabilities in the cryptographic implementation or key management could enable spoofing. Historical incidents include the 1998 ROSAT incident where attackers reportedly took control of a German satellite.
Threats identified:
- THR-001: Ground station impersonation via compromised TT&C encryption keys
- THR-002: Replay of captured command sequences with insufficient nonce protection
- THR-003: Rogue ground station with stolen credentials
Tampering
Satellite firmware cannot be easily modified after launch, but the configuration can be updated. An attacker with command access could alter frequency allocations, power levels, or routing tables.
Threats identified:
- THR-004: Malicious firmware update bricking satellite
- THR-005: Configuration tampering to cause harmful interference
- THR-006: Thruster command injection for deorbit or collision course
Repudiation
Command logging occurs at the ground station, but an attacker who compromises the SOC could potentially modify logs to hide their activity.
Threats identified:
- THR-007: SOC log tampering to conceal unauthorized commands
- THR-008: Insufficient satellite-side command logging
Information Disclosure
Telemetry reveals operational details including orbit parameters, fuel status, and subsystem health. This information could inform further attacks or provide intelligence value.
Threats identified:
- THR-009: Telemetry interception revealing operational status
- THR-010: Orbit determination data exposure enabling tracking
- THR-011: Key extraction from captured telemetry
Denial of Service
Satellites have limited redundancy. Exhausting thrusters, damaging solar panels via attitude manipulation, or disrupting communications equipment would end the satellite’s useful life.
Threats identified:
- THR-012: Thruster exhaustion through repeated unnecessary maneuvers
- THR-013: RF jamming of TT&C link
- THR-014: Attitude manipulation damaging solar arrays
- THR-015: Commanding safe mode to disable customer payload
Elevation of Privilege
The satellite’s flight computer runs constrained software, but bugs could allow privilege escalation from payload operations to flight control.
Threats identified:
- THR-016: Payload-to-bus escape via flight software vulnerability
- THR-017: ISL compromise propagating to flight systems
STRIDE Analysis: Ground Station Systems
Spoofing
Ground stations authenticate to the SOC and to satellites. Compromising either authentication path enables attack escalation.
Threats identified:
- THR-018: SOC impersonation to ground station
- THR-019: Ground station credential theft enabling unauthorized command transmission
- THR-020: Insider with valid credentials performing unauthorized operations
Tampering
Ground station software processes customer traffic and generates commands. Tampering could affect either stream.
Threats identified:
- THR-021: Malicious command injection via compromised ground station software
- THR-022: Customer traffic manipulation at ground station
- THR-023: RF equipment misconfiguration causing interference
Repudiation
Ground stations are geographically distributed, some operated by third parties. Audit trail integrity varies.
Threats identified:
- THR-024: Insufficient logging at leased teleport facilities
- THR-025: Log integrity attacks at remote ground stations
Information Disclosure
Ground stations handle customer traffic in clear text during baseband processing before encryption for satellite uplink.
Threats identified:
- THR-026: Customer traffic interception at ground station
- THR-027: TT&C key exposure from ground station compromise
- THR-028: Network topology disclosure via ground station reconnaissance
Denial of Service
Ground stations are single points of failure for their coverage areas.
Threats identified:
- THR-029: Physical destruction of ground station antenna
- THR-030: DDoS against ground station network connectivity
- THR-031: RF jamming of ground station uplink
- THR-032: Power grid attack affecting ground station
Elevation of Privilege
Ground station compromise could enable escalation to satellite control.
Threats identified:
- THR-033: Ground station to SOC lateral movement
- THR-034: Ground station operator privilege escalation
STRIDE Analysis: User Terminals
Spoofing
Terminals authenticate to the network. A spoofed terminal could gain free service or attack the network.
Threats identified:
- THR-035: Cloned terminal credentials for unauthorized access
- THR-036: Rogue terminal performing network reconnaissance
Tampering
Terminals in customer environments may be physically accessible to attackers.
Threats identified:
- THR-037: Malicious terminal firmware installation
- THR-038: Terminal hardware modification (wiretapping, backdoor)
- THR-039: Supply chain attack on terminal manufacturing
Repudiation
Terminal usage attribution enables billing and abuse tracking.
Threats identified:
- THR-040: Terminal identity spoofing for abuse attribution evasion
Information Disclosure
Terminals process customer traffic and may store credentials.
Threats identified:
- THR-041: Customer traffic interception via terminal compromise
- THR-042: Credential extraction from terminal storage
- THR-043: RF emissions analysis revealing traffic patterns
Denial of Service
Terminals could be attacked to disrupt customer connectivity or as part of broader attacks.
Threats identified:
- THR-044: Mass terminal disabling via firmware attack (Viasat-style)
- THR-045: Terminal RF jamming
- THR-046: Terminal resource exhaustion via malformed traffic
Elevation of Privilege
A compromised terminal could attack the broader network.
Threats identified:
- THR-047: Terminal to satellite attack (unlikely but considered)
- THR-048: Terminal as pivot point to customer network
Attacker Persona Analysis
Satellite systems face a broader range of threat actors than typical IT systems.
| Persona | Capabilities | Motivation | Target Focus |
|---|---|---|---|
| Script Kiddie | Public tools, RF equipment for sale online | Curiosity, notoriety | Exposed web services, terminal vulnerabilities |
| Cybercriminal | Ransomware, data theft, established infrastructure | Financial gain | Ground systems, customer data |
| Competitor | Corporate espionage, market intelligence | Business advantage | Customer data, operational details |
| Hacktivist | Disruption, message delivery | Political statement | Service availability, public-facing systems |
| Nation-State (Non-kinetic) | Advanced persistent threat, zero-days, RF expertise | Intelligence, disruption | All segments, particularly TT&C |
| Nation-State (Kinetic) | ASAT weapons, ground-based lasers, cyber-kinetic | Military advantage | Satellites directly |
| Insider | Legitimate access, operational knowledge | Financial, ideological, coerced | Based on role (SOC insider most dangerous) |
The nation-state kinetic threat is unique to space systems. While traditional cybersecurity cannot defend against missiles, threat modeling should acknowledge this threat class and consider:
- Redundancy and constellation resilience
- Geopolitical risk assessment for orbit selection
- Integration with space domain awareness
Threat Summary (Top 25 by Risk Score)
| ID | Threat | Category | L | I | Risk |
|---|---|---|---|---|---|
| THR-044 | Mass terminal firmware attack (Viasat-style) | DoS | 4 | 5 | 20 |
| THR-001 | TT&C key compromise enabling command spoofing | Spoofing | 3 | 5 | 15 |
| THR-006 | Thruster command injection | Tampering | 3 | 5 | 15 |
| THR-019 | Ground station credential theft | Spoofing | 4 | 4 | 16 |
| THR-021 | Malicious command injection via ground station | Tampering | 3 | 5 | 15 |
| THR-027 | TT&C key exposure from ground station | Info Disc | 3 | 5 | 15 |
| THR-050 | SOC ransomware attack | DoS | 4 | 4 | 16 |
| THR-020 | Malicious insider at SOC | Spoofing | 3 | 5 | 15 |
| THR-033 | Ground station to SOC lateral movement | Elevation | 3 | 5 | 15 |
| THR-039 | Terminal supply chain attack | Tampering | 3 | 4 | 12 |
| THR-013 | TT&C link jamming | DoS | 4 | 3 | 12 |
| THR-029 | Physical ground station attack | DoS | 3 | 4 | 12 |
| THR-026 | Customer traffic interception | Info Disc | 3 | 4 | 12 |
| THR-031 | Ground station uplink jamming | DoS | 4 | 3 | 12 |
| THR-037 | Malicious terminal firmware | Tampering | 3 | 4 | 12 |
| THR-051 | Cloud infrastructure compromise (AWS) | Various | 3 | 4 | 12 |
| THR-052 | Customer portal SQLi/data breach | Info Disc | 4 | 3 | 12 |
| THR-004 | Malicious satellite firmware update | Tampering | 2 | 5 | 10 |
| THR-035 | Cloned terminal credentials | Spoofing | 4 | 2 | 8 |
| THR-012 | Thruster exhaustion attack | DoS | 2 | 5 | 10 |
| THR-009 | Telemetry interception | Info Disc | 4 | 2 | 8 |
| THR-053 | ISL mesh compromise propagation | Elevation | 2 | 4 | 8 |
| THR-007 | SOC log tampering | Repudiation | 3 | 3 | 9 |
| THR-023 | RF misconfiguration causing interference | Tampering | 3 | 3 | 9 |
| THR-054 | Nation-state kinetic attack | DoS | 1 | 5 | 5 |
Additional Documented Threats (THR-055 through THR-075):
The complete threat model documents 75 threats across categories:
| Category | Count | Examples |
|---|---|---|
| Space Segment | 18 | Command spoofing, firmware attacks, ISL compromise |
| Ground Segment | 22 | SOC compromise, ground station attacks, lateral movement |
| User Segment | 15 | Terminal attacks, supply chain, credential theft |
| Support Systems | 12 | Cloud compromise, customer portal, billing |
| Physical/Kinetic | 8 | Ground station destruction, ASAT, sabotage |
Stage 5: Vulnerability and Weakness Analysis
Stage 5 maps concrete weaknesses to identified threats.
Space Segment Weaknesses
| Finding | Weakness | Related Threat |
|---|---|---|
| TT&C encryption uses 2010-era algorithm | Potential cryptanalytic weakness | THR-001, THR-002 |
| Limited satellite-side command validation | Relies heavily on ground-side security | THR-006 |
| Firmware update verification incomplete | Only checks signature, not payload integrity | THR-004 |
| ISL authentication uses shared constellation key | Single key compromise affects all ISLs | THR-053 |
| No satellite-side command logging | Recovery relies on ground logs | THR-007, THR-008 |
The satellite flight software was designed in 2018 and cannot be substantially redesigned. Security improvements must work within existing software architecture constraints.
Ground Segment Weaknesses
| Finding | Weakness | Related Threat |
|---|---|---|
| SOC network segmentation incomplete | TT&C systems reachable from corporate network | THR-033, THR-050 |
| Ground station VPN configuration varies | Inconsistent security posture across 12 sites | THR-019 |
| Third-party teleport facilities | Limited visibility into physical security | THR-024, THR-029 |
| Legacy SCADA systems at some sites | Unpatched control systems | THR-021 |
| Privileged access management gaps | Shared accounts for some operations | THR-020 |
The Viasat attack exploited exactly this type of ground segment weakness—VPN misconfiguration that allowed lateral movement to terminal management systems.
User Segment Weaknesses
| Finding | Weakness | Related Threat |
|---|---|---|
| Terminal firmware update mechanism | Insufficient authentication for updates | THR-044 |
| Physical terminal security varies | Maritime installations particularly exposed | THR-038 |
| Terminal credential storage | Keys stored in software, extractable | THR-042 |
| Supply chain visibility limited | Multiple contract manufacturers | THR-039 |
Configuration Issues
| Issue | Risk | Severity |
|---|---|---|
| AWS IAM policies overly permissive | Blast radius if credentials compromised | Medium |
| SOC workstations have internet access | Potential malware vector | High |
| Some ground stations lack redundant connectivity | Single point of failure | Medium |
| Backup systems not air-gapped | Ransomware could affect backups | High |
| Key rotation manual and infrequent | Key compromise window extended | Medium |
Penetration Testing Results
| Status | Findings |
|---|---|
| Critical (Fixed) | SQL injection in legacy billing system |
| High (In Progress) | SOC network segmentation bypass via printer |
| High (Pending) | Ground station VPN using deprecated cipher suite |
| Medium | Customer portal session management weaknesses |
| Medium | Several terminals have debug interfaces enabled |
Weakness-to-Threat Mapping
| Threat | Root Weakness | Fix Approach |
|---|---|---|
| THR-044 (Mass terminal attack) | Insufficient firmware update authentication | Cryptographic signing with per-terminal verification |
| THR-033 (Lateral movement) | Incomplete network segmentation | Redesign SOC network architecture |
| THR-050 (SOC ransomware) | SOC internet access, backup not isolated | Air-gap critical systems, immutable backups |
| THR-019 (Credential theft) | Inconsistent ground station security | Standardize VPN configuration, zero trust |
| THR-001 (TT&C key compromise) | Key management, algorithm age | Key rotation automation, crypto agility roadmap |
Stage 6: Attack Modeling
Stage 6 creates detailed attack trees showing how adversaries could achieve high-value goals.
Attack Tree 1: Satellite Constellation Control Compromise
Goal: Gain ability to send commands to any satellite in the constellation
| Path | Description | Difficulty | Prerequisites | Detection |
|---|---|---|---|---|
| A | SOC network compromise → TT&C system access → Command capability | Medium-High | Initial access to corporate network | SIEM, network monitoring |
| B | Ground station compromise → Credential theft → SOC impersonation | Medium | Physical or remote ground station access | Ground station monitoring, anomaly detection |
| C | Insider threat → Legitimate access abuse → Unauthorized commands | Medium | Recruitment/coercion of SOC operator | Command validation, two-person integrity |
| D | TT&C key theft → Rogue ground station → Direct satellite command | High | Key extraction, RF equipment | Frequency monitoring, command validation |
| E | Supply chain → Compromised SOC hardware/software → Backdoor access | High | Supply chain access | Supply chain verification, monitoring |
Path A Deep Dive: SOC Network Compromise
| Stage | Activities | Controls | Gaps |
|---|---|---|---|
| Initial Access | Phishing SOC employee, exploit public-facing service | Email filtering, patching, training | Spearphishing effectiveness varies |
| Establish Foothold | Deploy RAT, persist via scheduled task | EDR, application whitelisting | EDR bypass possible |
| Lateral Movement | Escalate to admin, move to TT&C network | Network segmentation, PAM | Segmentation incomplete (known gap) |
| Command Access | Access TT&C workstation, authenticate to system | MFA, command validation | MFA fatigue, operator bypass |
| Command Execution | Send malicious commands to satellites | Command rate limiting, anomaly detection | Anomaly detection requires baseline |
Critical Chokepoint Analysis:
Network segmentation between corporate and TT&C systems appears in multiple attack paths. Properly implementing this segmentation would disrupt paths A, C (partially), and E.
Command validation requiring two-person integrity would disrupt paths A, C, and D. Even with TT&C access, an attacker would need to compromise two separate accounts.
Attack Tree 2: Mass Terminal Disabling (Viasat-Style Attack)
Goal: Disable thousands of customer terminals simultaneously
| Phase | Activities | Detection Points |
|---|---|---|
| 1. Initial Access | Compromise terminal management network (VPN exploit, phishing) | VPN monitoring, authentication logs |
| 2. Reconnaissance | Map terminal management systems, identify push mechanism | Unusual queries, access patterns |
| 3. Weaponization | Develop destructive firmware or configuration | N/A (off-network) |
| 4. Staging | Position for simultaneous deployment | Unusual file transfers, staging behavior |
| 5. Execution | Push malicious update to all terminals | Update volume anomaly, terminal behavior |
| 6. Persistence | Terminals bricked, require physical replacement | Too late for prevention |
Disruption Controls:
| Phase | Disruption Mechanism |
|---|---|
| Initial Access | VPN hardening, zero trust network access, MFA |
| Reconnaissance | Honeypots, access logging, behavior analytics |
| Staging | File integrity monitoring, change management |
| Execution | Rate limiting on updates, staged rollout requirements, cryptographic verification |
| Post-Execution | Rapid incident response, replacement terminal inventory |
The Viasat attack demonstrated that execution-phase controls were insufficient. Rate limiting and staged rollouts would have limited blast radius even after initial compromise.
Attack Tree 3: Ransomware Attack on Ground Operations
Goal: Encrypt SOC and ground station systems, demand ransom
| Stage | Kill Chain Phase | Activities |
|---|---|---|
| 1 | Reconnaissance | Research OrbitLink infrastructure, identify targets |
| 2 | Initial Access | Spearphishing, exploit public services |
| 3 | Establish Foothold | Deploy Cobalt Strike, establish persistence |
| 4 | Privilege Escalation | Kerberoasting, credential harvesting |
| 5 | Lateral Movement | Move to ground stations, SOC systems |
| 6 | Data Exfiltration | Steal data for double extortion |
| 7 | Preparation | Disable backups, stage ransomware |
| 8 | Execution | Simultaneous encryption across infrastructure |
Impact Analysis:
| Scenario | Impact |
|---|---|
| SOC encrypted, backups intact | 24-48 hour recovery, SLA penalties |
| SOC encrypted, backups compromised | 1-2 week recovery, $30-50M loss |
| SOC + ground stations encrypted | 2-4 week recovery, customer loss, potential satellite safe-mode |
| Satellite commanded to safe mode before encryption | Extended recovery, potential satellite loss if timing critical |
If attackers command satellites to safe mode before encrypting ground systems, recovery becomes more complex because safe mode commands may need ground infrastructure to reverse.
Kill Chain Disruption Priority
| Phase | Controls | Investment Priority |
|---|---|---|
| Initial Access | Email security, patching, attack surface reduction | High |
| Establish Foothold | EDR, application whitelisting | High |
| Lateral Movement | Network segmentation, zero trust | Critical |
| Privilege Escalation | PAM, credential hygiene | High |
| Data Exfiltration | DLP, network monitoring | Medium |
| Backup Destruction | Air-gapped/immutable backups | Critical |
| Execution | Detection and response | High |
Stage 7: Risk and Impact Analysis
Stage 7 prioritizes threats and creates an actionable remediation plan.
Risk Priority Summary
| Priority | Score Range | Count | Timeline | Key Threats |
|---|---|---|---|---|
| Critical | 15-20 | 8 | Immediate | THR-044 (terminal attack), THR-050 (ransomware), THR-001/006 (TT&C compromise) |
| High | 10-14 | 18 | 30 days | Ground station security, lateral movement, customer data |
| Medium | 5-9 | 30 | 90 days | Various component-level threats |
| Low | <5 | 19 | Monitor | Lower-probability or lower-impact threats |
Business Impact Quantification
THR-044 (Mass Terminal Attack)
The Viasat attack provides a real-world benchmark. Assuming similar scope:
- 50% of terminals affected: ~125,000 terminals
- Replacement cost per terminal: $2,000 (including logistics)
- Terminal replacement: $250M
- Service outage (2 weeks average): $32M revenue loss
- SLA penalties: $15M
- Customer churn (government contracts): $50M+ annually
- Total: $350M+ immediate, ongoing revenue impact
THR-050 (SOC Ransomware)
| Component | Cost |
|---|---|
| Ransom payment (if made) | $10-50M |
| Recovery (without payment) | $20M |
| Revenue loss during outage | $2.3M/day × 14 days = $32M |
| SLA penalties | $15M |
| Insurance implications | Premium increases, coverage questions |
| Total | $70-120M |
THR-001/006 (Satellite Control Compromise)
Worst-case: attacker commands satellites into collision courses, generating debris.
| Component | Cost |
|---|---|
| Lost satellites | $60M × 10-180 = $600M-10B |
| Launch replacement | $60M × satellites |
| Liability for debris | Potentially unlimited |
| Business closure | Probable |
Even partial control compromise leading to a single satellite loss would cost ~$120M (satellite + launch) plus insurance and regulatory implications.
Mitigation Plan
Immediate Actions (Week 1-2)
| Threat | Mitigation | Owner | Cost |
|---|---|---|---|
| THR-044 | Cryptographic verification for terminal updates, staged rollout enforcement | VP Engineering | $500K |
| THR-050 | Air-gap critical SOC systems, implement immutable backups | VP Space Ops | $300K |
| THR-033 | Emergency network segmentation for TT&C systems | CISO | $200K |
30-Day Actions
| Threat | Mitigation | Owner | Cost |
|---|---|---|---|
| THR-001/006 | Two-person integrity for critical commands, enhanced command validation | VP Space Ops | $800K |
| THR-019 | Ground station VPN standardization, zero trust pilot | CISO | $600K |
| THR-020 | Privileged access management implementation | CISO | $400K |
| THR-039 | Terminal supply chain audit, enhanced verification | VP Engineering | $300K |
90-Day Actions
| Threat | Mitigation | Owner | Cost |
|---|---|---|---|
| SOC architecture | Complete network redesign, TT&C isolation | VP Space Ops | $2M |
| Ground station security | Consistent security controls across all sites | CISO | $1.5M |
| Crypto agility | Plan for TT&C encryption upgrade path | VP Engineering | $500K |
| ISL security | Per-link encryption key implementation | VP Engineering | $800K |
| Incident response | Satellite-specific IR playbooks, tabletop exercises | CISO | $200K |
Long-Term Actions (Year 1-2)
| Initiative | Description | Cost |
|---|---|---|
| Next-gen TT&C encryption | Prepare for quantum-resistant cryptography | $3M |
| Ground station redundancy | Eliminate single points of failure | $10M |
| Constellation resilience | Plan for graceful degradation if satellites lost | $2M |
| Security operations center | 24/7 security monitoring capability | $2M/year |
Risk Treatment Decisions
| Decision | Threat | Rationale |
|---|---|---|
| Mitigate | All critical/high threats | Per mitigation plan |
| Transfer | General liability, business interruption | $50M cyber insurance, $2B space insurance |
| Accept | THR-054 (Nation-state kinetic) | Cannot defend against missiles; rely on deterrence and constellation design |
| Accept | Some ground station physical threats | Cost of hardening all sites exceeds benefit; focus on redundancy |
Risk Acceptance: Nation-State Kinetic Attack
OrbitLink cannot defend against ASAT weapons. This risk is accepted with the following conditions:
- Constellation design allows continued service with 20% satellite loss
- Geographic distribution of ground stations limits single-point vulnerability
- Integration with Space Force space domain awareness for warning
- Review trigger: geopolitical situation changes significantly
Residual Risk Assessment
| Threat | Before | After | Justification |
|---|---|---|---|
| THR-044 (Terminal attack) | 20 | 8 | Cryptographic verification + staged rollout limits blast radius |
| THR-050 (Ransomware) | 16 | 8 | Air-gapped backups, network segmentation enable recovery |
| THR-001 (TT&C compromise) | 15 | 6 | Two-person integrity, enhanced validation |
| THR-033 (Lateral movement) | 15 | 5 | Network segmentation, zero trust |
| THR-019 (Credential theft) | 16 | 8 | Standardized VPN, PAM, monitoring |
Summary: Critical threat count drops from 8 to 2. High threat count drops from 18 to 7. Remaining critical risks relate to highly sophisticated nation-state attacks and physical threats where full mitigation is impractical.
Budget Summary
| Phase | Cost |
|---|---|
| Immediate (Week 1-2) | $1M |
| 30-Day Actions | $2.1M |
| 90-Day Actions | $5M |
| Year 1-2 Long-Term | $17M |
| Ongoing Annual (Security Ops) | $2M |
| First-Year Total | $10.1M |
| Two-Year Total | $27.1M |
ROI Analysis:
A mass terminal attack (Viasat-style) would cost $350M+. The terminal security mitigations cost $500K immediate plus ongoing costs. ROI is clear even at low attack probability.
SOC ransomware would cost $70-120M. The mitigation investment of $2.5M over 90 days provides strong protection. Even a 5% annual attack probability justifies the investment.
Total security investment of $27M over two years protects against potential losses of $500M+ for the most likely attack scenarios.
Key Findings Summary
| Finding | Implication |
|---|---|
| Ground segment is the weakest link | Most attacks don’t require space capabilities; ground/terminal compromise sufficient |
| Viasat attack pattern directly applicable | Terminal management security requires immediate attention |
| Network segmentation gaps are critical | SOC compromise enables catastrophic outcomes |
| Satellite firmware cannot be easily patched | Prevention more important than response for space segment |
| Nation-state threats are real but manageable | Focus on non-kinetic nation-state threats; accept kinetic risk with design mitigations |
Unique Satellite Considerations
This threat model highlighted several concerns unique to space systems:
| Consideration | Implication for Threat Modeling |
|---|---|
| Irreversibility | Satellite damage/loss is permanent; prevention emphasis critical |
| Long timelines | Security decisions made today affect assets for 15+ years |
| RF attack surface | Jamming and spoofing threats have no IT equivalent |
| Geographic distribution | Ground stations in multiple jurisdictions with varying security |
| Constellation interdependence | ISL compromise could propagate across constellation |
| Launch windows | Replacement satellites can’t be deployed instantly |
| Limited bandwidth | Security controls must work within severe bandwidth constraints |
| Regulatory obligations | FCC, ITU, ITAR requirements constrain some security options |
Appendix: Comparison with Healthcare Threat Model
| Dimension | Healthcare (Part 3) | Satellite Infrastructure |
|---|---|---|
| Primary asset | PHI (data) | Command and control (capability) |
| Irreversibility | Data breach recoverable (with difficulty) | Satellite loss permanent |
| Attacker sophistication | Script kiddie through targeted | Includes nation-state kinetic |
| Physical attack surface | Limited (facilities) | Extensive (ground stations, terminals, RF) |
| Regulatory focus | HIPAA (privacy) | FCC/ITU (interference), ITAR (export) |
| Recovery options | Restore from backup, rebuild | Launch replacement, manage constellation |
| Time sensitivity | Breach notification timelines | Orbital mechanics, fuel constraints |
Both threat models use PASTA methodology but highlight how domain context shapes threat analysis. The healthcare model focuses heavily on data protection and privacy. The satellite model focuses on command integrity and availability because the consequences of losing satellite control are more severe and irreversible than data breach.
Part 3b Complete | Satellite Infrastructure Threat Model