Characterizing Cyber Attacks against Space Infrastructures with Missing Data: Framework and Case Study

TL;DR

This paper proposes a framework to analyze and characterize cyber attacks on space infrastructures using incomplete data, extrapolating missing information to reconstruct plausible attack sequences and improve cybersecurity understanding.

Contribution

It introduces a novel framework combining metrics and methodologies like SPARTA and ATT&CK to address missing data in space cybersecurity incident analysis.

Findings

Cyber attacks on space infrastructures are becoming more sophisticated.

Protecting the link between space and user segments could prevent nearly half of the attacks.

The framework extrapolated 6,206 attack techniques from limited data.

Abstract

Cybersecurity of space infrastructures is an emerging topic, despite space-related cybersecurity incidents occurring as early as 1977 (i.e., hijacking of a satellite transmission signal). There is no single dataset that documents cyber attacks against space infrastructures that have occurred in the past; instead, these incidents are often scattered in media reports while missing many details, which we dub the missing-data problem. Nevertheless, even ``low-quality'' datasets containing such reports would be extremely valuable because of the dearth of space cybersecurity data and the sensitivity of space infrastructures which are often restricted from disclosure by governments. This prompts a research question: How can we characterize real-world cyber attacks against space infrastructures? In this paper, we address the problem by proposing a framework, including metrics, while also addressing the missing-data problem by leveraging methodologies such as the Space Attack Research and Tactic Analysis (SPARTA) and the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) to ``extrapolate'' the missing data in a principled fashion. We show how the extrapolated data can be used to reconstruct ``hypothetical but plausible'' space cyber kill chains and space cyber attack campaigns that have occurred in practice. To show the usefulness of the framework, we extract data for 108 cyber attacks against space infrastructures and show how to extrapolate this ``low-quality'' dataset containing missing information to derive 6,206 attack technique-level space cyber kill chains. Our findings include: cyber attacks against space infrastructures are getting increasingly sophisticated; successful protection of the link segment between the space and user segments could have thwarted nearly half of the 108 attacks. We will make our dataset available.