Cybersecurity Risk Assessment for CubeSat Missions: Adapting Established Frameworks for Resource-Constrained Environments

TL;DR

This paper develops a tailored cybersecurity risk assessment framework for resource-limited CubeSat missions, introducing novel heuristics and paradigms to improve security while respecting power and connectivity constraints.

Contribution

It adapts existing enterprise security frameworks to CubeSats by creating a lightweight, context-specific assessment method with innovative constructs like SpW and DSP.

Findings

Risks mainly concentrate in communication and ground segments.

Adapted controls increase security efficiency by up to 2.7 times.

Distributed incident response improves security performance within resource constraints.

Abstract

CubeSats have democratised access to space for universities, start-ups and emerging space nations, but the same design decisions that reduce cost and complexity introduce distinctive cybersecurity risks. Existing risk assessment frameworksNIST SP 800-37/53 [1, 2], ISO/IEC 27001/27005 [3, 4] and supply-chain guidance such as NIST SP 800-161 [5]assume abundant computational resources, centralised monitoring and mature governance structures that do not hold for power-limited, intermittently connected CubeSat missions. This paper develops a contextually appropriate risk assessment framework tailored to CubeSat environments, grounded in a 42-entry vulnerability register coded using STRIDE [6], MITRE ATT&CK [7] and CVSS v3.1 [8]. The register reveals that risks concentrate in communication and ground segments (mean CVSS 8.08.2) rather than distributing uniformly across subsystems. The framework introduces two constructs: a Security-per-Watt (SpW) heuristic that quantities security benefit per unit power, and a Distributed Security Paradigm (DSP) that reconceptualises incident response as an autonomous, constellation-level function rather than a purely ground-centric process. Scenario-based analysis demonstrates that adapted controls and distributed incident handling can achieve up to 2.7X higher SpW for cryptographic choices and 1.98X higher SpW for incident-response strategies compared with naive terrestrial transpositions, while remaining feasible for typical CubeSat power and governance constraints. The approach provides mission designers, operators and regulators with proportionate, auditable guidance, and offers a reusable pattern for adapting enterprise security frameworks to other severely constrained cyber-physical systems.