Threats to the space vehicle (SV) itself are in all cases a threat to the SV itself and likely to disrupt the mission of that SV as well. Threats to mission on the other hand have little to do with the type of SV the mission is being conducted from and are likely to be more specific to aspects of the mission itself and the onboard components of the SV utilized to carry out that mission. This means that threats to mission are as diverse and numerous as there are types of missions that can be executed aboard SVs in space. Despite a threat to the SV posing a subsequent threat to the mission of the SV, I am covering them differently because a cyber attack might target the SV on the whole or the mission specifically. An effect that goes after a mission and not the SV will be potentially tailored to surgically and perhaps surreptitiously impact the mission itself.
On the other hand, a threat to mission or even a partially realized threat to the SV may make the mission impossible to carry out or all together useless. Cyber attacks against the SV itself in an effort to deny, degrade, disrupt, destroy, or otherwise impede the SV would almost certainly be noticeable by the operators of that space system. Cyber attacks seeking to affect the mission by realizing threats which are specific to that mission may be much more surreptitious in nature and not realized by those operating the SV for long periods of time following the attack, if ever.
Cyber and Safeguards
Before we get into the specific missions and their related threats, I would like to take a quick moment to cover some of the onboard safeguards that many SVs including LEO smallsats may have on-board. I want to do so because those somewhat or very familiar with space systems, after reading Chapter 5, “Threats to the Vehicle,” might argue that many of these cyber attacks aimed at such threats would be mitigated or nullified by already present and non-cyber-specific safeguards.
Unfortunately, most cyber attacks aimed at realizing both threats to the vehicle and threats to the mission will likely be carried out by well-resourced well-informed attackers who will be able to use their access to the space system to not only realize such threats but prevent organic mitigations from being triggered or manifesting themselves. I will cover a few of the more predominant ones, but hopefully the trend and pattern that would be iterated following the placement of an attack effect on a SV becomes obvious.
Watchdogs
Watchdogs are scripts or code that are triggered by various situational characteristics of the spacecraft to invoke a feature that will attempt to automatically solve whatever issue it was that triggered the watchdog. One example of a trigger and solution that a watchdog might involve could be a navigation issue where the onboard GPS of the satellite is failing to work properly. Without the ability to point accurately toward a ground station or a mission target, the SV would essentially be dead in the water.
In such a scenario, we would want the satellite to behave on its own in a way which might overcome the challenge of a defective or disabled GPS chip. Therefore, if after so long without an ability to read appropriate data from a GPS chip, a SV may have watchdog code that forces it to start relying on some other form of pointing such as a star tracker or solar sensor. This way there is a chance the vehicle will be able to point back to a ground station and provide the operators of the space system with the information necessary to potentially fix or mitigate the broken GPS.
As an attacker, this means that any attack against navigation of a SV must also account for the watchdogs that may be in place to try and save the SV from such an issue. If the cyber attacker were only an insider executing commands from a ground station to disrupt the GPS, a watchdog may take over at some point and the operators of the space system may be able to regain control of the SV. On the other hand, if a cyber attacker gained some access and privilege on board the SV’s computers themselves, outside of normal tasking, such watchdogs could be disabled. This could happen in a few ways. The attacker may delete the watchdog, change its trigger mechanism or threshold, or even alter the course of action taken by watchdog code.
Gold Copies
Gold copies are a copies of the operating system or settings for the SV that are stored on board and allow the return to a known good configuration in cases of catastrophic failure of installed software or other software-based issues. In this way a gold image is a way to revert the SV to a known good state in the event of an issue. SVs may revert upon issuing of a command from an operator via a ground station or at the direction of something like a watchdog script. This means that nearly any software attack against a SV could be overcome as long as the operator or a watchdog tasked the vehicle to re-install operating systems and settings off a gold copy.
This again disrupts a simple insider threat where a malicious space system operator tries to execute commands that are unhealthy to the SV. If caught by another operator or triggering a watchdog, the gold image will be re-installed and normal SV function reinstated. An attacker with an ability to execute operating system commands on board the SV, though, could use such access to overwrite a copy of the gold image with one which contained malicious code allowing for access to be regained or even kill the SV upon rolling back to a gold image.
Fallback Encryption
Fallback encryption is essentially just a gold image for encryption keys. In some cases, such keys are potentially less secure or they are just pre-programmed backup options that are used in failure recover situations based on predetermined logic. Such logic likely involves a certain number of unsuccessful communication attempts from a ground station where the satellite assumes something has happened to the current key and will then try with a fallback option. This safeguard prevents an attacker from preventing communications if they were to manipulate the key in memory on the device as upon enough failed communications attempt, the SV would rotate to a key the ground station is also prepared to fall back to.
Once again, if a malicious cyber actor has access to execute actual commands on the SV operating system, fallback encryption keys can be deleted or worse changed. If current and fallback keys are deleted, the SV simply becomes unresponsive, but at least the space system operators would know something was amiss. In a scarier scenario, an attacker could overwrite existing and fallback encryption keys with something only they knew, and now any time the SV passes over a ground station owned by the attacker, they are able to operate it as their own, to include pulling down any existing intelligence such as payload data like pictures or signal captures.
Resource Limits
Resource limits are hard-coded values in the operating system of the SV that support the ongoing operation of the space system and are also intended to prolong its longevity. Resource budgets constrain things like power usage and other executions on board the spacecraft in an effort to preserve battery life or make more effective use of limited power budgets.
An attacker with the proper access could simply alter these values, making the SV susceptible to self-inflicted damage, or write values so miniscule that the SV no longer allows itself to function. An attacker could also perform less sophisticated attacks against the SV by issuing it normal commands in a repetitive or nonintuitive manner that could consistently cause the SV to hit resource limits which might cause watchdogs to execute extremely often and hamper SV operation.
Sensing Missions
Now we will get on to the meat of the chapter where we discuss various missions of SVs and how those missions are uniquely threatened by normal happenstance of space system operations as well as purposeful malicious cyber operations. Sensing missions are those SV payload missions which receive or sense something about the area of interest.
In my book Waging Cyber War (Apress, 2019), I discuss at length cyber attacks and their anatomy. What is important to draw from that literature is the discussion of the two types of cyber attacks which manipulate an enemy sensor system. There are attacks that alter the human user perception and there are those that alter the sensor perception. When the human perception is altered by a cyber attack, it means that the sensor still collected or observed whatever it was supposed to in the correct fashion but that the data being sent back to the human does not accurately reflect what the sensor saw. A cyber attack against the sensor perception is one which alters the ability of the sensor to see what it is supposed to. In this instance, the human user may notice that something is going on with the sensor and be more suspicious of the data than if the sensor was operating normally but sending the user false information.
Radio Signal
One type of sensing mission on board a SV would be one that listened for radio signals and recorded certain data based on that mission. Though radio signals run the gamut of frequencies, a sensing mission could be tailored to one specifically at all times or several over a course of time thanks in no small part to the digitization of the equipment used like software defined radios.
Non-cyber Threat to Mission
A non-cyber threat to a radio signal sensing mission on board a SV is unexpected emanations from the SV itself. Without appropriate testing in something like an anechoic chamber with all of the components turned on, the operators would not know that once in space, the vehicle itself would put out such strong signal pollution that it would impact the ability of the sensing payload to accurately do its job. Emanation issues could also come when vibrations during launch shift some of the components or even slightly unseat a fastener or screw on board. This could lead to signals that would otherwise remain trapped within the SV leaking out and polluting the spectrum around the sensing payload.
Cyber Threat to Mission
Malicious cyber actors are probably the second most happy individuals regarding the digitization of things like radios as the space system operators themselves. With access gained via a cyber attack, an attacker could simply alter the filtering or frequency settings on board the SV such that the sensing mission can no longer be accomplished. The attacker could even make the SV think it still had the correct settings but still impede the software defined radio’s ability to recognize signals appropriately. In this situation the SV is still operating seemingly normally, but its mission payload is unable to perform its functions. In a scarier situation, the cyber attacker could also start altering the files storing signal recordings themselves so that when they are downloaded by the space system operators, they show whatever the attacker wants.
Terrestrial Photo-Imagery
Terrestrial photo-imagery is a pretty self-explanatory type of sensing mission on board a SV. This payload is going to use cameras to take pictures of things within an area of interest on Earth. It is important to keep even things like cameras on board a SV as being a sensor and attackable in all the ways a sensor is.
Non-cyber Threat to Mission
There is a common occurrence in the operation of a photo-imagery in space for long durations at a time, especially a cheaper one. Small satellites with imaging capabilities, sometimes even something as simple as a GoPro camera, will after a time in space produce yellowing images. After longer durations of exposure to the constant radiation and light from our sun, such sensors can become almost blind, producing images that are almost unrecognizable from those that were taken when the mission began years earlier.
Cyber Threat to Mission
A cyber attack could produce almost an identical issue with imaging if the attacker intended to do so. Once interactively accessing the SV, an attacker could simply skew the color properties of images already captured and stored on the SV’s hard drive, waiting to be offloaded, such that they looked to be yellowed as if by a sun-damaged camera. This is a rather meaningless attack against an imagery mission from a cyber perspective though because there are many more potential ways to impact a photo-imagery mission such as changing the way the camera thinks it is supposed to focus so it can no longer take clear pictures.
Terrestrial Thermal Imagery
Terrestrial thermal imagery is a similar mission set to photo-imagery where the mission payload is a sensor intent on capturing an image of something within an area of interest on Earth. The difference is that instead of visual imagery, it is capturing varied heat sensing from the area of interest to generate a thermal image of something or somewhere on Earth.
Non-cyber Threat to Mission
Something as sensitive as thermal imagery can actually suffer non-cyber threats from something as uncontrollable and hard to mitigate as a wildfire. Thick hot smoke and raging flames could prevent something like a thermal imager from detecting something beneath the ground or on it. Imagine a satellite trying to capture heat signatures of people in an area. Wildfires within the area of interest would not only be a threat to those people’s lives but also prevent such a mission payload from being useful for the duration of the fire or fires.
Cyber Threat to Mission
In the case of thermal imaging payloads, taking them out of focus would be done in a different way but essentially introduce the same issue to the SV’s payload as it did with a camera payload. Where a camera with malicious code ran by an attacker can’t focus on certain areas or at all, the thermal payload can be similarly impacted. If an attacker were able to alter filters and the way the sensor perceived temperature and ultimately output it to a thermal image, all sorts of things could be manipulated. Carrying on the human detection mission of such a thermal payload, an attacker could make anything between 95 and 102 degrees Fahrenheit show up in the same thermal color on the resulting output image as what the ground typically is for a given time of day. In this way the sensor is still capturing the heat signature of humans on the ground, but the output seen by the space system operators would show empty areas of ground.
Terrestrial Monitoring
Where image-based sensing payloads are attempting to sense snapshots in time as the satellite passes over certain areas of interest on the Earth’s surface, a monitoring payload is instead sensing all the time looking for a triggering event to then record the related data. As onboard computing and storage capabilities continue to evolve with time and given a persistent enough tasking and mission capability, there will eventually be space systems where terrestrial monitoring is almost a constant feed of a field of view or focused area of the Earth’s surface.
Non-cyber Threat to Mission
Where such a monitoring sensor payload was running a mission to record video imagery of the Earth’s surface, natural phenomena such as weather or fallout from volcanic eruptions would hinder the ability of the mission to be successful as normal photo-imagery recordings would not have the ability to view the Earth’s surface below dense cloud cover or smoke. Terrestrial monitoring might also actually be for the purpose of identifying and monitoring different weather phenomena such as real-time tracking of things like hurricanes or tsunamis across the Earth’s oceans.
Cyber Threat to Mission
Imagining a terrestrial-based space photo sensor for monitoring purpose like a giant security camera faced at the Earth, it is easy to understand the ways in which an attacker may attempt to disrupt this specific mission. An attacker could prevent the feed or video recordings from being sent down to ground stations and consumed by the space system users by having the camera output sent to a non-existent location on the SV operating system file table so that it is actually never written anywhere in nonvolatile memory like the hard drive. More sophisticated would be an attack where older imagery collection is written over more current collection at certain points to hide ground activity and make it look like something is or is not happening despite what is actually transpiring within the area being monitored.
Space Monitoring
Space monitoring shares similar characteristics with terrestrial monitoring in that it is more than just a single snapshot collected but rather recordings or ultimately a stream of information sensed from a target area out in space.
Non-cyber Threat to Mission
Such space monitoring systems face threats from other elements out in space that would pollute or confuse the sensor doing the recording. One example might be a satellite aimed at a binary pulsar, reading the flashes of radiation from that system as a way to tell time and frame other images and the like in outer space. Any event which overpowers the regular signal being transmitted by the pulsar has the potential to disrupt the time keeping of the sensor and thus impact that SV’s mission. The same goes for a sensor potentially faced at the sun monitoring solar flares and other dangerous emissions from our nearest star to attempt to give warning and time for protective measures of terrestrial electronics and infrastructure. Stronger radiation bursts from further out in space would have the potential to impact readings around the time of the event or, as discussed earlier, even damage to sensor or SV due to high radiation exposure.
Cyber Threat to Mission
A cyber attack against such a monitoring sensor could either change triggers in the sensor that cause it to record events like solar flares or again attack the data at rest postrecording while it is stored on the SV. An attack like this might mean significant events out in space are missed or false positives become so numerous the mission cannot be run. In more warlike terms, such a cyber attack might be against a satellite used to detect jamming or other signals from other SVs orbiting the Earth. A cyber attack that impacted the sensor or data dissemination of sensed data from such SVs would mean that the space system operators might be blind to other nefarious acts such as jamming or other signal emissions out in space.
Space Imaging
Space imaging is one last type of sensing payload with specific threats. It is similar to the thermal and photo-imagery sensor payloads facing the Earth except that the threats faced are often space based and not necessarily originating from Earth.
Non-cyber Threat to Mission
The perfect example of a non-cyber threat to such a system is what happened with the Hubble Space Telescope where uncalibrated imagery equipment like a lens is misconfigured or improperly fabricated on Earth, and once it makes it into space, it becomes readily apparent that it will not be able to perform its mission. Famously, the Hubble telescope was put into orbit around the Earth with a lens that was unable to focus on the areas of interest it was intended to image, and an astronaut mission had to be launched to deploy corrective equipment to the device in an effort to preserve the mission. It was successful and to this day the Hubble telescope still images the stars as intended.
Cyber Threat to Mission
For complex missions on board space-based imaging systems like Hubble, if a malicious attacker were able to alter its ability to focus properly or identify locations properly it would be next to useless. Altering the way such a device processed target location inputs to flip bits and make it take long exposures of unintended targets or altering the way exterior light sources are filtered to get appropriate images would almost entirely impede the space imaging mission of such a payload.
Emitting Missions
Emitting payloads are those which send signals instead of collecting them in the form of radio or light waves. Something unique to emitting missions over the sensing counterpart is that it often takes more energy to send a signal than to receive it, and as such SVs with emitting missions are potentially more constrained by power budgets or have greater impact to system design to support adequate power production and storage.
Positioning
The first type of emitting payload we will discuss is one known by many which is a positioning payload. SVs that provide the North American GPS signal, European Galileo signal, Russian GLONASS, or Chinese BeiDou positioning signals are all emitter payloads which provide positioning signals to receivers which can view enough of them to provide good triangulation and location data.
Non-cyber Threat to Mission
A non-cyber threat to positioning satellites could be anything that prohibits enough of them being available and broadcasting in the field of view of a receiver to provide strong enough and numerous enough signals to enable triangulation. It requires at least three and often more points of reference (which are the satellites) to allow for a receiver to determine its relative location. Such an issue could be from one or more of the satellites being disabled by any number of the space based threats or simply that the receiver has moved too close to the edge of the positioning constellation footprint on Earth to reliably and continuously get a location determination. For instance, in Northeastern Russia, a GPS receiver may be able to at times determine a location based on triangulating off the GPS constellation which has an intended area of focus over North America. However, if it travels further away from that intended area of persistence for the GPS signals, it may less and less often get adequate signal strength or numbers to perform geolocation.
Cyber Threat to Mission
Worse than the failures discussed earlier and the threat they pose to positioning systems in space, malicious adversaries launching cyber attacks can do something far more dangerous. Where non-cyber threats typically make positioning emitters unavailable or unusable, a cyber attack could make them provide false data. Triangulation off of multiple SVs in a positioning payload constellation is what is used for a receiver to determine location. If the SVs have incorrect data on their own position, there is no way for accurate triangulation and any position information would be off. Worse yet would be an attack where incorrect data is manipulated with a purpose, say over a shipping lane, and causes many commercial and military vessels to run into each other or aground.
Jamming
Another example of an emitting payload is one we have touched on already in a jammer. A SV with this sort of payload emitter is attempting to impede the communications of another SV or even ground-based system. The reason for jamming could be to stop the detection of something or communications or to prevent certain weapon systems from being able to locate their intended target.
Non-cyber Threat to Mission
In a non-cyber sense, the greatest threat to successful jamming of another receiver by an emitting payload is that once jamming begins, the target can take steps to mitigate the jamming and potentially continue to operate as needed. Jamming can either be omnidirectional or directional. When the jamming signal is omnidirectional, it is not going to be as strong, and moving over the horizon or simply further away from the jamming source could allow a receiver to operate and be a threat to the jamming mission. When directional, the signal is stronger but still moving out of line of sight of the directional jamming will probably allow the receiver to function. Lastly, simply overpowering the jamming signal with a stronger send signal in a communications stream might allow for the jamming to be inadequate.
Cyber Threat to Mission
A cyber attack that alters onboard code to pose a threat to a jamming mission will do so in a similar fashion to the signal sensing mission payloads’ threats. With a dependence on software defined radios to operate, jamming payloads are just as susceptible to having their settings altered by an attacker. Utilizing a software defined radio to send jamming signals means that a single satellite payload could be modified at any given time to jam a diverse set of signals. This same fact means that an attack could slightly alter the jamming signal such that the jamming is essentially ineffective against the target. This is also a scenario where the operators of the jamming payload are unlikely to be able to verify easily whether or not their jamming is effective and may waste long periods of mission payload life span thinking they are jamming their target when they are not.
Communication Missions
Communication payloads come in two typical forms but are largely different than what communications may be assumed to be. The satellite communicates in a potentially bidirectional fashion with ground stations during operation. In this sense it receives communications that give the SV tasking for flight operations for the bus or mission operations for the payload. In response the SV will communicate down payload data to be consumed by the customers of the space system operator once on the ground. This two-way communication relationship is not a mission itself though and more a function of the SV.
Broadcast
One of the two mission types for communication is a broadcast payload. In this mission, the SV receives tasking or a communications stream from the ground station of the space system operators, but the resulting outbound communication is either for all or some SVs within signal view or a large area of interest on the ground.
Non-cyber Threat to Mission
One example of such a payload would be satellite radio. In this mission there is a radio signal sent from an Earth ground station to the SV, and it sends the same signal down to a wide area, for example, North America, so that any satellite radio receivers within the area can receive the signal and output the music. This is very similar to how GPS satellites send their GPS positioning data signal out to entire areas of North America to allow for positioning across the continent. Threats to this type of payload are going to be any non-cyber issue that prevents the satellite from receiving the signal from the ground or sending it back out to the area of interest where customers have their receivers. This type of mission payload is different from many others as it does not require much mission processing or activity on board the SV besides what is required to provide the one-to-many medium for the satellite radio signal.
Cyber Threat to Mission
Similar to how a cyber attack against GPS satellites involved having improper data for positioning so that receivers deduced incorrect location, an attack against a broadcast communications satellite can also leverage receiver-specific actions via the cyber domain. An attacker with access to the satellite operating system could broadcast at any given interval an unsubscribe signal to all radio receivers where they think they are inactive due to their owner failing to pay. If this is achieved with enough frequency, all users of the satellite radio signal would not be able to listen to their radios, and the mission payload for those satellites would be essentially nonfunctioning as far as its consumers were concerned. Both satellite radio payloads and even satellite television payloads could also be abused by a cyber attack to spread disinformation, potentially causing panic in a country by saying cities were being nuked or otherwise destroyed or attacked.
Pipe
Where the broadcast communication payload is a one to many, a communication pipe payload is a pass-through communication mission. This is the typical mission of communications satellites where they provide a satellite hop for a line of communications between two points on Earth. This is beneficial where undersea cables are not available to interconnect distant landmasses or even as fallbacks to such communication mediums.
Non-cyber Threat to Mission
Similar to the other communication payload, any non-cyber threat that prevents the satellite from communicating with the intended ground stations it is acting as a pipe between will prevent the communication mission from being successful. Where in a broadcast mission, a receiver has to be within the area of emission from the transmitter to be useful, a pipe payload requires both ground stations it is allowing communication between to be in view at all times. This means either a high orbiting satellite with a wide field of view or a mesh of satellites that the pipes allow the signal to traverse across to be effective.
Cyber Threat to Mission
This pipe communication payload is essentially a routing device between two satellite ground station communications where it receives bidirectional signals from both to enable communication between them. An attacker with access to the satellite could certainly prevent such actions by altering any number of attributes of the SV. On the other hand, the attacker could also have the communications between the two parties also sent off to a third malicious ground station and allow for that attacking party to eavesdrop. Short of noticing this change in settings on board the satellite, it would also be extremely difficult if not impossible for the space system operators on the ground to notice that their communication pipe had a purposeful leak.
Weapon Missions
Weapon missions for systems that include a SV may seem like it is closer to science fiction than reality, but it is a fast-approaching fact that the space domain will be increasingly weaponized. There are essentially two kinds of weapon missions for space systems—those which traverse space but begin and end their mission terrestrially. The classic example here would be the intercontinental ballistic missile (ICBM), and the new age example would be hypersonic weapons. Where an ICBM launches from a point on Earth, enters the space domain, and then returns, a hypersonic weapon may orbit multiple times before returning to Earth and striking a target.
There are also weapon systems which are space resident and target terrestrial targets as well as space systems with SVs weaponized against other space systems. Historically the latter two examples, with the weapon on board, would be jammers, which are a part of the electronic warfare class of warfighting activities. It is important to note that kinetic in nature or not, weapons capable of carrying out warfighting activities which are based in space or pass through it will increasingly be the target of cyber attacks as will all systems. The fact that they spend part of all of their life cycle in space means that at least some of the time, physical intervention to prevent the results of a cyber attack against such a system may be impossible.
Non-cyber Threat to Mission
The easy example of a threat to a space system that has the mission of performing a warfighting action, thus making it a weapon, would be an interceptor which stops and destroys the weapon before it completes its mission. Almost simultaneous to the development of ICBMs was the development of weapon systems that can strike them along their course of flight between launch and target. Other types of weapons have threats of their own; as we have already discussed, jammers can become ineffective due to anti-jam technologies, and any weapon, kinetic or electronic, which is based on an orbital SV is at risk of being targeted by other space-based or terrestrial kinetic systems.
Cyber Threat to Mission
Similar to how a kinetic effect like an anti-satellite missile would end the weapon payload mission aboard a satellite, so too would any cyber attack which went after the vehicle itself and did not focus on the mission. Scarier is a weapon system payload on a satellite or other SVs where the attacker has leveraged onboard controls to alter targeting and launch and locked out other ground-based entities from preventing such actions. In this scenario, a malicious cyber attack could launch warfighting capabilities against the will of the owning nation and at another, in essence carrying out what would be perceived as an act of war and having far-reaching repercussions.
Life Support
What was once a unique mission to organizations like NASA and its foreign counterparts, human life in space is now in the hands of private corporations providing space tourism services. Where there were government liable, tested and evaluated space shuttles, and a space station, there will now also be corporately and potentially privately owned spacecraft responsible for safeguarding human life.
Non-cyber Threat to Mission
Tragic examples of death on board SVs are readily available from history and range in cause from launch issues, reentry issues, and the plethora of challenges the space environment presents. What is somewhat unique to space systems with a human life payload mission is the requirement to bring that payload back to Earth in exactly the same state as it left the planet. Some weapon payloads of space systems that return to Earth do not intend to preserve the SV upon the end of the mission. A space shuttle on the other hand or space tourism vehicle must return to the Earth as they left it, intact and with live humans aboard. These examples range from a space shuttle and all aboard destroyed during launch to a cosmonaut killed on reentry into Earth’s atmosphere or the deaths of those cosmonauts who were the only to die in space when their SV decompressed.
Cyber Threat to Mission
All of the non-cyber examples were due to a failure of a physical system responsible for preventing catastrophe. The truly terrifying thing about both the digitization of space systems and the burgeoning space tourism industry is that all those computing devices responsible for keeping people alive aboard SVs and returning them safely to Earth are a potential threat for those lives as well if a cyber attack compromises one or multiple systems on a SV. Science fiction is rife with examples of spaceship computers being turned against the crew in one way or another, and we are approaching a time where that could be a possibility and should be addressed sooner or later by cybersecurity and space professionals together.
Other Mission Threats
Where all previous examples so far in this chapter have focused on how the mission payload itself can be at risk to cyber and non-cyber threats, there are also several mission agnostic threats that would impact the ability of the mission payload to be successful without necessarily impacting the operational life span of the SV.
Watchdog Abuse
We have already discussed watchdogs and their purpose in automatically helping a SV recover or respond to threats. A cyber attack which elicits watchdog responses at a rate that will prevent a payload mission from being conducted would be easy to accomplish with the right access to the SV. Continuously triggering the operating system to be re-installed on the flight computer will not prevent it from being able to at times communicate with the ground or perform some flight functionality but may prevent a mission from being able to gain information or positioning necessary to execute.
Bus/Payload Communications
The communications between the bus and payload of the SV are also a potential threat to the mission payload itself, regardless of the mission type, and also do not pose a threat to the bus and its flight computer and hardware. Any issue, cyber-induced or non-cyber in nature, that prevents communications between or through the bus from the payload would mean that even if the payload mission was executing as intended, the data from that mission may never make it down to Earth to be consumed by the space system operators or their customers. This would effectively negate the ability of the mission to be carried out for most of the missions discussed so far.
Conclusion
This chapter has covered a long list of missions run by space systems and shown that there are threats to missions that are specific to their payload hardware and software. There are non-cyber threats to missions and one or many ways a malicious cyber actor with the right access could also attack the mission capability. The key takeaway from this chapter is that essentially any mission type can be affected by cyber attacks and that for each threat posed to a SV mission, there is a way to induce similar effects via the cyber domain to these space domain systems.