Understanding Space-Cyber Threats with the SPARTA Matrix

The Space Attack Research and Tactic Analysis (SPARTA) matrix serves to ensure the space-cyber community is empowered to continually educate engineers and system defenders so they can overcome the unique cyber-threats they face in the domain.
AdobeStock_243112971,_Security global network.jpeg

Cybersecurity matrices serve as robust resources of collective knowledge that have benefited many security professionals to better understand Tactic, Techniques, and Procedures (TTP). The Aerospace Corporation developed SPARTA to help developers and network defenders alike to understand the types of space-cyber TTPs they need to be resilient against.

While matrices like MITRE ATT&CK have become effective industry standards for cyber threats, there remained a gap to address challenges emerging in the space environment.  SPARTA serves to ensure the space-cyber community is empowered to continually educate engineers and system defenders so they can overcome the unique cyber-threats they face in the domain.

To best utilize the matrix, it is important to understand what TTPs are:

Tactics: Represent the “why” of a SPARTA technique or sub-technique. It is the threat actor’s tactical goal and the reason they are performing a technique. For example, a threat actor may want to achieve initial access on a spacecraft via cyber means.

Techniques: Represent “how” a threat actor achieves a tactical goal by performing a threat action. For example, a threat actor may exploit trusted relationships to achieve initial access.

Sub-techniques: Represent a variation or more specific instance of the threat actor’s behavior used to achieve a goal. Sub-techniques typically describe behavior at a lower level than a technique and are considered children of the parent technique. For example, a threat actor may compromise mission collaborators (academia, international, etc.) to achieve their initial access.

Procedures: Represent specific implementation the threat actor uses for techniques or sub-techniques. Procedures are the step-by-step descriptions of how the threat actor plans to go about achieving their purpose. It details how the general techniques/sub-techniques will be carried out.

SPARTA intends to document the “art of the possible” as it relates to TTPs that could be used on spacecraft, and will continually evolve as new TTPs are identified.

The matrix aims to aggregate unclassified research from academia, Federally Funded Research, and Development Centers (FFRDCs), and space-cyber professionals into a single pane of glass to better educate the space community on TTPs while also identifying associated countermeasures. Aerospace's goal is to document these TTPs so that spacecraft developers understand how threat actors could attempt to attack their spacecraft. SPARTA can be used as the basis for testing the efficacy of security solutions in the development environments, ground systems, and on-board the spacecraft. SPARTA can also serve as the common taxonomy for both offense and defense operations to communicate space-related TTPs.

While SPARTA focuses on the spacecraft, there are likely “pre-SPARTA” TTPs that an adversary may use to position themselves to execute SPARTA-defined TTPs. Space system engineers and developers who build and defend the system-of-systems will ultimately have to understand multiple cybersecurity matrices — SPARTA, MITRE ATT&CK for Enterprise, ICS, Microsoft Kubernetes matrix, etc. — and how threat actors can potentially leverage a variety of TTPs from each depending on their design.

Aerospace believes in defense-in-depth to secure space systems. However, the defenses must be threat-informed because offense is the best driver for defense. A space system’s ability to detect and stop a cyber-attack improves immensely by strong collaboration between offense and defense teams.

Many of the TTPs identified within SPARTA have been proven in laboratories, in on-orbit exercises, and/or capture-the-flag/hacking events; however, some are theoretical but within the realm of the possible given the technology and known capability of threat actors. Aerospace aspires to improve SPARTA through community participation and for SPARTA to become the industry standard taxonomy for the space-cyber tabletops as well as the defensive cyber operator teams to verify their capabilities.