Safety and Security Risk Mitigation in Satellite Missions via Attack-Fault-Defense Trees
Reza Soltani, Pablo Diale, Milan Lopuhaä-Zwakenberg, Mariëlle Stoelinga
TL;DR
The paper tackles the challenge of jointly managing safety, security, and defense risks in complex cyber-physical satellite systems. It introduces Attack-Fault-Defense Trees (AFDT) as a unified modeling framework that combines fault trees, attack trees, and defender countermeasures to enable holistic risk analysis. The authors apply AFDT to Ascentio's Ground Segment as a Service (GSaaS) platform, identifying failure pathways in telecommand/telemetry and mapping them to defenses, with both qualitative Minimal Cut Set analysis and defense effectiveness evaluation. The study demonstrates that a joint analysis of attacks, failures, and defenses enhances resilience and provides actionable guidance for risk mitigation in cloud-based ground infrastructures for satellite missions.
Abstract
Cyber-physical systems, such as self-driving cars or digitized electrical grids, often involve complex interactions between security, safety, and defense. Proper risk management strategies must account for these three critical domains and their interaction because the failure to address one domain can exacerbate risks in the others, leading to cascading effects that compromise the overall system resilience. This work presents a case study from Ascentio Technologies, a mission-critical system company in Argentina specializing in aerospace, where the interplay between safety, security, and defenses is critical for ensuring the resilience and reliability of their systems. The main focus will be on the Ground Segment for the satellite project currently developed by the company. Analyzing safety, security, and defense mechanisms together in the Ground Segment of a satellite project is crucial because these domains are deeply interconnected--for instance, a security breach could disable critical safety functions, or a safety failure could create opportunities for attackers to exploit vulnerabilities, amplifying the risks to the entire system. This paper showcases the application of the Attack-Fault-Defense Tree (AFDT) framework, which integrates attack trees, fault trees, and defense mechanisms into a unified model. AFDT provides an intuitive visual language that facilitates interdisciplinary collaboration, enabling experts from various fields to better assess system vulnerabilities and defenses. By applying AFDT to the Ground Segment of the satellite project, we demonstrate how qualitative analyses can be performed to identify weaknesses and enhance the overall system's security and safety. This case highlights the importance of jointly analyzing attacks, faults, and defenses to improve resilience in complex cyber-physical environments.