Threat Vector–Hierarchical Attack Representation Model-Based Threat Modeling and Security Assessment for Satellite Networks

Abstract

The rapid expansion of satellite networks has enabled the widespread deployment of satellite-based services across various sectors. However, these networks often prioritize cost-effectiveness over security considerations, leading to inherent architectural vulnerabilities. The complex architecture, comprising heterogeneous devices, operating systems, and communication protocols, exacerbates security risks and broadens the attack surface. Attackers can exploit these threat vectors to compromise system availability and data integrity. Prior research has primarily focused on specific security improvements, providing limited comprehensive evaluations and systematic threat modeling. This study proposes a systematic approach for modeling and analyzing satellite network security. A security framework originally developed for traditional networks has been adapted for satellite environments. Utilizing the Threat Vector–Hierarchical Attack Representation Model (TV-HARM), this study comprehensively models and analyzes threat vectors and network security. Key attack paths are identified, and vulnerabilities are quantitatively assessed using three refined security metrics. The experimental results reveal residual threats despite existing security measures, underscoring the need for robust defense strategies. This study presents a systematic framework for evaluating satellite network security, demonstrating the applicability and effectiveness of the proposed methodologies. These findings contribute to enhanced threat mitigation strategies and the overall improvement of satellite network security by addressing critical vulnerabilities.

1. Introduction

Satellite networks have become an indispensable technology in modern society, leveraging low-Earth-orbit (LEO), medium-Earth-orbit (MEO), and geostationary-Earth-orbit (GEO) satellites to deliver diverse global services, including communications, exploration, navigation, and meteorological observations [1,2,3]. Compared with traditional terrestrial networks, satellite networks provide reliable connectivity over vast areas without requiring substantial ground station infrastructure or internet connectivity [4,5]. This capability enables global coverage and ensures effective operation in critical environments, such as disaster-stricken regions, thus overcoming geographical constraints. Additionally, the architecture of satellite networks, including inter-satellite links (ISLs) and data flows between ground stations, satellites, and users, facilitates communication services independent of the terrestrial infrastructure [6].

SpaceX’s Starlink exemplifies the potential of satellite networks [7]. Starlink deploys thousands of LEO satellites to provide high-speed internet to regions where traditional ground networks are unavailable. As of 2023, Starlink has expanded its services to over 60 countries, serving more than 2 million users worldwide. With an estimated investment exceeding USD 10 billion, this large-scale project highlights the commercial and technological significance of satellite networks [8]. However, this rapid expansion has simultaneously intensified security challenges, raising critical concerns regarding their cybersecurity [9,10].

Several incidents have exposed critical security vulnerabilities in satellite networks. In 2022, attackers compromised the ViaSat KA-SAT network by injecting malicious signals into modems and transmitting unauthorized commands to satellites [11]. This attack rendered over 5800 satellite communication modems inoperable, disrupting network operations across Ukraine and Europe. The Russia–Ukraine war underscored the strategic importance of satellite networks, demonstrating that these systems serve not only as communication infrastructures but also as critical assets in modern warfare [12]. Similarly, the 2020 Intelsat cyberattack exposed the susceptibility of satellite management systems to cyberthreats [13]. Malware-laden phishing emails compromised Intelsat’s management servers, resulting in service disruptions and unauthorized data exfiltration. Satellite networks exhibit distinct characteristics that differentiate them from terrestrial networks, significantly influencing their threat landscape and security requirements [5,14]. These networks comprise heterogeneous devices, diverse operating systems (OSs), and multiple communication protocols, creating a highly complex attack surface [1,4]. The space segment frequently relies on commercial off-the-shelf (COTS) components, which often lack timely security patches, making them prone to exploitation. Additionally, real-time operating systems (RTOSs), such as VxWorks, which are commonly deployed in satellite systems, contain vulnerabilities that attackers can exploit for targeted cyberattacks [15]. The user segment includes devices such as global navigation satellite systems (GNSSs) [16], Internet-of-Things (IoT) devices, and unmanned aerial vehicles (UAVs). These devices utilize various communication protocols, each with inherent vulnerabilities that attackers can exploit via routing attacks, malware injections, or data manipulation [17,18,19]. Consequently, satellite networks face an expanded attack surface and heightened security risks compared with traditional networks, necessitating advanced security strategies and a comprehensive defense approach [1,3].

Several studies have examined security vulnerabilities in satellite networks, analyzing security measures through empirical research. Various approaches, including hierarchical security models and AI-driven methodologies, have been explored to enhance satellite network protection and refine existing security frameworks [4,5,6]. Furthermore, research has identified vulnerabilities in satellite communication networks, focusing on the use of automated security analyzers to strengthen satellite communication interfaces [20]. However, several key challenges remain underexplored, including distributed attacks across multiple segments, vulnerability interdependencies, and the absence of standardized quantitative risk assessments. Although existing models provide valuable insights, they often fail to fully capture attack propagation between segments and the cascading impact of vulnerabilities. Moreover, most studies rely on qualitative assessments, limiting their capacity to systematically evaluate security risks and compare mitigation strategies. Additionally, much of the existing research focuses on satellite communication systems, leaving a gap in the broader satellite network security landscape. A structured security assessment framework is crucial for addressing these gaps and enhancing the overall understanding of satellite network security risks. To overcome these limitations, this study systematically analyzes vulnerabilities in the satellite network and employs threat-modeling techniques to quantitatively assess the overall security posture of the network [21]. Specifically, the Threat Vector–Hierarchical Attack Representation Model (TV-HARM) [22] is utilized to systematically analyze the multilayered architecture and diverse attack vectors. TV-HARM, an enhanced model that integrates the concept of a threat vector with the widely used Hierarchical Attack Representation Model (HARM) [23], enables the structured and precise analysis of network attack paths [24,25]. Furthermore, this study extends the TV-HARM-based security framework to reflect the distinct characteristics of satellite networks and refines security evaluation metrics to align with their operational constraints. The improved framework provides a systematic methodology for assessing satellite network security. By modeling multisegment attack propagation, it enables a detailed evaluation of inter-segment attack paths and incorporates vulnerability interdependencies by analyzing interactions among operating systems, communication protocols, and hardware platforms. By leveraging this security framework, threat modeling and integrated countermeasure analysis are conducted to evaluate security risks. This approach ultimately enhances the overall security posture of satellite networks [26,27].

The structure of this article is as follows: Section 2 reviews prior research on satellite network security and highlights its limitations. Section 3 examines security threats to satellite networks and defines attack scenarios. This section also describes the application of TV-HARM and the redefinition of security metrics for quantitative evaluation. Section 4 presents the experimental results, discussing the effectiveness of mitigation strategies based on the analyzed metrics. This section also includes a discussion of the findings and highlights future work to address remaining challenges. Section 5 concludes the article with a summary of the key findings, emphasizing their implications for satellite network security.

2. Related Works

Satellite network security has advanced continuously through various studies. In this work, we systematically categorize prior research on satellite network security into three key areas for analysis and reference. On the basis of this categorization, we review prior studies, identify their limitations, and establish the research direction for our study.

2.1. Threats in Satellite Networks

Traditional satellite communication systems (SCSs) are vulnerable to security threats and highly susceptible to various attack vectors [28]. Yue et al. [3] critically evaluated the characteristics, vulnerabilities, and security and reliability issues of LEO communication systems, discussing potential security attacks and reliability risks while proposing design guidelines and solutions. Tedeschi et al. [5] conducted a comprehensive study on the security threats, solutions, and challenges of SCSs, categorizing the existing literature into two main areas—physical-layer security and cryptographic schemes—and identifying specific research domains within each category. Kang et al. [1] focused on the critical security vulnerabilities that have emerged alongside the rapid advancement of SCSs. This study criticized the limitations of previous research and emphasized the need for a systematic classification of attacks and defenses based on confidentiality, integrity, and availability (CIA) through a comprehensive investigation of the SCS security landscape. Willbold et al. [12] examined the security risks associated with the growing reliance on commercial hardware and software. Lee et al. [29] analyzed the cybersecurity vulnerabilities of end-of-life (EOL) satellites. That study highlighted the increased risk of cyberattacks during periods when operators lower their security vigilance after mission completion and discussed how inactive satellites negatively impact space sustainability. Toubi et al. [30] investigated the susceptibility of SCSs to distributed denial-of-service (DDoS) attacks. Given the crucial role of SCSs in global connectivity, that study assessed their potential vulnerabilities to cyberthreats and suggested strategies for mitigating these risks.

2.2. Security Analysis for Satellite Networks

Several studies have investigated the overall security landscape of satellite systems and systematically categorized attack techniques to facilitate the security analysis of satellite networks. Salim et al. [4] conducted an in-depth analysis of the architecture and cybersecurity landscape of SCSs, categorizing them into three primary segments: space, ground, and link. Meanwhile, Peled et al. [31] expanded the MITRE ATT&CK framework to systematically classify adversarial tactics and techniques targeting satellites. However, they identified significant challenges, such as the difficulty in deploying advanced security solutions because of limitations in computing resources, as well as the obstacles in implementing new security measures stemming from restrictions on upgrading satellite systems. Willbold et al. [17] analyzed firmware vulnerabilities, an area that is relatively underexplored in satellite security research. Three satellite firmware images were subjected to an experimental security analysis, which revealed serious flaws and insufficient access control measures. Yu et al. [20] investigated the security vulnerabilities of satellite modems, a critical component of satellite communication networks. Falco et al. [32] examined security vulnerabilities in CubeSat systems and explored potential attack vectors through attack tree analysis. The overall security posture of CubeSat systems, including spacecraft, GCS, and communication signals, was evaluated in their study. However, different CubeSat models’ unique configurations and functionalities create a challenge, as a single attack tree cannot universally apply to all CubeSat systems.

2.3. Security Enhancement Strategies for Satellite Networks

A number of strategies have been investigated to improve satellite network security. The implementations of security protocols, threat mitigation techniques, and security assessment methods are some of the ways that prior research suggests for enhancing security. Zhang et al. [15] analyzed cascading failures in LEO networks and proposed a model to enhance network resilience. However, the model primarily focused on satellite failures and did not fully account for other factors influencing network robustness. Lai et al. [33] utilized space digital twin (SDT) technology to create a virtual ISTN environment, which served as a foundation for security assessments and vulnerability detection. However, the complexity of the SDT model development limited its ability to reflect network characteristics accurately. Jiang [34] conducted a comprehensive study on software-defined satellite networks (SDSNs) and leveraged SDNs’ centralized management and reconfiguration capabilities to address the dynamic topology challenges of satellite networks. Wang et al. [35] applied blockchain technology to satellite networks, while Hosseinidehaj et al. [36] integrated quantum technologies, and Tang et al. [37] implemented federated learning. However, these studies lack a detailed security-focused approach, limiting their applicability from a cybersecurity perspective. Researchers have also proposed various strategies for enhancing security, providing valuable insights into different aspects of satellite network protection. These studies have made significant contributions to the field, particularly in qualitative security assessments and the analysis of individual threat vectors. However, systematic threat modeling and quantitative security evaluation for satellite networks remain relatively underdeveloped. Although existing research has provided fundamental advancements, a structured framework for analyzing multisegment attack propagation and risk quantification has yet to be fully established. To advance these efforts, this study introduces a TV-HARM-based threat modeling approach and conducts a quantitative security assessment to comprehensively evaluate the security posture of satellite networks. By incorporating multisegment interactions, protocol-level vulnerabilities, and structured security metrics, our approach establishes a systematic framework for security evaluation, enabling a more precise and practical assessment of satellite network security risks. This structured methodology not only builds upon existing research but also enhances security analysis by integrating multilayered-attack propagation modeling and quantitative risk evaluation.

3. Materials and Methods

This section presents the proposed security framework for systematically evaluating satellite network security. It outlines the satellite network architecture, analyzes vulnerabilities, and applies TV-HARM for threat modeling. Additionally, security metrics are introduced to quantify risks and assess the overall security posture.

3.1. Security Framework for Threat Modeling and Assessment

This subsection details a four-step security framework tailored to address the unique characteristics of satellite networks. The framework defines a network’s architecture, identifies vulnerabilities, models potential attack scenarios, and evaluates security to design effective countermeasures, as shown in Figure 1. The first step involves defining the key components and data flow of the satellite network. The architecture is categorized into the ground, space, and user segments, with an analysis of the data flow that includes the roles of each node and their interactions with protocols. The second step focuses on identifying security vulnerabilities and threat vectors [38]. Utilizing Common Vulnerabilities and Exposures (CVEs) and the Common Vulnerability Scoring System (CVSS) [39], potential vulnerabilities in key nodes and protocols within the satellite network are identified. Based on these vulnerabilities, potential threat vectors are developed, and specific attack scenarios are defined. The third step involves performing threat modeling to systematically represent and analyze threat vectors [40]. The final step encompasses the evaluation of security and the design of countermeasures. This evaluation begins by assessing the satellite network’s security posture prior to the application of any security patches.

3.2. Satellite Network Architecture

A satellite network consists of three segments: the ground segment, the user segment, and the space segment. Each segment employs distinct protocols for data transmission, message exchange, and communication between nodes. As shown in Figure 2, the network adopts a structured architecture, where node connections are categorized based on the protocols used. In this network, communication follows a structured process, where each segment interacts through predefined protocol pathways. The ground segment consists of a ground control station (GCS), which generates control signals and receives telemetry data from satellites. Communication between the GCS and satellites, including LEO and MEO satellites, primarily relies on the Consultative Committee for Space Data Systems (CCSDS) for secure and reliable data transmission. The GCS also interacts with ground-based components, such as routers (RTs) and gateways (GWs), through the Transmission Control Protocol/Internet Protocol (TCP/IP), facilitating routing and security enforcement via a firewall. The space segment functions as an intermediary, relaying commands and data between the GCS and user devices. MEO satellites process GPS data, while LEO satellites forward IoT and UAV telemetry using the CCSDS and MIOTY. The user segment consists of IoT devices, UAVs, and global navigation satellite system (GNSS) receivers, which communicate with satellites and ground stations through MIOTY and National Marine Electronics Association (NMEA) protocols. IoT data are transmitted via GW₁, while UAV and GNSS data are processed through GW₂. This structured data flow enables the efficient transmission of commands, telemetry, and sensor data across network components, ensuring reliable satellite network operations. Figure 2 illustrates the structured data flow and communication pathways among the network segments.

The CCSDS [41] is an international standard protocol offering error recovery capabilities and high data reliability for satellite-to-ground communications. This protocol facilitates the reception of status information and the transfer of data from the GCS to MEO and LEO satellites. MIOTY [42], a low-power wide-area network (LPWAN) technology, is used for data communication between IoT devices, UAVs, and gateways. Although it operates at a low transmission rate, it provides long-range communications and robust error recovery, making it effective for large-scale IoT networks. Optimized for low-power environments, MIOTY minimizes energy consumption in IoT devices. The NMEA [43] standard defines protocols for exchanging navigation data between GNSS receivers and external devices. It facilitates the transmission of GPS data collected by GNSS receivers to external systems using a compact data format. However, actual communication between GNSS receivers and satellites does not rely on NMEA but instead utilizes GPS L1 and L2 signals [44]. These L1 and L2 signals serve fundamentally different functions in GNSS communication, focusing on satellite-based communication, while NMEA is primarily concerned with data formatting and exchange. This study prioritizes the security analysis of the NMEA, excluding the wireless communication vulnerabilities of L1 and L2 signals, as these fall outside the scope of this research. The TCP/IP is another standard protocol used for managing data transmission within terrestrial networks, ensuring stable communication and efficient data exchange between the key components, such as the GCS, RTs, and GWs.

3.2.1. Ground Segment

The ground segment is a key terrestrial component of the satellite network, consisting of a GCS, GW₁, GW₂, an RT, and an FW (Figure 2). This segment processes command and status data between satellites and user devices while managing network traffic to ensure efficient communication. The GCS is responsible for satellite operations and control, including orbit management, data collection, command execution, and communication link establishment. Incoming packets from external networks pass through the FW for filtering before being forwarded to the GCS via the RT. The GCS analyzes the received data and generates command data, which it transmits to MEO and LEO satellites using CCSDS. In actual satellite networks, each satellite connects to a dedicated GCS. However, for security modeling and experimental purposes, this study assumes a scenario where two satellites connect to a single GCS. Under this assumption, the GCS can transmit satellite control commands to LEO satellites or send status data request commands to MEO satellites. GW₁ facilitates data transmission between the IoT and a UAV using the MIOTY protocol and exchanges data with LEO satellites via the CCSDS. It collects environmental sensor data from the IoT and forwards it to LEO satellites while transmitting data from LEO satellites back to the IoT. GW₂ transmits data collected from the UAV to MEO satellites using the CCSDS and relays GPS data from MEO satellites back to the UAV. The RT receives packets filtered by the FW and routes them to the GCS or GWs based on their destination addresses.

3.2.2. Space Segment

The space segment represents the satellite communication layer within the network and consists of MEO and LEO satellites (Figure 2). MEO satellites transmit high-precision positioning and timing data to GNSS user terminals using GPS L1 and L2 signals. Upon reception, the GNSS converts these signals to the NMEA format and delivers the data to users’ devices. Additionally, MEO satellites exchange communication data, including GNSS information, with GW₂. Through this connection, MEO satellites relay the GNSS data to the ground network and process the command data received from ground stations for satellite operations. LEO satellites primarily function as data relays, collecting information from the IoT and UAV and transmitting it to the ground. The data are first transferred to GW₁ via the MIOTY and subsequently sent to the GCS via the CCSDS.

In satellite networks, inter-satellite links (ISLs) are typically used for communication between satellites, primarily employing radio-frequency (RF) or laser communication methods. However, this study focuses on security vulnerability analysis and threat modeling to assess the security of satellite networks, with a particular emphasis on threat analysis at the node and protocol levels.

3.2.3. User Segment

The user segment represents the end-user layer of the satellite network and consists of the GNSS, IoT, and UAV (Figure 2). The GNSS receives GPS L1 and L2 signals from MEO satellites, which it uses to provide high-precision timing and positioning data. After being transformed to the NMEA format, the received signals are sent to users’ applications, supporting various industries, such as vehicle navigation, maritime, and aviation. The IoT collects sensor data for various applications, including environmental monitoring, smart agriculture, and wildfire detection. These data are transmitted to GW₁ via the MIOTY and relayed to LEO satellites using the CCSDS. In actual communication, the IoT interacts with gateways through a user terminal; however, for simplicity in the architecture and modeling structure, this study integrates the IoT into a unified representation.

3.3. Vulnerability and Threat Analysis

This section systematically analyzes security vulnerabilities in key nodes and protocols within satellite networks using CVE and CVSS data. The findings from this analysis serve as a foundation for threat modeling and attack scenario design [45,46].

3.3.1. Operating Systems and Vulnerabilities

Satellite networks consist of multiple segments, each comprising various nodes that operate on distinct operating systems (

Table 1. Operating systems in satellite network hosts.

Segment	Host	Operating System
Ground Segment	FW	Red Hat Enterprise Linux
	RT	Red Hat Enterprise Linux
	GCS	Red Hat Enterprise Linux
	GW1	Red Hat Enterprise Linux
	GW2	Red Hat Enterprise Linux
Space Segment	LEO	VxWorks
	MEO	VxWorks
User Segment	GNSS	Red Hat Enterprise Linux
	UAV	PX4
	IoT	Contiki OS

). In the ground segment, the FW, RT, GCS, GW₁, and GW₂ all run on Red Hat Enterprise Linux (RHEL). The space segment, consisting of MEO and LEO satellites, operates on VxWorks, an RTOS designed for high-reliability aerospace and mission-critical applications. VxWorks is particularly well suited for satellite networks because of its lightweight architecture, enabling efficient utilization of limited system resources while ensuring reliable orbit control and data transmission. In the user segment, the GNSS operates on Red Hat Enterprise Linux, leveraging its proven stability in satellite ground systems and aerospace applications. UAVs run on PX4, while the IoT operates on the Contiki OS, which is optimized for low-power and resource-constrained environments.

The security vulnerabilities in each operating system are summarized in

Table 2. Vulnerabilities in satellite network hosts.

ID	Host	CVE ID	CVSS BS	Impact
$v_1$	FW	CVE-2022-34918	7.8	5.9
$v_2$	RT	CVE-2023-28432	7.5	3.6
$v_3$	GCS	CVE-2023-2319	9.8	5.9
$v_4$	GW1	CVE-2023-32233	7.8	5.9
$v_5$	GW2	CVE-2022-40684	9.8	6.0
$v_6$	MEO	CVE-2023-38346	7.5	6.2
$v_7$	LEO	CVE-2022-23937	7.5	6.3
$v_8$	GNSS	CVE-2023-2203	8.8	5.9
$v_9$	IoT	CVE-2024-47181	7.5	6.5
$v_{10}$	UAV	CVE-2023-46256	9.8	5.9

. The vulnerability analysis for Linux-based operating systems in the ground and user segments was conducted using Nessus [47] and Nmap, while the VxWorks RTOS was analyzed with Wind River Security Tools [48]. Additionally, the PX4 operating system used in UAVs was systematically evaluated at both the network and application levels using Metasploit [49] and Nessus. The vulnerability analysis was performed based on CVE and CVSS data, and the key vulnerabilities for each node are summarized in Table 2.

3.3.2. Protocol Vulnerabilities

Table 3. Protocol vulnerabilities in the satellite network.

ID	Protocol	CVE ID	CVSS BS	Impact
$p{v}_1$	TCP/IP	CVE-2024-47659	8.8	5.9
$p{v}_2$	CCSDS	CVE-2019-11815	7.5	3.6
$p{v}_3$	MIOTY	CVE-2020-11901	9.0	6.0
$p{v}_4$	NMEA	CVE-2018-17174	9.8	5.9

summarizes the security vulnerabilities of the protocols used in satellite network threat modeling, and

Table 4. Protocol connection paths in the satellite network.

ID	Protocol	Connection Path
$p{v}_1$	TCP/IP	FW ↔ RT
		RT ↔ GCS, GW1, GW2
$p{v}_2$	CCSDS	GCS ↔ MEO, LEO
		GW1 ↔ LEO
		GW2 ↔ MEO, LEO
$p{v}_3$	MIOTY	GW1 ↔ UAV, IoT
		GW2 ↔ IoT
$p{v}_4$	NMEA	MEO → GNSS 1

¹ L1/L2 data conversion via NMEA. ↔ represents duplex communication, and → simplex unidirectional communication.

outlines the key communication paths that may be affected by these vulnerabilities. Based on this, the key vulnerabilities and communication paths of each protocol are analyzed as follows: The TCP/IP vulnerability ($p{v}_1$), CVE-2024-47659, is a vulnerability in which improperly labeled packets during the connection process allow unauthorized nodes to modify data transmitted between other nodes. The CCSDS vulnerability ($p{v}_2$), CVE-2019-11815, is a use-after-free vulnerability caused by memory management errors, and it can compromise system integrity or lead to data loss. The MIOTY vulnerability ($p{v}_3$), CVE-2020-11901, is a memory management vulnerability that can make a system vulnerable to denial-of-service (DoS) attacks. The NMEA vulnerability ($p{v}_4$), CVE-2018-17174, is a vulnerability that exposes GNSS receivers to DoS attacks through maliciously crafted data.

The CVSS base scores (CVSS BSs) and impact values for each vulnerability were obtained from publicly available records in the National Vulnerability Database (NVD) and official CVE documentation. The CVSS scores follow the standard CVSS v3.1 scoring system, which assesses vulnerabilities based on their exploitability, impact on system security, and potential risk to affected components. The impact values correspond to the CVSS impact subscore, reflecting the severity of each vulnerability in terms of confidentiality, integrity, and availability.

3.3.3. Threat Analysis

Each threat addresses potential attack paths across the ground, user, and space segments, incorporating security vulnerabilities specific to the satellite network environment. The three identified threats are as follows:

(1) Threats via the Ground Segment. The first threat in the satellite network exploits vulnerabilities in the ground segment and extends to the space segment (MEO, LEO) (Figure 3). The attacker can systematically exploit vulnerabilities at each node, potentially gaining control over the key network nodes.

First, the attacker exploits the FW vulnerability to gain initial access to the network. This exploitation may facilitate a privilege escalation attack, bypassing the firewall’s protections and providing a pathway to the RT. Next, the attacker exploits the RT vulnerability to control network traffic, enabling the injection of malicious data or tampering with data paths. During this stage, a packet injection attack can occur, allowing the attacker to establish a foothold for further access to the GCS and gateways. Subsequently, the attacker targets the GCS to access sensitive data or manipulate the command structure. By exploiting vulnerabilities in the GCS, the attacker can execute a man-in-the-middle (MITM) attack, intercepting transmitted data or modifying commands sent to satellites. The vulnerabilities in GW₁ and GW₂ can also be exploited by the attacker. At GW₁, the attacker may inject malicious packets or perform a DoS attack, disrupting data transmission or blocking communication. At GW₂, an authentication bypass attack could occur, enabling the attacker to block or modify commands sent to satellites. Finally, the attacker targets MEO and LEO satellites in the space segment. At MEO satellites, the attacker may exploit memory management vulnerabilities to disrupt the satellite command system or manipulate orbital data. During this process, a command injection attack may occur, allowing the attacker to alter the satellite’s control commands. At LEO satellites, the attacker may exploit data integrity vulnerabilities to perform data tampering, potentially resulting in communication distortion and control disruption.

However, to execute an actual satellite attack, the attacker must first compromise the command system, which requires compromising the satellite’s physical layer and data link layer. Additionally, satellites incorporate security mechanisms, including encryption, rendering real-world attacks significantly more challenging. Nevertheless, this study assumes potential vulnerabilities in satellites to conduct a comprehensive security modeling of a satellite network.

(2) Threats via the User Segment. The second threat in satellite networks originates from the user segment and later expands into the space segment (MEO, LEO) (Figure 4). The attacker exploits vulnerabilities in UAV and IoT systems to infiltrate the network and, through this intrusion path, ultimately gains access to MEO and LEO satellites, the core components of the satellite network [50]. First, the attacker exploits IoT vulnerabilities to obtain initial access. During this process, a privilege escalation attack enables the penetration of the IoT network. Similarly, UAVs contain vulnerabilities that attackers can exploit to launch a DoS attack, disrupting communication between the IoT and UAVs or turning off the UAV network entirely. Next, the attacker can extend the threat to GW₁ and GW₂. At GW₁, the attacker can exploit TCP/IP vulnerabilities to inject malicious packets or manipulate traffic routes. Additionally, at GW₂, there is a risk of authentication bypass or data manipulation attacks, allowing the attacker to alter commands and data transmitted to MEO and LEO satellites. Finally, the threat can propagate to MEO and LEO satellites as it expands into the space segment. In MEO satellites, memory management vulnerabilities may be exploited to disrupt the satellites’ command control systems or compromise the integrity of the orbital data, potentially leading to a command injection attack. In LEO satellites, attackers can exploit the CCSDS vulnerability to intercept satellite communications or manipulate control signals, posing a severe risk to satellite operations.

(3) Threats via the Space Segment. Threats originating in the space segment can extend to the ground segment and user segment by exploiting vulnerabilities in MEO and LEO satellites (Figure 5). In reality, directly attacking MEO satellites from the outset requires advanced capabilities and significant resources. Therefore, this scenario assumes either that the space segment has already been compromised because of threats described in (1) Threats via the Ground Segment and (2) Threats via the User Segment or that attackers have exploited inherent satellite security vulnerabilities.

First, in MEO satellites, one potential threat involves exploiting vulnerabilities in the satellites’ command control systems and memory management, leading to a buffer overflow attack. By exploiting this vulnerability, an attacker could compromise an MEO satellite, manipulate orbital data, or distort data relay paths of MEO satellites. As a result, data and commands transmitted to the ground segment and user segment may be disrupted, delayed, or altered. Second, in LEO satellites, attackers can establish an initial base by exploiting operating system vulnerabilities. By exploiting memory management vulnerabilities in the authentication system, an attacker can execute a privilege escalation attack and a command injection attack. An attack exploiting MEO and LEO vulnerabilities can further propagate to the ground segment and user segment, similarly to the methods described in (1) Threats via the Ground Segment and (2) Threats via the User Segment, thus affecting the entire satellite network.

3.4. Threat Modeling Using TV-HARM

3.4.1. Overview of TV-HARM

In this study, we applied TV-HARM [22], an extension of HARM [23], to perform threat modeling for satellite networks. To systematically assess the improvements introduced by TV-HARM, it is necessary to first examine its foundational models and their limitations.

Attack graphs (AGs) and attack trees (ATs) are widely used for attack path analysis, with AGs visualizing primary attack paths using key nodes and edges, while an AT hierarchically links node and protocol vulnerabilities to assess specific attack scenarios. However, both models lack probabilistic risk assessment and real-time threat response, limiting their applicability in dynamic environments, such as satellite networks. To address these limitations, HARM integrates AGs and ATs, enhancing hierarchical threat analysis while preserving a structured attack path representation [51,52]. Despite these improvements, HARM still lacks probabilistic risk modeling and real-time threat updates, necessitating further advancements for comprehensive security assessment. Bayesian attack graphs (BAGs) and Markov models incorporate probabilistic analysis to mitigate these limitations. BAGs extend AGs by calculating attack success probabilities, enabling quantitative risk assessment. However, they rely on static probability estimations and predefined datasets, reducing adaptability in dynamic environments. Similarly, Markov models utilize state-transition analysis to estimate risk levels dynamically but lack hierarchical threat modeling and vulnerability correlation analysis, both of which are essential for evaluating inter-segment dependencies in satellite networks.

TV-HARM, an extension of HARM, was initially developed for SDN environments to analyze complex data flows and diverse attack vectors. However, its focus on SDN-specific architectures and host vulnerabilities restricts its applicability to satellite networks, which involve multilayered infrastructures, diverse communication protocols, and unique operational constraints. To bridge this gap, this study extends TV-HARM by integrating the concept of the threat vector, incorporating probabilistic risk assessment, real-time threat updates, and hierarchical threat modeling to better represent the characteristics of satellite networks. A key enhancement of TV-HARM is its ability to unify host vulnerabilities ($v_1$, $v_2$, …) and protocol vulnerabilities ($p{v}_1$, $p{v}_2$, …) into a correlated threat analysis framework, enabling multisegment security assessment. Unlike AGs and ATs, TV-HARM correlates vulnerabilities across multiple network segments, facilitating hierarchical threat modeling while dynamically updating attack probabilities based on real-time vulnerability changes and security countermeasures. This structured and probabilistic approach enhances multisegment attack propagation analysis, improves risk estimation, and strengthens security countermeasures against evolving threats in satellite communication systems. Compared with BAGs and Markov models, TV-HARM provides a more comprehensive vulnerability correlation analysis, supporting a detailed assessment of cascading attack effects across satellite network layers. A comparative analysis of these models is summarized in

Table 5. Comparison of threat modeling approaches for security analysis in satellite networks.

Model	Attack Path Analysis	Probabilistic Risk Assessment	Real-Time Threat Update	Vulnerability Correlation Analysis	Hierarchical Threat Modeling
Attack Graph	Tree-Based Visualization	✗	✗	✗	✗
Attack Tree	Formalized Logical Tree	✗	✗	✗	✗
Markov Model	State-Transition-Based Analysis	✓	▲	✗	✗
Bayesian Attack Graph	Probability-Based Analysis	✓	▲	▲	✗
HARM	AT + AG Integration	▲	▲	▲	▲
TV-HARM	HARM + Threat Vector Analysis	✓	▲	✓	✓

✓: fully supported; ▲: partially supported; ✗: not supported.

.

3.4.2. Application of TV-HARM in Satellite Networks

To enhance the applicability of TV-HARM to satellite networks, we extend its framework by integrating protocol vulnerabilities ($p{v}_1,p{v}_2,\dots$) and adapting its hierarchical structure to accommodate multisegment architectures. Originally designed for SDN environments and focused on host-based vulnerabilities, TV-HARM’s current framework is limited in its ability to assess security risks in satellite networks, which involve diverse communication protocols and cross-layer dependencies. To address these challenges, we propose a refined TV-HARM that incorporates protocol vulnerabilities and multisegment threat modeling. The formal mathematical definitions, including the model’s hierarchical structure and mapping functions, are provided in Appendix A.

The key advancements introduced in this study are as follows:

• Incorporating protocol vulnerabilities: Unlike the original TV-HARM, which considered only host vulnerabilities ($v_1,v_2,\dots$), the proposed model integrates protocol vulnerabilities ($p{v}_1,p{v}_2,\dots$), broadening the scope of security analysis to include multilayered-attack interactions;
• Multisegment threat modeling: The framework is specifically adapted for satellite network architectures, incorporating security assessments across the terrestrial, space, and user segments to capture multisegment threats;
• Refined hierarchical mapping: The hierarchical mapping between the AG and AT is improved to better correlate vulnerabilities across multiple network layers, enhancing the accuracy of cross-layer risk assessments.

These modifications significantly enhance TV-HARM’s applicability to satellite networks by enabling more precise security evaluations and realistic attack propagation analysis. Figure 6 and Figure 7 illustrate the extended TV-HARM framework, demonstrating its capability in analyzing multisegment attack vectors and interdependencies among vulnerabilities.

To systematically evaluate the security posture of satellite networks, TV-HARM was applied to predefined threat vectors and vulnerabilities derived from real-world CVE-documented security risks. This process involved multiple stages to ensure a structured security assessment. First, threat vectors were defined and mapped to their respective vulnerabilities. These threat vectors, denoted as $t{v}_1,t{v}_2,\dots$, represent specific attack scenarios targeting the key components of the satellite network. Each threat vector was associated with host vulnerabilities ($v_1,v_2,\dots$) and protocol vulnerabilities ($p{v}_1,p{v}_2,\dots$), ensuring a comprehensive representation of attack surfaces. The selected vulnerabilities reflect known security weaknesses in GCS, IoT, and satellite communication protocols, such as the CCSDS and NMEA. Once the vulnerabilities were mapped, each vulnerability ($v_i$ or $p{v}_i$) was assigned an attack success probability and an impact score based on CVSS metrics. These parameters served as input for TV-HARM, facilitating a structured analysis of attack propagation, cross-layer dependencies, and the overall network risk. The full mathematical definitions and hierarchical mappings of TV-HARM, including its probability calculations, are provided in Appendix A. Next, TV-HARM was executed to compute the overall attack probability and network risk levels. The evaluation process involved computing the attack success probability for each threat vector, $t{v}_i$, followed by an analysis of the hierarchical structure of TV-HARM to assess how vulnerabilities propagate across different network layers. Finally, security metrics, including the overall network risk score, were derived based on the probability-weighted impacts of multiple attack paths.

To assess the effectiveness of mitigation strategies, countermeasures were applied in different experimental phases. These countermeasures included the following:

• OS Patches (Enterprise Linux Security Updates). Security updates were applied to critical system components running Enterprise-Linux-based distributions to address vulnerabilities, such as CVE-2023-2319 (the GCS privilege escalation). The patches mitigated local privilege escalation risks by restricting the unauthorized execution of high-privilege processes and enforcing access control policies. Additionally, kernel-level security patches were deployed to prevent memory corruption exploits and unauthorized process injections;
• Protocol Patches (Satellite Communication Protocol Updates). Security patches were applied to critical satellite communication protocols, including TCP/IP, NMEA, CCSDS, and MIOTY, to address known vulnerabilities. The TCP/IP patch mitigated risks related to improper input validation, reducing the susceptibility to packet injection attacks. The NMEA update incorporated additional message validation to prevent spoofing and unauthorized command execution. The CCSDS patch strengthened authentication mechanisms to prevent unauthorized data manipulation. Finally, the MIOTY patch enhanced error correction and integrity verification to minimize the impact of data corruption attacks;
• CFR (Creating Filtering Rules for Anomalous Traffic Detection). Custom filtering rules were defined and implemented to restrict unauthorized satellite control commands and prevent the exploitation of known vulnerabilities. Real-time access control policies were established to monitor and block anomalous traffic patterns, limiting adversarial access to critical satellite operations. This approach was designed to mitigate CVE-2023-38346 (the MEO data corruption attack) by preventing unauthorized modifications of satellite data and tampering with critical telemetry logs. CFR was applied exclusively to the GCS and gateways to enhance access control and minimize unauthorized command execution.

Each countermeasure was applied iteratively in different simulation phases, and TV-HARM was re-executed following the implementation of patches to measure their impacts on attack probability reduction and risk mitigation. To further illustrate how TV-HARM is applied in satellite networks, the following examples are presented.

Example 1: Mapping the Upper and Lower Layers: Figure 7b illustrates the TV-HARM structure specifically for the satellite network scenario involving $t{v}_{123}$_-LEO. In this example, the combination of threat vectors is defined as $C_4=$$t{v}_{123}$_-LEO, encompassing threat vectors from the ground segment ($t{v}_1$), user segment ($t{v}_2$), and space segment ($t{v}_3$). TV-HARM for $C_4$ is expressed as $TV{H}_{C_4}=(U_{C_4},L_{C_4},M_{C_4})$, where $M_{C_4}$ serves as a mapping function that connects the upper layer, $U_{C_4}$, to the lower layer, $L_{C_4}$. This one-to-one mapping ensures that each element in the upper layer is uniquely associated with its corresponding structure in the lower layer, forming a hierarchical attack representation.

Example 2: The Upper Layer: The AG shown in Figure 7b represents the upper layer, formally defined as $U_{C_4}=(H_{C_4},E_{C_4})$, where $H_{C_4}$ is the set of hosts, and $E_{C_4}$ is the set of directed edges representing their relationships. $H_{C_4}$ includes $\{\mathit{A},\mathit{LEO},\mathit{GCS},\mathit{RT},{\mathit{GW}}_{\mathit{1}},{\mathit{GW}}_{\mathit{2}}$, $\mathit{MEO},\mathit{UAV},\mathit{IoT}\}$, while $E_{C_4}$ includes connections, such as $(A\to \mathit{LEO}),(\mathit{LEO}\to \mathit{GCS}),(\mathit{LEO}\to {\mathit{GW}}_{\mathit{1}}),(\mathit{LEO}\to {\mathit{GW}}_{\mathit{2}}),(\mathit{GCS}\to \mathit{RT}),(\mathit{RT}\to {\mathit{GW}}_{\mathit{1}}),(\mathit{RT}\to {\mathit{GW}}_{\mathit{2}}),({\mathit{GW}}_{\mathit{1}}\to \mathit{MEO}),({\mathit{GW}}_{\mathit{1}}\to \mathit{UAV}),({\mathit{GW}}_{\mathit{1}}\to \mathit{IoT}),({\mathit{GW}}_{\mathit{2}}\to \mathit{UAV}),({\mathit{GW}}_{\mathit{2}}\to \mathit{IoT})$. The attacker initiates at A, leveraging LEO satellites to propagate threats into the ground and user segments, ultimately compromising the IoT and UAV.

Example 3: Lower Layer: The AT shown in Figure 7b focuses on threats originating from the $\mathit{GCS}$. The attack conditions leveraging the vulnerabilities of the $\mathit{GCS}$ are defined as follows: $L_{C_4}^{\mathit{GCS}}=(A_{C_4}^{\mathit{GCS}},B_{C_4}^{\mathit{GCS}},c_{C_4}^{\mathit{GCS}},g_{C_4}^{\mathit{GCS}},roo{t}_{C_4}^{\mathit{GCS}})$, where $A_{C_4}^{\mathit{GCS}}=\{v_3,p{v}_1\}$ includes host-based vulnerabilities ($v_3$) and protocol-based vulnerabilities ($p{v}_1$) within the $\mathit{GCS}$. Because no logical gates are present, $B_{C_4}^{\mathit{GCS}}=\varnothing$, $c_{C_4}^{\mathit{GCS}}=\varnothing$, and $g_{C_4}^{\mathit{GCS}}=\varnothing$. The root node is defined as $roo{t}_{C_4}^{\mathit{GCS}}=root$, representing the ultimate attack target within the $\mathit{GCS}$. The union of $A_{C_4}^{\mathit{GCS}}$ and $B_{C_4}^{\mathit{GCS}}$ encompasses all the threat elements contributing to $roo{t}_{C_4}^{\mathit{GCS}}$. The host vulnerability ($v_3$) and protocol vulnerability ($p{v}_1$) associated with the $\mathit{GCS}$ form the primary focus of the AT analysis, defining the interactions among these threat elements.

Security threats can originate from specific nodes or segments in the satellite network and propagate across the system. Based on the identified threat vectors, four attack scenarios are defined to analyze threat paths and their potential impacts.

Attack Scenario 1 ($t{v}_{13}$): The attacker exploits a vulnerability in the FW in the ground segment, bypassing authentication to insert malicious packets and gain access to the RT. Using a privilege escalation vulnerability in the RT, pathways to GW₁ and GW₂ are established, where TCP/IP vulnerabilities are used to tamper with commands or inject malicious packets. At the gateways, CCSDS vulnerabilities are exploited to manipulate data and commands directed to the space segment, allowing malicious commands to disrupt orbit control and data transmission in MEO and LEO satellites. This compromises satellite communication pathways, impacting network reliability and data integrity. The interconnected nature of the space and user segments enables these threats to propagate, amplifying the attack’s overall impact across the network.

Attack Scenario 2 ($t{v}_{23}$): The attacker exploits vulnerabilities in the IoT and UAVs within the user segment to propagate threats into the space segment via GW₁ and GW₂, targeting MEO and LEO satellites. The attack begins with the IoT, leveraging a MIOTY vulnerability to inject malicious data into GW₁. Unauthorized access to GW₁ is then used to embed the malicious data. Simultaneously, a UAV is exploited to manipulate data flows toward GW₂. At GW₁ and GW₂, the attacker uses TCP/IP and CCSDS vulnerabilities to propagate malicious data and alter commands sent to satellites. This disrupts orbital control and data transmission in MEO and LEO satellites, destabilizing the space segment.

The interconnected nature of the space and user segments amplifies the impact, as threats originating in space can reverberate back to the user segment. For example, GNSS services could disseminate inaccurate location data, leading to widespread disruptions in the satellite network. This scenario highlights severe compromises in data integrity and service reliability across the network.

Attack Scenario 3 ($t{v}_{123}$_-MEO): The attacker exploits a vulnerability in MEO satellites within the space segment, initiating threats that propagate to the ground and user segments and causing widespread network disruption.

The attack begins by leveraging a CCSDS vulnerability in MEO satellites to inject malicious instructions into critical nodes in the ground segment, such as the GCS and GW₂. Malicious data transmitted to the GCS exploit host vulnerabilities and use TCP/IP pathways to access GW₁ and GW₂. Within these gateways, the attacker manipulates data flows, corrupting transmissions to LEO satellites and user segment nodes, such as UAVs, the IoT, and the GNSS. In particular, commands to the GNSS are compromised via an NMEA vulnerability, resulting in inaccurate location data. These errors cascade through dependent services in the user segment, disrupting operational stability and data integrity. This scenario illustrates how an attack originating from the space segment can cascade into the ground and user segments, destabilizing satellite and terrestrial communications.

Attack Scenario 4 ($t{v}_{123}$_-LEO): The attacker exploits a vulnerability in the space segment, specifically targeting LEO satellites, to propagate threats across the ground and user segments, disrupting the satellite network.

The attack initiates with malicious data generated in LEO satellites, which are transmitted to the GCS and GW₁. As a central node, the GCS becomes a focal point for host vulnerabilities, allowing the manipulation of command structures and data flows. Exploiting TCP/IP vulnerabilities, the attack spreads further to GW₁ and GW₂, propagating malicious instructions to the user segment. In the user segment, the UAV and the IoT are targeted, leveraging NMEA vulnerabilities to corrupt commands transmitted from GW₂ to the GNSS. Consequently, inaccurate location data compromise dependent services. The RT facilitates the spread of malicious data from LEO satellites to GW₁, causing the initial attack to cascade through the ground segment and affect the user segment. This corruption of the data and command structures, originating in LEO satellites, disrupts communication across all the segments, undermining the reliability and stability of satellite communications and user services. These cascading effects underscore the interdependencies among the ground, space, and user segments, highlighting the importance of comprehensive threat modeling to analyze vulnerabilities and enhance satellite network security. Future work will focus on quantitatively assessing these scenarios to develop effective security measures.

3.5. Security Metrics for Satellite Networks

This study utilizes three evaluation methods from TV-HARM to assess the security posture of satellite networks. The network centrality measure evaluates the importance of the nodes linked to threat vectors, while the vulnerability score, using CVSS/CVE data, assesses the risks and impacts of vulnerabilities for a quantitative security evaluation. Finally, attack impact metrics comprehensively assess the network’s overall security state.

3.5.1. Network Centrality Measure

The network centrality measure evaluates the importance of the nodes within a network using a graph-based model [53]. This study utilizes the degree centrality and betweenness centrality to analyze the key nodes in the satellite network.

The degree centrality measures the number of edges connected to a node, representing its connectivity. For instance, in the satellite network AG, the GCS node has a degree centrality value of 0.667, as it is connected to four nodes, highlighting its critical role in network connectivity. Conversely, nodes such as the GNSS, which have fewer connections, exhibit lower degree centrality values, indicating comparatively less importance.

The betweenness centrality assesses a node’s role as a bridge along the shortest paths, signifying its impact on the network connectivity. For example, GW₁ has the highest betweenness centrality value of 0.429, underscoring its importance as a data transmission intermediary and a potential target for attacks. In contrast, the FW node has a lower betweenness centrality value, indicating a less significant role in network communication.

3.5.2. Vulnerability Score

The vulnerability score, which is widely used as a metric for assessing network security, provides a quantitative evaluation based on known vulnerabilities and related metrics (e.g., CVSS and CVE) [39]. In this study, the vulnerability scoring method used in TV-HARM was adjusted to adapt to the unique characteristics of the satellite network environment.

The attack success probability and risk were calculated based on host and protocol vulnerabilities in the satellite network. Herein, an individual vulnerability, $v_i$, represents a specific security vulnerability identified in a network node, where $p_{v_i}$ denotes the probability of a successful attack, and $r_{v_i}$ indicates the risk resulting from the vulnerability.

$$p_{v_i}={\displaystyle \frac{\mathrm{CVSS}{\mathrm{BS}}_{v_i}}{10}},p_{p{v}_i}={\displaystyle \frac{\mathrm{CVSS}{\mathrm{BS}}_{p{v}_i}}{10}}$$

(1)

$$r_{v_i}=Impac{t}_{v_i}\times p_{v_i},r_{p_{v_i}}=Impac{t}_{p_{v_i}}\times p_{p_{v_i}}$$

(2)

Equation (1) defines the attack success probability ($p_{v_i}$), normalizing it based on the CVSS base score within a range from 0 to 1. Herein, CVSSCVSS ${\mathrm{BS}}_{v_i}$ represents the CVSS base score of a host vulnerability ($v_i$), while $\mathrm{CVSS}{\mathrm{BS}}_{p{v}_i}$ represents the CVSS base score of a protocol vulnerability ($p{v}_i$). The CVSS base score quantifies exploitability on a scale from 0 to 10, and normalization ensures its usability as an attack success probability within a range from 0 to 1. The risk ($r_{v_i}$) is calculated as the product of the attack success probability and the impact, as shown in Equation (2). Herein, $Impac{t}_{v_i}$ denotes the impact score from the CVSS metric, quantifying a successful exploit’s potential consequences. Applying Equations (1) and (2), $p_{v_i}$ and $r_{v_i}$ numerically express the likelihood of exploitation and the risk for each specific vulnerability.

The next step involves computing security metrics for hosts. By analyzing the vulnerabilities associated with a host, the model determines its attack success probability ($p_h$) and risk ($r_h$). Equations (3) and (4) formally define these metrics.

$$\begin{array}{c}\hfill p_h=\left\{\begin{array}{cc}1-\prod _{v\in A_h}(1-p_v),\hfill & \mathrm{if}\mathrm{only}\mathrm{host}\mathrm{vulnerability}\mathrm{exists}\hfill \\ 1-\prod _{pv\in P_h}(1-p_{pv}),\hfill & \mathrm{if}\mathrm{only}\mathrm{protocol}\mathrm{vulnerability}\mathrm{exists}\hfill \\ 1-\prod _{v\in A_h}(1-p_v)·\prod _{pv\in P_h}(1-p_{pv}),\hfill & \mathrm{if}\mathrm{both}\mathrm{exist}\hfill \end{array}\right.\end{array}$$

(3)

$$\begin{array}{c}\hfill r_h=\left\{\begin{array}{cc}\sum _{v\in A_h}{p}_v·r_{v_i},\hfill & \mathrm{if}\mathrm{only}\mathrm{host}\mathrm{vulnerability}\mathrm{exists}\hfill \\ \sum _{pv\in P_h}{p}_{pv}·r_{p_{v_i}},\hfill & \mathrm{if}\mathrm{only}\mathrm{protocol}\mathrm{vulnerability}\mathrm{exists}\hfill \\ \sum _{v\in A_h}{p}_v·r_{v_i}+\sum _{pv\in P_h}{p}_{pv}·r_{p_{v_i}},\hfill & \mathrm{if}\mathrm{both}\mathrm{exist}\hfill \end{array}\right.\end{array}$$

(4)

Equation (3) defines the attack success probability ($p_h$), which is categorized into three cases based on host and protocol vulnerabilities: Host vulnerabilities: The attack success probability ($p_h$) for host-based vulnerabilities ($v\in A_h$) in a node (h) is calculated by determining the combined failure probability ($(1-p_v)$) for all the vulnerabilities and subtracting it from 1. This calculation assumes independent effects, representing the probability that at least one host vulnerability is successfully exploited.

Protocol vulnerabilities: When a node (h) has only protocol vulnerabilities, the attack success probability is determined similarly. The failure probabilities ($(1-p_{pv})$) of all the protocol vulnerabilities are multiplied, and the result is subtracted from 1, indicating the probability that at least one protocol vulnerability is exploited. Independent effects of vulnerabilities are assumed.

Host and protocol vulnerabilities: When both host and protocol vulnerabilities are present, the probabilities of failure for each set are computed independently, multiplied together, and subtracted from 1. This yields the overall attack success probability for the node.

The risk ($r_h$) is quantified by combining the attack success probability and the impacts of the vulnerabilities, enabling a detailed assessment of the network’s security state. Risk calculations are categorized into three cases based on the presence of host and protocol vulnerabilities:

Host vulnerabilities: The risk for a host (h) with host-based vulnerabilities ($v\in A_h$) is calculated by multiplying the success probability ($p_v$) of each vulnerability by its corresponding risk ($r_{v_i}$) and then summing the results;

Protocol vulnerabilities: The risk is determined by multiplying the success probability ($p_{pv}$) of each protocol vulnerability ($pv\in P_h$) by its corresponding risk ($r_{p_{v_i}}$) and summing all the values;

Host and protocol vulnerabilities: The overall risk is computed by separately evaluating the risk contributions from the host vulnerabilities and protocol vulnerabilities and then summing them. This approach combines the individual evaluations to reflect the total security state of the node.

Next, security metrics at the attack-path level are evaluated by incorporating the security status of each node in the path. The attack success probability ($p_{ci}^{ap}$) for a specific attack path ($ap$) is calculated by multiplying the attack success probabilities of all the nodes (h) along the path. Relevant formulae are provided in (5) and (6).

$$p_{ci}^{ap}=\prod _{h\in ap}{p}_h^{ci},ap\in A{P}_{ci}$$

(5)

Additionally, the risk of the attack path ($r_{ci}^{ap}$) is calculated by summing the risk of each node within the path.

$$r_{ci}^{ap}=\sum _{h\in ap}{r}_h^{ci},ap\in A{P}_{ci}$$

(6)

$A{P}_{ci}$ represents all the possible attack paths for a specific threat vector ($c_i$). This calculation allows for a quantitative assessment of the security status not only of individual nodes but also of the entire attack path.

Finally, the overall system security metric was evaluated by aggregating the security states of all the attack paths. The total attack success probability ($p_{ci}$) for a specific threat vector ($c_i$) is calculated based on the success probabilities of individual attack paths, as defined in Equation (7). Similarly, the system’s total risk ($r_{ci}$) was evaluated by summing the risks of all the attack paths, as shown in Equation (8).

$$p_{ci}=1-\prod _{ap\in A{P}_{ci}}(1-p_{ci}^{ap})$$

(7)

$$r_{ci}=\sum _{ap\in A{P}_{ci}}{r}_{ci}^{ap}$$

(8)

This model provides a more complex analysis than traditional security evaluation models by incorporating the interaction between host and protocol vulnerabilities.

3.5.3. Attack Impact Metrics

Attack impact metrics assess the overall security posture of the system by expanding upon the original TV-HARM methodology. In this study, an adjusted vulnerability score that was tailored to the characteristics of satellite networks was employed to evaluate both the attack success probability and attack impact. Figure 8 depicts the application of these metrics. The attack success probability, $p_{ci}$, represents the system-wide probability derived from both host and protocol vulnerabilities across all the attack paths. The attack impact is measured by the cumulative system-wide risk, $r_{ci}$, aggregated across these paths. $r_{ci}$ is classified into five categories: negligible, minor, moderate, significant, and critical. For example, when $p_h=75\%$, the node is categorized as likely, and if $r_h=5.8$, it is classified as significant. In such cases, the attack impact for the corresponding threat vector is classified as high.

4. Experimental Results and Discussion

In this section, we experimentally evaluate the effectiveness of mitigation measures using three security metrics—the network centrality measure, vulnerability score, and attack impact metrics—to analyze the impacts of vulnerabilities on the security state of satellite networks. The experiments focus on the key threat vectors ($t{v}_{13}$, $t{v}_{23}$, $t{v}_{123}$_-MEO, and $t{v}_{123}$_-LEO) with three mitigation strategies applied. First, OS patches target host vulnerabilities at critical nodes, such as the GCS, GW₁, and IoT, by implementing operating-system-level updates. Second, the protocol patches address vulnerabilities in protocols, including the TCP/IP and CCSDS, to enhance the security of data transmission paths. Third, Creating Filtering Rules (CFR) leverages real-time packet filtering technologies, such as Suricata [54] and Snort [55], deployed at the GCS, GW₁, and GW₂ to detect and block malicious packets along the key network paths.

4.1. Network Centrality Metrics

This section presents the results of the network centrality measure analysis for the four threat vectors ($t{v}_{13}$, $t{v}_{23}$, $t{v}_{123}$_-MEO, and $t{v}_{123}$_-LEO). The analysis used the degree centrality and betweenness centrality, and we evaluated the network characteristics of each scenario while using five patch strategies: no patch, OS patch, protocol patch, both patches, and CFR.

Table 6. Security assessment using the degree centrality metric.

(a) Targeting the space segment
Threat Vector	Node	Degree Centrality
		No Patch	OS Patch	Protocol Patch	Both Patches	CFR	Average
$t{v}_{13}$	FW	2	1	2	1	2	1.6
	RT	4	3	3	2	4	3.2
	GCS	3	3	3	2	2	2.6
	GW1	3	3	2	2	2	2.4
	GW2	2	2	1	1	1	1.4
$t{v}_{23}$	UAV	2	1	2	1	2	1.6
	IoT	3	2	3	1	3	2.4
	GW1	3	3	1	1	1	1.8
	GW2	3	3	2	2	2	2.4
(b) Originating in the space segment
Threat Vector	Node	Degree Centrality
		No Patch	OS Patch	Protocol Patch	Both Patches	CFR	Average
$t{v}_{123}$-MEO	MEO	3	3	1	1	3	2.2
	GCS	2	2	2	2	2	2.0
	RT	3	2	2	2	3	2.0
	GW1	3	3	2	1	2	2.2
	GW2	3	3	2	1	2	2.2
$t{v}_{123}$-LEO	LEO	4	4	3	3	4	3.6
	GCS	2	2	2	2	2	2.0
	RT	3	2	3	2	3	2.6
	GW1	5	5	4	2	4	4.0
	GW2	4	4	3	2	3	3.2

presents the degree centrality analysis results. The experimental evaluation quantitatively assessed the impacts of network nodes and each patch strategy on the degree centrality. This analysis quantitatively explains how security patch application influences the network structure.

In scenario $t{v}_{13}$, the RT emerged as the node with the highest average degree centrality, consistently serving as a key hub in the network. Both the OS patch and protocol patch reduced the centralities of the FW and RT, and when applying both patches and CFR, the centrality of the RT further decreased, contributing to a reduction in the attack surface. This indicates that the RT acts as a critical traffic hub in the network, and specific patch strategies help to distribute the load more effectively. In $t{v}_{23}$, the IoT and GW₂ recorded the highest centrality values, playing crucial roles as central connecting nodes within the user segment. Notably, the protocol patch and both patches reduced the centrality of GW₁, making the network structure more balanced and effectively reducing exposure to potential attacks. In $t{v}_{123}$_-MEO, MEO satellites, the RT, GW₁, and GW₂ maintained similar centrality values, indicating balanced network importance between the space segment and ground segment. When applying both patches, the centrality values for all the nodes tended to decrease, which suggests that the patching strategy helps to reduce the attack surface while maintaining the network connectivity. In $t{v}_{123}$_-LEO, GW₁ exhibited the highest centrality, followed by LEO satellites and GW₂. Both patches and CFR significantly reduced the centralities of GW₁ and GW₂, reducing exposure along the key network paths and strengthening the overall security of the network.

Next, as shown in

Table 7. Security assessment using the betweenness centrality metric.

(a) Targeting the space segment
Threat Vector	Node	Betweenness Centrality
		No Patch	OS Patch	Protocol Patch	Both Patches	CFR	Average
$t{v}_{13}$	FW	0.14	0.17	0.25	0.25	0.25	0.21
	RT	0.36	0.33	0.25	0.17	0.17	0.26
	GCS	0.21	0.25	0.33	0.42	0.42	0.33
	GW1	0.14	0.17	0.08	0.08	0.08	0.11
	GW2	0.14	0.08	0.08	0.08	0.08	0.10
$t{v}_{23}$	UAV	0.14	0.10	0.14	0.07	0.10	0.11
	IoT	0.29	0.20	0.29	0.13	0.20	0.22
	GW1	0.19	0.17	0.10	0.05	0.10	0.12
	GW2	0.19	0.17	0.14	0.14	0.15	0.15
(b) Initiated in the space segment
Threat Vector	Node	Betweenness Centrality
		No Patch	OS Patch	Protocol Patch	Both Patches	CFR	Average
$t{v}_{123}$-MEO	MEO	0.21	0.17	0.25	0.25	0.21	0.22
	GCS	0.36	0.33	0.25	0.25	0.36	0.29
	RT	0.43	0.42	0.33	0.25	0.43	0.37
	GW1	0.21	0.25	0.08	0.08	0.21	0.17
	GW2	0.21	0.17	0.08	0.08	0.21	0.15
$t{v}_{123}$-LEO	LEO	0.36	0.36	0.25	0.17	0.36	0.32
	GCS	0.21	0.21	0.17	0.17	0.21	0.20
	RT	0.43	0.33	0.33	0.25	0.43	0.37
	GW1	0.50	0.50	0.42	0.17	0.42	0.40
	GW2	0.43	0.43	0.33	0.17	0.33	0.34

, we analyzed the impacts of the network nodes and patch strategies on the betweenness centrality, which indicates how often a node serves as a bridge in data transmission paths. Higher betweenness centrality values indicate that a node is important in routing traffic within the network. This analysis allows us to quantitatively assess the effects of specific patch strategies on the traffic distribution and attack path blocking. In $t{v}_{13}$, the RT and the GCS showed the highest betweenness centralities, acting as the key intermediaries within the network. The application of the OS patch and protocol patch decreased the RT’s betweenness centrality, facilitating a more even network traffic distribution. In contrast, applying both patches and CFR further reduced the RT’s centrality, leading to more effective balancing of the traffic load and reducing the attack surface. In $t{v}_{23}$, the IoT and GW₂ exhibited the highest betweenness centralities, playing a crucial intermediary role within the user segment. When applying both patches, the betweenness centralities for GW₁ and GW₂ notably decreased, mitigating the concentration of the traffic on specific nodes and distributing attack paths more effectively. In $t{v}_{123}$_-MEO, the RT maintained the highest betweenness centrality, serving as a critical intermediary in the network’s main data paths. The application of both patches led to reductions in the betweenness centralities of GW₁ and GW₂, effectively isolating the key nodes and decreasing the likelihood of attacks targeting specific nodes. Finally, in $t{v}_{123}$_-LEO, GW₁ showed the highest betweenness centrality, followed by the RT. The application of the protocol patch and both patches significantly decreased GW₁’s betweenness centrality, preventing specific nodes from becoming major attack paths within the network.

Through this analysis, we were able to quantitatively assess the impacts of specific nodes on the data flow within the satellite network and evaluate the effectiveness of each patch strategy with respect to the security posture. In particular, the application of both patches or CFR emerged as the most effective method for restricting attack paths and optimizing the traffic flow. The application of both patches decreased the betweenness centralities of the key nodes, leading to a more balanced distribution of the data flow within the network. The application of CFR played a crucial role in dispersing traffic across the key intermediary nodes, helping to mitigate the risk of specific nodes becoming concentrated attack surfaces. The protocol patch effectively reduced the betweenness centralities of specific nodes in the user segment, preventing threat vectors from focusing on particular nodes. This analysis confirmed that a multipatch strategy is the most effective way to enhance the satellite network security.

4.2. Vulnerability Score Metric

In this study, we utilized the vulnerability score to evaluate the security states of satellite networks quantitatively. From this, we derived seven key metrics from attack scenarios for each threat vector and conducted an analysis. No. of paths indicates the number of attack paths available for an attacker to reach the target in a given model. A higher value implies a more significant number of potential attack possibilities. The shortest path length represents the length of the shortest attack path that an attacker must take to reach the target. Shorter paths suggest a higher likelihood of network vulnerability. The mean path length refers to the average length of all the attack paths within the model and is used to assess the overall security level of the network. The max probability is the value of the attack path with the highest success rate. This indicates the most vulnerable point in the network for the attacker. The total probability is the sum of all the attack path success probabilities, calculated using the logical sum method. It provides a comprehensive evaluation of the likelihood of an attack succeeding within the network. The max risk refers to the value of the attack path with the highest risk. It helps to identify the specific nodes or paths the most exposed to security threats. The total risk is the sum of the values of all the attack paths, serving as a metric for evaluating the overall security threat level of the network. These metrics provide a comprehensive framework for evaluating the potential vulnerabilities in satellite networks and the effectiveness of different security strategies.

This study initially conducted a security assessment of threat vectors ($t{v}_{13},t{v}_{23}$) targeting the space segment of a satellite network. The experimental results are presented in

Table 8. Security assessment using the vulnerability score.

(a) Targeting the space segment
Threat Vector	Countermeasure	No. of Paths	Path Length		Probability		Risk
			Short	Mean	Max	Total	Max	Total
$t{v}_{13}$	No Patch	5	2	2.50	0.88	0.99	5.5	25.2
	OS Patch	5	2	2.40	0.85	0.97	4.8	22.5
	Protocol Patch	5	2	2.30	0.86	0.98	5.0	24.0
	Both Patches	3	3	3.00	0.78	0.95	4.5	21.0
	CFR	5	2	2.40	0.88	0.98	5.0	24.2
$t{v}_{23}$	No Patch	4	3	2.75	0.88	0.99	5.8	25.5
	OS Patch	3	3	2.67	0.85	0.98	5.4	23.0
	Protocol Patch	3	3	2.67	0.88	0.98	5.6	24.2
	Both Patches	2	3	3.00	0.78	0.95	4.9	19.8
	CFR	4	3	2.75	0.88	0.98	5.6	24.2
(b) Originating in the space segment
Threat Vector	Countermeasure	No. of Paths	Path Length		Probability		Risk
			Short	Mean	Max	Total	Max	Total
$t{v}_{123}$-MEO	No Patch	5	3	2.80	0.98	0.99	6.3	30.5
	OS Patch	5	3	2.80	0.95	0.99	6.0	28.2
	Protocol Patch	4	4	3.25	0.88	0.99	5.6	24.2
	Both Patches	3	4	4.00	0.78	0.95	5.0	21.3
	CFR	5	3	2.80	0.95	0.99	6.0	28.2
$t{v}_{123}$-LEO	No Patch	8	2	2.75	0.88	0.99	5.9	24.8
	OS Patch	7	2	2.50	0.85	0.97	5.8	22.5
	Protocol Patch	6	3	3.00	0.78	0.95	5.7	21.0
	Both Patches	5	3	3.20	0.75	0.94	5.4	19.2
	CFR	7	2	2.50	0.85	0.97	5.8	22.5

a, while Figure 9 provides a radar chart visualization of the vulnerability scores, illustrating the relative changes in the security metrics through max normalization. The analysis shows that in the no-patch scenario, the total risk scores for $t{v}_{13}$ and $t{v}_{23}$ were measured at 25.2 and 25.5, respectively. The analysis of the effects of the patch application demonstrated that applying the OS patch or protocol patch resulted in either maintaining or reducing the average path length, with a corresponding decrease in the total risk. For instance, in $t{v}_{23}$, the total risk decreased to 23.0 after applying the OS patch. When both patches were applied, the average path length increased, and the total risk was reduced to 21.0 for $t{v}_{13}$ and 19.8 for $t{v}_{23}$, marking the lowest levels observed. This suggests that extending attack paths effectively reduces the probability of the attack success, highlighting the application of both patches as an effective threat mitigation strategy. Meanwhile, with the CFR strategy, the average path length and total risk remained at 2.40 and 24.2, respectively. This indicates that CFR is effective at blocking specific critical paths but does not substantially improve the overall network security posture. Therefore, although CFR may address certain types of threats, it underscores the necessity for additional security measures to optimize the entire network structure.

Next, Table 8 presents the security assessment results for a scenario where threats originate from the space segment and propagate across the entire network. Figure 9 employs a radar chart to visually analyze these results, applying max normalization to effectively illustrate the relative variations among the security metrics. According to the analysis, the total risk of $t{v}_{123}$_-MEO in the no-patch scenario was the highest, at 30.5. This indicates that without the implementation of security measures, $t{v}_{123}$_-MEO is highly susceptible to severe security threats. In contrast, when both patches were applied, the total risk decreased to 21.3, demonstrating that applying both patches is an effective strategy for mitigating threats.

For $t{v}_{123}$_-LEO, the total risk was evaluated at 24.8 in the no-patch scenario but decreased to 22.5 after applying the OS patch. When the protocol patch and both patches were applied, the total risk decreased to 21.0 and 19.2, respectively, demonstrating that patch applications contribute to enhancing the security of the satellite network. Meanwhile, with the CFR strategy, the total risk for both scenarios was measured at 28.2 and 22.5, respectively, suggesting that blocking major attack paths can partially mitigate security threats. Additionally, increases in the shortest path and average path lengths were observed after the application of patches. This indicates that attackers would need to traverse longer paths to reach target systems, thereby validating the effectiveness of the implemented security measures. For instance, in the case of $t{v}_{123}$_-MEO, the shortest path length was 3, and the average path length was 2.80 in the no-patch scenario. After applying both patches, both metrics increased to 4.00. This demonstrates that the strategy of applying both patches effectively blocks or reroutes specific attack paths, thereby reducing the likelihood of the attack success. In conclusion, by increasing the shortest path length and significantly reducing the total risk, both patches can be evaluated as the most effective security strategy.

4.3. Attack Impact Metrics

According to the security assessment results, we analyzed $t{v}_{123}$_-LEO, which represents the general attack trends observed across multiple scenarios. The key impact metrics, including the path length, probability, and risk, are summarized in Table 8b.

Table 9. Security assessment using attack impact metrics.

(a) Targeting the space segment
ThreatVector	Countermeasure	Rating	Impact	Evaluation
$t{v}_{13}$	No Patch	Almost Certain	Significant	Extreme
	OS Patch	Almost Certain	Moderate	High
	Protocol Patch	Almost Certain	Moderate	High
	Both Patches	Likely	Moderate	Medium
	CFR	Almost Certain	Moderate	High
$t{v}_{23}$	No Patch	Almost Certain	Significant	Extreme
	OS Patch	Almost Certain	Moderate	High
	Protocol Patch	Almost Certain	Moderate	High
	Both Patches	Likely	Moderate	Medium
	CFR	Almost Certain	Moderate	High
(b) Originating in the space segment
ThreatVector	Countermeasure	Rating	Impact	Evaluation
$t{v}_{123}$-MEO	No Patch	Almost Certain	Significant	Extreme
	OS Patch	Almost Certain	Significant	Extreme
	Protocol Patch	Almost Certain	Moderate	High
	Both Patches	Likely	Moderate	Medium
	CFR	Almost Certain	Significant	Extreme
$t{v}_{123}$-LEO	No Patch	Almost Certain	Significant	Extreme
	OS Patch	Almost Certain	Moderate	High
	Protocol Patch	Almost Certain	Moderate	High
	Both Patches	Likely	Moderate	Medium
	CFR	Almost Certain	Moderate	High

presents the security assessment of each threat vector based on attack impact metrics. To systematically assess the security improvements introduced by different countermeasures, we evaluated their impacts on attack probability reduction and risk mitigation.

• OS Patch: Applying the OS patch mitigates host-based exploitation risks by addressing software vulnerabilities. The max probability decreases from 0.88 to 0.85, and the max risk is lowered from 5.9 to 5.8, leading to a partial reduction in security threats. However, as this does not mitigate network-layer threats, vulnerabilities such as CVE-2023-2319 (the GCS privilege escalation) remain critical risks. This vulnerability allows unauthorized system control, increasing the likelihood of command manipulation. Furthermore, protocol-layer vulnerabilities, including unauthorized command injection via the CCSDS, remain exploitable, highlighting the OS patch’s limitation in securing communication channels within satellite networks. Despite a marginal reduction in attack probability, the overall risk classification remains high;
• Protocol Patch: The protocol patch addresses communication-based vulnerabilities, reducing the max probability to 0.78 and the max risk to 5.7 and demonstrating higher effectiveness against network-layer threats. This patch effectively mitigates CVE-2019-11815 (CCSDS stack overflow) and CVE-2018-17174 (NMEA injection), preventing attackers from exploiting protocol weaknesses to manipulate satellite transmissions. However, as it does not protect against host-based threats; adversaries can still exploit OS vulnerabilities to compromise ground stations or satellite control systems. Because of this limitation, the overall risk classification improves from high to medium;
• Both Patches: The approach of combining the OS and protocol patches yields the most significant security improvement, reducing the max probability to 0.75 and the max risk to 5.4. This dual-layer protection mitigates multilayered-attack scenarios, where adversaries exploit both host and protocol vulnerabilities. A critical example is CVE-2022-23937 (LEO satellite command injection), which enables unauthorized satellite command execution through weaknesses in OS-based access control and protocol authentication mechanisms. By mitigating both host- and network-layer vulnerabilities, this strategy substantially reduces attack success rates. The overall risk classification improves from high to medium, confirming its effectiveness in mitigating satellite network threats;
• CFR: CFR enhances network security by filtering malicious traffic and restricting unauthorized data flows within satellite communication channels. However, it does not eliminate underlying vulnerabilities, maintaining the max probability at 0.85 and the max risk at 5.8. For instance, attackers can still exploit CVE-2023-38346 (the MEO data corruption attack) to manipulate stored satellite data, bypassing filtering mechanisms. This demonstrates that although CFR effectively reduces the attack surface by blocking certain vectors, it does not fully mitigate risk. Consequently, the overall risk classification remains high.

These findings highlight the necessity of a layered security strategy that integrates OS hardening, protocol-layer protections, and access control enforcement for effective threat mitigation. The analysis confirms that both patches provide the most effective mitigation, offering multisegment protection against host-based, protocol-based, and hybrid attack vectors. Although CFR enhances the access control, it is insufficient for mitigating advanced threats in satellite networks.

4.4. Discussion and Future Work

This study evaluated mitigation strategies for satellite network security using three metrics: the network centrality measure, vulnerability score, and attack impact metrics. The results show that the strategy using both patches, which combines the OS and protocol patches, was the most effective. It reduced the centralities of critical nodes, such as the RT, GW₁, and the IoT, disrupting attack paths and minimizing the network’s attack surface. The CFR strategy blocked specific paths but had limited impact on the overall security, highlighting the need for its combination with the strategy of applying both patches for comprehensive defense. Further exploration of the OS patch, protocol patch, and CFR is needed for optimal deployment in satellite environments. OS patching requires secure update mechanisms to reduce downtime and prevent attacks, while protocol patching provides robust protection but may require firmware modifications. CFR restricts high-risk commands but should be optimized to suit space-borne system limitations. Future research could focus on balancing security with operational efficiency to minimize performance impacts. Implementing these measures requires careful consideration of costs, power consumption, and system maintenance. OS patching demands secure update channels and monitoring, while protocol patching may incur additional certification and redesign costs. CFR’s computational overhead may affect the system performance, requiring optimization for real-time processing in satellite systems.

Compared with previous studies that have focused primarily on host-based vulnerabilities or isolated attack scenarios, such as jamming and satellite hijacking, this study provides a multisegment security evaluation by integrating host and protocol-layer assessments. Prior research has often lacked structured security metrics to quantify risk reductions after countermeasures, making it difficult to compare security strategies. Unlike conventional models, such as HARM and BAG, which focus on hierarchical attack representation and static risk estimation, TV-HARM incorporates multisegment dependencies and dynamic attack propagation. This approach allows for a more precise assessment of cascading threats across interconnected satellite, ground, and user segments. By leveraging TV-HARM and quantitative security metrics, this study enables a structured and comparative assessment of mitigation effectiveness, offering a systematic evaluation of real-world security threats in satellite networks. These findings highlight the need for structured security assessments that ensure that mitigation strategies are both effective and applicable in real-world scenarios.

TV-HARM offers a promising approach for enhancing satellite network security, but its deployment in commercial and government infrastructures presents additional challenges. Its feasibility depends on adaptability to mission-critical systems with strict latency and resource constraints. Compliance with international satellite security regulations, such as those set by the International Telecommunication Union (ITU) and 3GPP (Third-Generation Partnership Project)’s Non-Terrestrial Network (NTN) standards, is crucial for broader adoption and interoperability across global satellite systems. Unlike previous studies that have focused on qualitative risk assessments, TV-HARM provides a structured, quantitative method for evaluating security threats in satellite networks. Traditional security models often address isolated vulnerabilities or specific attack vectors, which are less effective in dynamic environments. By incorporating multisegment interactions and quantifying countermeasure impacts, TV-HARM offers a more comprehensive framework for security assessments, making it highly applicable to real-world satellite network defense strategies. To further enhance TV-HARM’s applicability, considerations such as bandwidth limitations, onboard computational constraints, and real-time security demands should be addressed. Refining the model to support lightweight threat detection mechanisms will improve its adaptability for resource-constrained satellite platforms. Future research should explore the tradeoff between security improvements and system performance, considering limitations in satellite payloads, real-time decision making, and ground station connectivity for updates. Additionally, large-scale simulations and real-world case studies will offer valuable insights into the model’s performance, reinforcing its potential as a scalable, adaptable security framework for next-generation satellite networks. Building upon these findings, several challenges remain for future work.

First, this study primarily focused on software and network vulnerabilities, while wireless-communication-specific threats, such as jamming and spoofing, were beyond the scope of this research. Future research should address radio-frequency (RF) attacks and signal manipulation techniques to achieve a more comprehensive evaluation of satellite network security. The implementation of anti-jamming strategies, GNSS-spoofing detection methods, and interference mitigation techniques will strengthen the security framework of satellite communications.

Second, the application of AI-based security mechanisms for real-time threat detection and mitigation requires further exploration. One potential direction is the use of large language models (LLMs) for packet-level anomaly detection in satellite networks. Future studies should investigate how LLM-based models can analyze telemetry data and communication logs to detect malicious patterns in network traffic. By training LLMs on extensive datasets of legitimate and anomalous satellite communications, these models could improve adaptive threat detection and reduce response times against emerging cyberthreats. Additionally, combining deep-learning techniques with LLM-based models may enhance protocol behavior analysis, enabling the automated identification of unauthorized command injections and spoofed control messages.

Finally, although the mitigation strategies evaluated in this study proved to be effective in a controlled test environment, their practical implementation in operational satellite networks presents additional challenges. The remote deployment of security patches is particularly challenging in space environments because of strict update validation requirements, limited downlink/uplink bandwidths, and the risk of service disruptions. Furthermore, protocol patching often requires firmware modifications, which may not be feasible for legacy satellite systems. Future research should investigate secure, lightweight update mechanisms that minimize operational overhead while ensuring the timely deployment of security patches.

5. Conclusions

This study extends the applicability of TV-HARM to satellite networks by integrating quantitative security assessment metrics and analyzing multisegment attack propagation. Unlike conventional security models that primarily rely on qualitative assessments, the proposed framework enables a structured and comparative evaluation of mitigation strategies. The experimental results demonstrate that a multilayered-defense approach, particularly the combined application of OS and protocol patches, is the most effective in reducing the attack probability and overall risk. By simultaneously mitigating host-based and protocol-based vulnerabilities, this approach effectively limits attack propagation across network segments. However, despite these countermeasures, residual security threats persist, underscoring the need for continuous security updates and proactive threat mitigation strategies.

Although this study primarily focuses on software and protocol vulnerabilities, future research should address wireless communication threats, including RF jamming and GNSS spoofing, which remain outside the current scope. Furthermore, the integration of AI-driven security mechanisms, such as large language models (LLMs) for anomaly detection, can improve automated threat analysis and response in satellite networks. Nevertheless, this study makes several key contributions to satellite network security. By introducing a structured methodology for threat modeling and security assessment, this study makes a significant contribution to satellite network security. It extends the applicability of TV-HARM beyond traditional SDN environments, demonstrating its effectiveness in satellite-specific threat modeling. Furthermore, the refinement of TV-HARM for multisegment attack analysis, combined with a systematic evaluation of security countermeasures using quantitative metrics, provides a comprehensive assessment of mitigation strategies. These contributions lay the foundation for expanding the framework’s applicability in real-world satellite environments and further improving security models to address the complexities of satellite-based communication systems.