A spacecraft launched with a compromised component cannot be recalled. The aerospace supply chain spans hundreds of organisations: prime contractors, sub-contractors, component manufacturers, software vendors, ASIC and FPGA designers, launch service providers, and ground station operators. SPARTA technique IA-0001 (Supply Chain Compromise) is one of the most dangerous initial access vectors in the framework, because it bypasses all perimeter defences. The threat is already inside the mission before launch.
SPARTA IA-0001 has three sub-techniques, each representing a distinct attack vector with different characteristics and countermeasures.
Malicious components, counterfeit parts, or hardware backdoors in ASICs and FPGAs. A compromised radiation-hardened processor could provide persistent, undetectable access for the entire mission lifetime. Radiation-hardened components have a very limited supplier base — often single-source — creating concentration risk. Counterfeit components entering the supply chain through grey-market distributors are a documented problem in defence procurement.
Malicious code inserted into third-party libraries, operating systems, or flight software components during development. The SolarWinds attack in 2020 demonstrated how a single compromised software build environment can affect thousands of organisations globally, the same vector applies directly to spacecraft flight software. A compromised open-source library embedded in flight software could activate post-launch, exfiltrating mission data or awaiting a trigger command.
SPARTA EXF-0008 describes attackers breaching development environments pre-launch to embed telemetry taps, extended logging, or data export features into flight builds. These activate post-launch, exfiltrating mission data through legitimate downlink channels. The attack is invisible until the data exfiltration is detected, which requires monitoring of telemetry anomalies at the Indicators of Behaviour level.
Spacecraft use COTS components at an unprecedented scale, particularly in small satellites and mega-constellations. Long development timelines of 3–7 years mean components sourced years ago may have unknown vulnerabilities that were discovered after procurement. Radiation-hardened components have a very limited supplier base, creating concentration risk that has no equivalent in commercial IT. Many aerospace suppliers are SMEs with limited cybersecurity maturity; they are the weakest link in a supply chain that feeds directly into national security assets.
The Space ISAC reported approximately 25 space-sector organisations targeted by ransomware in 2024, many via supply chain vectors. A January 2026 Crisis24 analysis noted that thousands of small satellites for logistics, broadband, and remote sensing increase the number of supply chain attack points exponentially.
A comprehensive supply chain security programme for space missions requires controls across the full lifecycle: from component procurement through launch and into operations.
Software Bill of Materials (SBOM): Know every component in your flight software stack — every library, every dependency, every version. An SBOM enables rapid assessment when a new CVE is disclosed in a component that may be embedded in your FSW.
Hardware provenance tracking: Chain of custody for every physical component, from manufacturer through integration. This is the hardware equivalent of an SBOM.
Developer environment security: CI/CD pipeline hardening, code signing, access controls, and anomaly monitoring for the build environment. SPARTA EXF-0008 attacks the build environment — securing it requires Zero Trust principles applied to the development workflow.
Contractor security assessments: Require all suppliers to meet minimum cybersecurity standards aligned to NIST SP 800-161 (Supply Chain Risk Management) and ISO 27001 Annex A.15.
Pre-launch security review: An independent assessment of the mission's supply chain risk posture before launch — the last opportunity to identify compromised components before they are permanently beyond reach.
SPARTA maps specific countermeasures to each IA-0001 sub-technique. Hardware compromise is addressed through hardware provenance controls and trusted supplier programmes. Software compromise is addressed through code signing, SBOM management, and developer environment security. Development environment compromise requires Zero Trust architecture for all development systems, with no implicit trust for any developer, vendor, or contractor.
These controls align to NIST SP 800-161 (Supply Chain Risk Management) and the UK MOD Defence Cyber Check supply chain requirements, which are increasingly applicable to space contractors in the UK defence sector.
The supply chain is the adversary's preferred route into a space mission; it is stealthy, persistent, and often impossible to detect post-launch. A vulnerability embedded pre-launch may not be exploited until years into the mission. Security must be built into the supply chain from the earliest design phase, not bolted on at launch readiness review.