UTC
01
FUNCTION 01 FUNCTION 02 FUNCTION 05 FUNCTION 04 CONVERGED DETECTION ENGINEERING FUNCTION 03
Function Three
CONVERGED DETECTION
ENGINEERING

Master Converged Detection Engineering.

“The adversary suffers when they cannot hide, and every move is seen.”

Two days in, the Space Cybersecurity Operations and Resilience department you are building has evidence to stand on: Kestrel Orbital’s three departments share a platform model and a threat catalogue written against it, and both came out of sessions the departments showed up for. Today you hand the pen to Satellite Design & Engineering: the engineers open their artifacts and walk each threat with you into the attacker’s likely route through the platform. You drive the organization to evolve into a converged data-and-signals approach that illuminates complex attack patterns and reduces adversary dwell time, and the paths you trace build toward the detection methods Executive Order 14144 requires.

MODULE THREE
01/11
00
DAY 3 · Converged Detection Engineering

DAY 3 START

Today you trace how an adversary would move through the telecommand path to realize each Day 2 threat, and name the data you would need to see each step. Yesterday the Security Operations Center grounded the threats; today Satellite Design & Engineering brings the build knowledge that turns each threat into a walkable path, the department’s first full working day inside the shared model. The paths and source inventory feed the detection methods Executive Order 14144 requires.

MODULE THREE
00/00
UTC
03
L1 · day 3 opens with Satellite Design & Engineering

MAP THE ATTACK PATHS

Six artifacts on the table. Satellite Design & Engineering owns the deepest knowledge of how the platform actually moves data and commands, and today the department lays that knowledge open: the six artifacts below, brought to the table because two days of shared work earned the ask. You walk them together for every attack path you enumerate today. Each one tells you something different about where an attacker could enter, where they could pivot, and what they would touch on the way.

ARCHITECTURE
▷ ARTIFACT · 01
ARCHITECTURE

System block diagrams: what subsystem connects to what, over which bus, with which authentication boundary.

COMMAND FLOWS
▷ ARTIFACT · 02
COMMAND FLOWS

How a single telecommand actually moves from operator console through C&DH to the receiving subsystem.

DATA FLOWS
▷ ARTIFACT · 03
DATA FLOWS

How mission data moves on-board, where it’s buffered, where it’s signed, where it’s downlinked.

INTERFACE SPECS
▷ ARTIFACT · 04
INTERFACE SPECS

Wire-level protocol specs: CCSDS framing, MIL-STD-1553 bus traffic, SpaceWire, internal handshakes.

FLIGHT SOFTWARE
▷ ARTIFACT · 05
FLIGHT SOFTWARE

What runs on the OBC, how commands are parsed and dispatched, what behaviors are hard-coded vs reconfigurable.

SUPPLY CHAIN
▷ ARTIFACT · 06
SUPPLY CHAIN

Vendor provenance for each firmware and hardware item: who built it, when, with which signing pipeline.

MODULE THREE
03/11
UTC
04
A2 · enumerating attack-path elements

CONVERGED DETECTION ENGINEERING PROCESS

Inputs. Yesterday’s enumerated threat set, fourteen threats anchored to the telecommand path, and a working session with Satellite Design & Engineering. Output. One AN-ATT element per attack path, with TOE listing every structural element the path traverses end-to-end. Six steps, fixed order. Set LAYER (always AN), identify the source, set TAG (ATT), assign the ORDINAL, enumerate the TOE chain, then build the detection-source inventory. Constraint. Every element must enumerate a complete TOE; an attack path with no structural traversal is a hypothesis, not a path.

01
Enumerate the LAYER
LAYER = AN (fixed; identifies this as an Analytic Layer element).
02
Identify the source
Adversary-behavior catalog (MITRE ATT&CK, MITRE ATLAS, SPARTA), internal red-team report, architecture review, or peer-shared attack-path documentation. The source is what makes the path citable and reproducible.
03
Set the TAG to ATT
The element identifies this as an Attack-Path element within the Analytic Layer (AN-ATT).
04
Assign an ORDINAL
Two-digit ordinal starting at 00 (AN:ATT:Attack Path:00, AN:ATT:Attack Path:01, and so on); one ordinal per distinct attack path.
05
Enumerate the TOE chain
Target of Exploitation: an ordered list of every structural element the path traverses end-to-end, written as fully-qualified populated instances (PCE, SEG, SVC, AST). One step per traversal; each step names the structural element it touches.
06
Build the source inventory
For each step in the TOE chain, enumerate the data or signal source a defender needs to observe the step happening. Mark the status of each source on the platform: Available with a source identifier, Partial, or Gap. Gaps are recorded explicitly and assigned an owner. The source inventory is the second CDE deliverable and is what Day 4 reads when authoring signatures and playbooks.
Repeat for the next attack path. When every catalogued threat has at least one realizable path enumerated, the AN-ATT enumeration is current.
MODULE THREE
04/11
UTC
05
B1 · attack paths traversing the user segment

USER SEGMENT ATTACK PATHS

Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.

ID AN-ATT ETEN
AN:ATT:Attack Path:00
Operator-console credential theft via spear-phishing or credential stuffing: attacker harvests operator credentials, signs into the console workstation, and issues commands within the operator’s authority.
DRIVEN BY
AN:THR:Threat:01 (Console credential theft)
TOE CHAIN
SEG:US:User:00 → SVC:CP:Control Plane:13 (console ops) → AST:HW:Hardware:04 (console workstation) → AST:DA:Data:03 (HSM keys) → SVC:CP:Control Plane:15 (user-side ACA)
STEPS
  1. AST:HW:Hardware:04 · Compromise of console workstation via credential theft or session hijack.
  2. AST:SW:Software:04 · Console operator software is launched with attacker credentials.
  3. SVC:CP:Control Plane:15 · User-side access control authority issues a session with the stolen credentials.
  4. SVC:CP:Control Plane:13 · Console operations service accepts the issued session and the operator can command.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:HW:Hardware:04Workstation authentication telemetry; console-host endpoint detection and response (EDR) events.Available; onboarded as src-edr-console-001.
AST:SW:Software:04Console operator software audit log; process-start events from the workstation EDR.Available; onboarded as src-console-sw-002.
SVC:CP:Control Plane:15User-side access control authority sign-in event stream; identity-provider session log.Available; onboarded as src-idp-user-003.
SVC:CP:Control Plane:13Console operations command audit; per-session command log.Available; onboarded as src-console-ops-004.
SOURCE Industry-reported credential-theft patterns against operator workstations.
CONFIDENCE Medium. Pattern is widely reported in enterprise IT; satellite-specific incidents underreported.
AN:ATT:Attack Path:01
End-user application tampering via supply-chain compromise: malicious update installed on the operator workstation alters displayed mission product or silently injects commands.
DRIVEN BY
AN:THR:Threat:00 (End-user application tampering)
TOE CHAIN
SEG:US:User:00 → AST:SW:Software:08 (end-user app SW) → SVC:DP:Data Plane:02 (mission product display) → AST:DA:Data:04 (mission product data)
STEPS
  1. AST:SW:Software:08 · Adversary replaces or modifies the end-user application binary.
  2. AST:DA:Data:04 · Tampered application produces or modifies mission product data.
  3. SVC:DP:Data Plane:02 · Modified product is presented to the user through the user application data plane.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:SW:Software:08File-integrity-monitoring events on the end-user application path; code-signing verification result.Available; onboarded as src-fim-user-005.
AST:DA:Data:04Mission-product data integrity log; per-product hash record.Available; onboarded as src-mission-prod-006.
SVC:DP:Data Plane:02User application data-plane audit; presentation-layer event stream.Available; onboarded as src-user-dp-007.
SOURCE SolarWinds Orion compromise (2020, CISA AA20-352A) as supply-chain pattern reference.
CONFIDENCE Medium. Pattern documented in IT supply chains; satellite-app analogue is inferred.
2PATHS
MODULE THREE
05/11
UTC
06
B1 · attack paths traversing the ground segment

GROUND SEGMENT ATTACK PATHS

Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.

ID AN-ATT ETEN
AN:ATT:Attack Path:02
Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the legitimate modem management interface → push of a wiper as a firmware update payload → modem flash and SPI EEPROM overwritten, modems bricked.
DRIVEN BY
AN:THR:Threat:02 (Long-dwell ground-network intrusion)
TOE CHAIN
SEG:GR:Ground:00 → SVC:CP:Control Plane:08 (ground crypto) → SVC:CP:Control Plane:09 (ground ACA) → AST:SW:Software:02 (ground ACA SW) → AST:DA:Data:01 (ACA credentials) → AST:DA:Data:02 (patch binaries) → AST:SW:Software:03 (patch deployment SW) → SVC:CP:Control Plane:12 (patch updates)
STEPS
  1. SEG:GR:Ground:00 · Compromise of an external VPN appliance facing the management network.
  2. SVC:CP:Control Plane:08 · Pivot into ground crypto and management control plane using VPN-derived credentials.
  3. SVC:CP:Control Plane:09 · Ground access control authority issues subscriber-modem command privileges.
  4. AST:SW:Software:03 · Patch deployment software stages the wiper as a firmware update payload.
  5. AST:DA:Data:02 · Patch binary store holds the malicious payload that will be pushed.
  6. SVC:CP:Control Plane:12 · The update service delivers the wiper payload and fielded terminals flash it over their firmware.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
SEG:GR:Ground:00VPN appliance authentication and session telemetry; egress NetFlow from the management subnet.Available; onboarded as src-vpn-008.
SVC:CP:Control Plane:08Ground-crypto authentication audit; management-plane authentication and authorization audit log.Available; onboarded as src-mgmt-cp-009.
SVC:CP:Control Plane:09Ground access control authority sign-in log; per-session command audit.Available; onboarded as src-ground-aca-010.
AST:SW:Software:03Patch-deployment software command audit; firmware-update API call log including payload hash and signing manifest reference.Available; onboarded as src-patch-sw-011.
AST:DA:Data:02Patch-binary hash audit; signed-manifest verification result.Available; onboarded as src-patch-bin-012.
SVC:CP:Control Plane:12Per-device flash-write event reported through the update service, with hash of the image actually written; signed-update verification result.Available; onboarded as src-modem-fw-013.
SOURCE Viasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis. Path confirmed by post-incident analysis on the KA-SAT network (24 Feb 2022).
CONFIDENCE High. Path matches the public reconstruction of the KA-SAT outage.
AN:ATT:Attack Path:03
Operator credential theft via phishing or credential stuffing on ground-station service accounts → sign-in to mission ops console → commands issued within stolen account’s authority.
DRIVEN BY
AN:THR:Threat:03 (Operator credential theft)
TOE CHAIN
SEG:GR:Ground:00 → AST:DA:Data:01 (ACA credentials) → SVC:CP:Control Plane:09 (ground ACA) → SVC:CP:Control Plane:13 (console ops)
STEPS
  1. AST:DA:Data:01 · Operator credentials are stolen via phishing or replay.
  2. SVC:CP:Control Plane:09 · Ground access control authority authenticates the stolen credentials.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:DA:Data:01Credential-store auth audit; impossible-travel detector input.Available; onboarded as src-cred-audit-014.
SVC:CP:Control Plane:09Identity-provider sign-in event stream; geolocation and device-fingerprint telemetry.Available; onboarded as src-idp-ground-015.
SOURCE MITRE ATT&CK T1078 (Valid Accounts); industry-reported satellite-operator phishing campaigns.
CONFIDENCE Medium. Pattern frequently observed; per-operator details non-public.
AN:ATT:Attack Path:04
Privileged insider with command authority issues unauthorized commands directly from a commanding workstation, bypassing peer review.
DRIVEN BY
AN:THR:Threat:04 (Privileged insider misuse)
TOE CHAIN
SEG:GR:Ground:00 → AST:HW:Hardware:04 (console workstation) → AST:SW:Software:04 (console SW) → SVC:CP:Control Plane:13 (console ops) → SVC:CP:Control Plane:09 (ground ACA)
STEPS
  1. AST:HW:Hardware:04 · Insider with legitimate access uses the operator console.
  2. AST:SW:Software:04 · Console operator software issues high-impact commands without peer review.
  3. SVC:CP:Control Plane:13 · Console operations service executes the commands against the platform.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:HW:Hardware:04Per-operator console-usage stream; workstation endpoint detection and response baseline.Available; onboarded as src-console-baseline-016.
AST:SW:Software:04Console operator software command audit; peer-review tag stream on the commanding workflow.Partial; peer-review tag stream depends on workflow adoption. Owner: Security Operations.
SVC:CP:Control Plane:13Console operations command audit; per-command cadence baseline.Available; onboarded as src-console-ops-017.
SOURCE MITRE ATT&CK T1078.003 (Local Accounts); NIST SP 800-53 PS-7 insider-threat models.
CONFIDENCE Medium. Insider patterns well-documented; satellite-specific incidents underreported.
AN:ATT:Attack Path:05
Lateral movement from compromised operator workstation through the operator network into mission-control hosts.
DRIVEN BY
AN:THR:Threat:05 (Lateral movement to mission control)
TOE CHAIN
SEG:GR:Ground:00 → AST:HW:Hardware:04 (console HW) → AST:SW:Software:04 (console SW) → SVC:CP:Control Plane:13 (console ops) → SVC:CP:Control Plane:09 (ground ACA)
STEPS
  1. AST:HW:Hardware:04 · Compromised operator workstation initiates east-west connections.
  2. SVC:CP:Control Plane:13 · Console operations host receives connections from outside the documented allow-list.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:HW:Hardware:04Workstation connection logs; endpoint detection and response process-network event stream.Available; onboarded as src-edr-net-018.
SVC:CP:Control Plane:13East-west network flow telemetry from operator subnet to mission-control subnet; allow-list configuration source.Available; onboarded as src-netflow-mc-019.
SOURCE MITRE ATT&CK TA0008 (Lateral Movement); composite from enterprise intrusion reporting.
CONFIDENCE Medium. Pattern enterprise-standard; satellite mission-control specifics platform-dependent.
AN:ATT:Attack Path:06
Ransomware against the launch-control / patch-deployment pipeline: criminal actor encrypts launch-control hosts and patch binaries, denying both launch ops and the ability to push corrective firmware.
DRIVEN BY
AN:THR:Threat:06 (Ransomware against launch infrastructure)
TOE CHAIN
SEG:GR:Ground:00 → SVC:CP:Control Plane:10 (launch control) → SVC:CP:Control Plane:12 (patch pipeline) → AST:DA:Data:02 (patch binaries) → AST:SW:Software:03 (patch deployment SW)
STEPS
  1. SEG:GR:Ground:00 · Ransomware actor obtains foothold on ground infrastructure.
  2. SVC:CP:Control Plane:10 · Mass-encryption activity hits launch-control file systems.
  3. AST:DA:Data:02 · Patch binary store is encrypted, breaking the deployment pipeline.
  4. SVC:CP:Control Plane:12 · Patch-update service cannot ship to the platform.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
SEG:GR:Ground:00Initial-access telemetry: VPN appliance auth, phishing-click event stream, public-facing service auth log.Available; onboarded as src-init-access-020.
SVC:CP:Control Plane:10Launch-control host file-integrity monitoring; entropy-shift indicator stream.Available; onboarded as src-fim-launch-021.
AST:DA:Data:02Patch-binary integrity stream; backup-system event audit.Available; onboarded as src-patch-integrity-022.
SVC:CP:Control Plane:12Patch-update service availability monitor; dispatch-failure event stream.Available; onboarded as src-patch-svc-023.
SOURCE CISA Stop Ransomware advisories; pattern observed in critical-infrastructure ransomware (2021–2024).
CONFIDENCE Medium. Ransomware well-documented; satellite launch-control incidents rare in public reporting.
5PATHS
MODULE THREE
06/11
UTC
07
B1 · attack paths traversing the link segment

LINK SEGMENT ATTACK PATHS

Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.

ID AN-ATT ETEN
AN:ATT:Attack Path:07
Sustained RF noise injection across uplink/downlink bands to deny communications. May be paired with timing knowledge of overhead passes.
DRIVEN BY
AN:THR:Threat:07 (Jamming campaign)
TOE CHAIN
SEG:LI:Link:00 → SVC:CP:Control Plane:05 (link ACA) → SVC:HY:Hybrid:01 (FEC/ECC) → SVC:HY:Hybrid:02 (T2 tracking) → AST:SI:Signal:00 (uplink/downlink waveforms)
STEPS
  1. AST:SI:Signal:00 · Adversary radiates interference across uplink or downlink bands.
  2. SVC:HY:Hybrid:02 · Track-and-tracking service sees sustained noise-floor anomaly.
  3. SVC:CP:Control Plane:05 · Link access control authority logs degraded authentication outcomes.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:SI:Signal:00Per-band signal-to-noise ratio and bit-error-rate telemetry from the ground receiver.Available; onboarded as src-rx-rf-024.
SVC:HY:Hybrid:02Tracking service noise-floor stream; out-of-band emission monitor.Available; onboarded as src-tnt-noise-025.
SVC:CP:Control Plane:05Link access control authority failure-rate stream; correlation with space-weather feed to rule out scintillation.Available; onboarded as src-link-aca-026.
SOURCE Jamming campaigns affecting satellite communications during the Russia–Ukraine conflict (2022–2024); ITU interference reports.
CONFIDENCE High. Patterns directly reported by multiple operators and governments.
AN:ATT:Attack Path:08
Replay-and-spoof against the uplink command waveform paired with stolen session keys to bypass authentication and issue commands the spacecraft accepts as legitimate.
DRIVEN BY
AN:THR:Threat:08 (Replay-and-spoof on uplink)
TOE CHAIN
SEG:LI:Link:00 → AST:SI:Signal:00 (uplink waveform) → AST:DA:Data:00 (link ACA credentials) → SVC:CP:Control Plane:05 (link ACA) → SVC:CP:Control Plane:09 (ground ACA)
STEPS
  1. AST:DA:Data:00 · Adversary captures a legitimate command waveform with valid authentication tags.
  2. AST:SI:Signal:00 · Captured waveform is replayed with altered timing.
  3. SVC:CP:Control Plane:05 · Link access control authority accepts the replayed command.
  4. SVC:CP:Control Plane:09 · Ground-side key-material audit shows session keys appearing where not expected.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:DA:Data:00Link authentication credential sequence-number log; replay-window record.Partial; sequence-number persistence depends on retention policy. Owner: Satellite Design & Engineering.
AST:SI:Signal:00Uplink command-timing telemetry; on-board command-cadence baseline.Available; onboarded as src-uplink-timing-027.
SVC:CP:Control Plane:05Link access control authority auth audit; out-of-band command acknowledgement stream.Available; onboarded as src-link-aca-028.
SVC:CP:Control Plane:09Ground-side key-material audit; key-usage event correlation.Available; onboarded as src-key-mat-029.
SOURCE Aerospace Corp. SPARTA framework SPACE-T1428 (Replay Attacks).
CONFIDENCE Medium. Theoretically grounded; public attribution of successful replay-and-spoof against operational satellites is limited.
AN:ATT:Attack Path:09
Passive downlink interception: collector with sufficient antenna gain reads mission product and telemetry off the downlink waveform without active transmission.
DRIVEN BY
AN:THR:Threat:09 (Downlink interception)
TOE CHAIN
SEG:LI:Link:00 → AST:SI:Signal:00 (downlink waveform) → AST:SW:Software:01 (payload command encoder) → SVC:HY:Hybrid:02 (T2 tracking)
STEPS
  1. AST:SI:Signal:00 · Adversary collects downlink signal off-air.
  2. SVC:DP:Data Plane:00 · Intercepted mission product is later disclosed externally.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:SI:Signal:00No on-platform observable: downlink interception is passive.GAP; primary mitigation is end-to-end downlink encryption (covered by AN-RES:09).
SVC:DP:Data Plane:00External: open-source-intelligence collection monitor; threat-intel feeds for leaked mission-product mentions.Available; onboarded as src-osint-disclosure-030.
SOURCE Long-standing SIGINT discipline. SPARTA SPACE-T1427 (Eavesdropping on Communications).
CONFIDENCE High. Eavesdropping on unencrypted satellite downlinks is widely documented.
3PATHS
MODULE THREE
07/11
UTC
08
B1 · attack paths traversing the space segment

SPACE SEGMENT ATTACK PATHS

Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.

ID AN-ATT ETEN
AN:ATT:Attack Path:10
Destructive bus attack chained from a stolen command path: attacker reaches the command authority service, issues sequences ADCS/EPS/FTS will execute, ending the mission.
DRIVEN BY
AN:THR:Threat:10 (Destructive bus attack)
TOE CHAIN
SEG:SP:Space:00 → SVC:CP:Control Plane:00 (ADCS) → SVC:CP:Control Plane:02 (EPS) → SVC:CP:Control Plane:03 (FTS) → AST:HW:Hardware:00 (ADCS sensors) → AST:SW:Software:00 (ADCS FSW) → AST:HW:Hardware:01 (power chain) → AST:HW:Hardware:02 (FTS receiver) → AST:FW:Firmware:00 (FTS firmware)
STEPS
  1. SVC:CP:Control Plane:00 · Adversary issues attitude-control command that violates operational envelope.
  2. AST:SW:Software:00 · Attitude-control flight software accepts and executes the destructive command.
  3. SVC:CP:Control Plane:03 · Flight-termination service arms outside permitted window.
  4. AST:FW:Firmware:00 · Flight-termination firmware logs the destructive command sequence.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
SVC:CP:Control Plane:00Attitude control system command-acceptance log; envelope-check telemetry stream.Available; onboarded as src-adcs-cmd-031.
AST:SW:Software:00Attitude-control flight software command audit; runtime-state telemetry.Available; onboarded as src-adcs-fsw-032.
SVC:CP:Control Plane:03Flight-termination service arming-window state; arming-command telemetry.Available; onboarded as src-fts-arm-033.
AST:FW:Firmware:00Flight-termination firmware accepted-command log; envelope-violation telemetry.Available; onboarded as src-fts-fw-034.
SOURCE SPARTA SPACE-T1029 (Disrupt). Galaxy 15 (2010) drift event as illustrative bus-failure consequence.
CONFIDENCE Medium. Path elements technically grounded; no public attribution of a successful end-to-end destructive cyber attack on a Western commercial bus.
AN:ATT:Attack Path:11
Command-path integrity attack: attacker manipulates the C&DH command-processing pipeline or the space-side cryptographic service so subsequent commands are accepted as authorized.
DRIVEN BY
AN:THR:Threat:11 (Command-path integrity attack)
TOE CHAIN
SEG:SP:Space:00 → SVC:HY:Hybrid:00 (C&DH) → SVC:CP:Control Plane:01 (space-side crypto) → AST:HW:Hardware:06 (OBC/OBDH) → AST:FW:Firmware:01 (OBC firmware) → AST:SW:Software:06 (C&DH FSW)
STEPS
  1. SVC:HY:Hybrid:00 · Command and data handling service accepts a command-path modification.
  2. AST:HW:Hardware:06 · On-board computer state changes outside authorized command sequence.
  3. AST:FW:Firmware:01 · On-board computer boot firmware reports a modified attestation hash at next boot.
  4. AST:SW:Software:06 · Command and data handling flight software runs a modified image.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
SVC:HY:Hybrid:00Command and data handling command-acceptance audit; per-command attestation correlation.Available; onboarded as src-cdh-cmd-035.
AST:HW:Hardware:06On-board computer attestation report; runtime state-hash stream.Available; onboarded as src-obc-attest-036.
AST:FW:Firmware:01On-board computer boot firmware attestation hash; boot-cycle attestation event.Available; onboarded as src-obc-boot-037.
AST:SW:Software:06Running-image hash stream; correlation of flight-software state changes against accepted-command log.Available; onboarded as src-cdh-fsw-038.
SOURCE SPARTA SPACE-T1014 (Software Modification) and SPACE-T1042 (Compromise Software Supply Chain).
CONFIDENCE Medium. Technically grounded; specific Western on-orbit incidents are not publicly disclosed.
AN:ATT:Attack Path:12
Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, and runs in orbit after launch.
DRIVEN BY
AN:THR:Threat:12 (Supply-chain firmware compromise)
TOE CHAIN
SEG:SP:Space:00 → SVC:CP:Control Plane:03 (FTS) → SVC:CP:Control Plane:04 (TCS) → SVC:CP:Control Plane:02 (EPS) → AST:FW:Firmware:00 (FTS firmware) → AST:FW:Firmware:01 (OBC firmware) → AST:FW:Firmware:02 (payload firmware)
STEPS
  1. AST:FW:Firmware:00 · Adversary substitutes a tampered flight-termination firmware build during supply.
  2. AST:FW:Firmware:01 · Tampered on-board computer firmware is delivered through the same supply chain.
  3. AST:FW:Firmware:02 · Tampered payload firmware is delivered through the same supply chain.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:FW:Firmware:00Hardware-integration-lab measured-boot attestation; vendor signed manifest.Available; onboarded as src-fts-supply-039.
AST:FW:Firmware:01Hardware-integration-lab attestation for on-board computer firmware; SLSA provenance attestation.Available; onboarded as src-obc-supply-040.
AST:FW:Firmware:02Hardware-integration-lab attestation for payload firmware; vendor signed manifest.Available; onboarded as src-pl-supply-041.
SOURCE SolarWinds (2020, CISA AA20-352A) and CCleaner (2017) as supply-chain references; SPARTA SPACE-T1041.
CONFIDENCE Medium. Supply-chain compromise well-documented in IT; satellite firmware analogue structurally identical.
AN:ATT:Attack Path:13
Payload-data tampering between the science instrument and the downlink encryptor: attacker with on-board execution alters mission product before it is signed and downlinked.
DRIVEN BY
AN:THR:Threat:13 (Payload-data tampering)
TOE CHAIN
SEG:SP:Space:00 → SVC:DP:Data Plane:00 (mission data plane) → SVC:DP:Data Plane:01 (payload data plane) → AST:HW:Hardware:07 (payload electronics) → AST:FW:Firmware:02 (payload firmware)
STEPS
  1. AST:HW:Hardware:07 · Payload electronics produce a mission product; on-board signing applies the platform signature.
  2. SVC:DP:Data Plane:01 · Payload data plane carries the signed product to the ground.
  3. AST:DA:Data:04 · Mission product data is delivered to consumers with the on-board signature.
STEPS AND SOURCE INVENTORY
PATH STEP (TOE)REQUIRED DATA / SIGNAL SOURCESTATUS
AST:HW:Hardware:07On-board mission-product signing log; per-product signature record.Available; onboarded as src-pl-sign-042.
SVC:DP:Data Plane:01Payload data plane signature-verification result at downlink; integrity-check audit.Available; onboarded as src-pl-dp-043.
AST:DA:Data:04Mission product service signature-verification event; consumer integrity-receipt log.Available; onboarded as src-mission-receipt-044.
SOURCE SPARTA SPACE-T1059 (Modify On-Board Values).
CONFIDENCE Low–Medium. Technically grounded; no public reports of a successful attack of this kind.
4PATHS
MODULE THREE
08/11
UTC
09
S1 · the day’s full enumerated attack-path set

DAY 3 COMPLETE · FOURTEEN ATTACK PATHS

One attack path per threat, walked with Satellite Design & Engineering. Every element’s TOE chain names the services and assets the attacker would traverse, and every element cites the public reporting or framework reference the path is anchored to. Written in the shared five-field form, the paths read the same to all three departments, and the strongest of them, like the KA-SAT reconstruction, are exactly the kind of runnable analysis the organization’s Space ISAC channel exists to exchange.

ID Description Driven by
AN:ATT:Attack Path:00 Operator-console credential theft via spear-phishing or credential stuffing: attacker harvests operator credentials, signs into the console workstation, and issues commands within the operator’s authority. AN:THR:Threat:01 (Console credential theft)
AN:ATT:Attack Path:01 End-user application tampering via supply-chain compromise: malicious update installed on the operator workstation alters displayed mission product or silently injects commands. AN:THR:Threat:00 (End-user application tampering)
AN:ATT:Attack Path:02 Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the legitimate modem management interface → push of a wiper as a firmware update payload → modem flash and SPI EEPROM overwritten, modems bricked. AN:THR:Threat:02 (Long-dwell ground-network intrusion)
AN:ATT:Attack Path:03 Operator credential theft via phishing or credential stuffing on ground-station service accounts → sign-in to mission ops console → commands issued within stolen account’s authority. AN:THR:Threat:03 (Operator credential theft)
AN:ATT:Attack Path:04 Privileged insider with command authority issues unauthorized commands directly from a commanding workstation, bypassing peer review. AN:THR:Threat:04 (Privileged insider misuse)
AN:ATT:Attack Path:05 Lateral movement from compromised operator workstation through the operator network into mission-control hosts. AN:THR:Threat:05 (Lateral movement to mission control)
AN:ATT:Attack Path:06 Ransomware against the launch-control / patch-deployment pipeline: criminal actor encrypts launch-control hosts and patch binaries, denying both launch ops and the ability to push corrective firmware. AN:THR:Threat:06 (Ransomware against launch infrastructure)
AN:ATT:Attack Path:07 Sustained RF noise injection across uplink/downlink bands to deny communications. May be paired with timing knowledge of overhead passes. AN:THR:Threat:07 (Jamming campaign)
AN:ATT:Attack Path:08 Replay-and-spoof against the uplink command waveform paired with stolen session keys to bypass authentication and issue commands the spacecraft accepts as legitimate. AN:THR:Threat:08 (Replay-and-spoof on uplink)
AN:ATT:Attack Path:09 Passive downlink interception: collector with sufficient antenna gain reads mission product and telemetry off the downlink waveform without active transmission. AN:THR:Threat:09 (Downlink interception)
AN:ATT:Attack Path:10 Destructive bus attack chained from a stolen command path: attacker reaches the command authority service, issues sequences ADCS/EPS/FTS will execute, ending the mission. AN:THR:Threat:10 (Destructive bus attack)
AN:ATT:Attack Path:11 Command-path integrity attack: attacker manipulates the C&DH command-processing pipeline or the space-side cryptographic service so subsequent commands are accepted as authorized. AN:THR:Threat:11 (Command-path integrity attack)
AN:ATT:Attack Path:12 Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, and runs in orbit after launch. AN:THR:Threat:12 (Supply-chain firmware compromise)
AN:ATT:Attack Path:13 Payload-data tampering between the science instrument and the downlink encryptor: attacker with on-board execution alters mission product before it is signed and downlinked. AN:THR:Threat:13 (Payload-data tampering)
14PATHS
MODULE THREE
09/11
UTC
10
Work role ability confirmation · what you are now able to perform at your work center

DAY 3 COMPLETE

What you built today. Fourteen AN-ATT elements enumerated with Satellite Design & Engineering. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Every element walks an end-to-end attacker traversal through real services and assets on the platform, anchored to public reporting or framework reference. No hypothetical paths; every element is grounded. Satellite Design & Engineering spent the day writing in the language it helped build, and the other two departments can read every path without a briefing. The paths and their source inventory feed the detection methods Executive Order 14144 requires on the command path.

Your role here. Detection engineering is the third of the five functions where a Full Spectrum professional drives change, and you don’t have to be the detection expert or the spacecraft engineer to lead it. Security Operations, Satellite Operations, and Satellite Design & Engineering can sometimes be provided by separate organizations, so your job is to build the cross-functional team and converge their data and signals into shared detections. That is what makes this function a deliberate point of insertion for transforming how those organizations defend the platform together.

From the field · policy evidence

DHS Science & Technology reports an on-board detection gap: most satellite detection today is telemetry-based, and many cyberattacks cannot be seen through telemetry alone. DHS and Aerospace Corp. built an on-board IDS prototype, SpaceCOP, around malware-agnostic Indicators of Behavior to close it. Converged detection engineering targets exactly this gap. Source: Air & Space Forces Magazine, Nov. 19, 2025.

DAY 3 COMPLETE · ATTACK PATHS ENUMERATED WITH SATELLITE DESIGN & ENGINEERING
Working session with Satellite Design & Engineering walking each threat into the attacker’s likely route through the platform
Full Spectrum Space Cybersecurity Professional briefing Security Operations, Satellite Operations, and Satellite Design and Engineering with the platform vocabulary on the wall, threat markers from yesterday still visible AND new blue attack-path traversal lines drawn through specific decomposed elements showing the chains an attacker would walk. Dark operations center setting with cyan task lighting on the board and warm amber ambient lighting.
MODULE THREE
10/11
00
DAY 3 COMPLETE · Converged Detection Engineering

DAY 3 COMPLETE

You enumerated fourteen attack paths against the command path and the data each one would expose, with Satellite Design & Engineering walking every chain beside you. Tomorrow, Day 4 turns them into the detection signatures and response playbooks the mandates’ detect-report-recover duties call for.

MODULE THREE
00/00
UTC
END
INCIDENT RESPONSE PREPAREDNESS FUNCTION 04
Function THREE complete · Function Four next

INCIDENT RESPONSE
PREPAREDNESS.

Day 3 done. Tomorrow (Day 4 / Mod 04 · Incident Response Preparedness), you turn today’s attack paths and data sources into the signatures that fire so IR knows which playbook to run, inside the reporting deadlines NIS2 sets.

STARTING POINT
A complete Concept of Operations structural decomposition and a mission-specific threat catalogue from Contextualized Threat Modeling. No attack paths enumerated yet; you know what threats apply but not how an adversary would traverse the platform to realize them.
FINISH LINE
A complete map of attack paths (AN-ATT) drawn from the Contextualized Threat Modeling threat catalogue, each spanning the chain of structural elements an adversary would touch from initial access to objective. Ready for Module 04 to enumerate the data and signal sources needed to detect each path step.
▷ MODULE 03 ASSESSMENT

A multiple-choice exam aligned with Module 03 KSAT areas. Drawn at random from a question bank covering Function THREE's taxonomy element (AN-ATT), its TARGET attachment (TOE), and the production flow into the next function. Exam scaffolding wired in next iteration.

END
MODULE THREE
11/11
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).