Master Converged Detection Engineering.
“The adversary suffers when they cannot hide, and every move is seen.”
Two days in, the Space Cybersecurity Operations and Resilience department you are building has evidence to stand on: Kestrel Orbital’s three departments share a platform model and a threat catalogue written against it, and both came out of sessions the departments showed up for. Today you hand the pen to Satellite Design & Engineering: the engineers open their artifacts and walk each threat with you into the attacker’s likely route through the platform. You drive the organization to evolve into a converged data-and-signals approach that illuminates complex attack patterns and reduces adversary dwell time, and the paths you trace build toward the detection methods Executive Order 14144 requires.
DAY 3 START
Today you trace how an adversary would move through the telecommand path to realize each Day 2 threat, and name the data you would need to see each step. Yesterday the Security Operations Center grounded the threats; today Satellite Design & Engineering brings the build knowledge that turns each threat into a walkable path, the department’s first full working day inside the shared model. The paths and source inventory feed the detection methods Executive Order 14144 requires.
MAP THE ATTACK PATHS
Six artifacts on the table. Satellite Design & Engineering owns the deepest knowledge of how the platform actually moves data and commands, and today the department lays that knowledge open: the six artifacts below, brought to the table because two days of shared work earned the ask. You walk them together for every attack path you enumerate today. Each one tells you something different about where an attacker could enter, where they could pivot, and what they would touch on the way.
System block diagrams: what subsystem connects to what, over which bus, with which authentication boundary.
How a single telecommand actually moves from operator console through C&DH to the receiving subsystem.
How mission data moves on-board, where it’s buffered, where it’s signed, where it’s downlinked.
Wire-level protocol specs: CCSDS framing, MIL-STD-1553 bus traffic, SpaceWire, internal handshakes.
What runs on the OBC, how commands are parsed and dispatched, what behaviors are hard-coded vs reconfigurable.
Vendor provenance for each firmware and hardware item: who built it, when, with which signing pipeline.
CONVERGED DETECTION ENGINEERING PROCESS
Inputs. Yesterday’s enumerated threat set, fourteen threats anchored to the telecommand path, and a working session with Satellite Design & Engineering. Output. One AN-ATT element per attack path, with TOE listing every structural element the path traverses end-to-end. Six steps, fixed order. Set LAYER (always AN), identify the source, set TAG (ATT), assign the ORDINAL, enumerate the TOE chain, then build the detection-source inventory. Constraint. Every element must enumerate a complete TOE; an attack path with no structural traversal is a hypothesis, not a path.
AN-ATT).00 (AN:ATT:Attack Path:00, AN:ATT:Attack Path:01, and so on); one ordinal per distinct attack path.USER SEGMENT ATTACK PATHS
Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.
| ID | AN-ATT ETEN | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AN:ATT:Attack Path:00 |
Operator-console credential theft via spear-phishing or credential stuffing: attacker harvests operator credentials, signs into the console workstation, and issues commands within the operator’s authority.
DRIVEN BY
AN:THR:Threat:01 (Console credential theft)TOE CHAIN SEG:US:User:00 → SVC:CP:Control Plane:13 (console ops) → AST:HW:Hardware:04 (console workstation) → AST:DA:Data:03 (HSM keys) → SVC:CP:Control Plane:15 (user-side ACA)STEPS
STEPS AND SOURCE INVENTORY
SOURCE Industry-reported credential-theft patterns against operator workstations.
CONFIDENCE Medium. Pattern is widely reported in enterprise IT; satellite-specific incidents underreported.
|
|||||||||||||||
AN:ATT:Attack Path:01 |
End-user application tampering via supply-chain compromise: malicious update installed on the operator workstation alters displayed mission product or silently injects commands.
DRIVEN BY
AN:THR:Threat:00 (End-user application tampering)TOE CHAIN SEG:US:User:00 → AST:SW:Software:08 (end-user app SW) → SVC:DP:Data Plane:02 (mission product display) → AST:DA:Data:04 (mission product data)STEPS
STEPS AND SOURCE INVENTORY
SOURCE SolarWinds Orion compromise (2020, CISA AA20-352A) as supply-chain pattern reference.
CONFIDENCE Medium. Pattern documented in IT supply chains; satellite-app analogue is inferred.
|
GROUND SEGMENT ATTACK PATHS
Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.
| ID | AN-ATT ETEN | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AN:ATT:Attack Path:02 |
Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the legitimate modem management interface → push of a wiper as a firmware update payload → modem flash and SPI EEPROM overwritten, modems bricked.
DRIVEN BY
AN:THR:Threat:02 (Long-dwell ground-network intrusion)TOE CHAIN SEG:GR:Ground:00 → SVC:CP:Control Plane:08 (ground crypto) → SVC:CP:Control Plane:09 (ground ACA) → AST:SW:Software:02 (ground ACA SW) → AST:DA:Data:01 (ACA credentials) → AST:DA:Data:02 (patch binaries) → AST:SW:Software:03 (patch deployment SW) → SVC:CP:Control Plane:12 (patch updates)STEPS
STEPS AND SOURCE INVENTORY
SOURCE Viasat post-incident report (30 March 2022); CISA AA22-110A; SentinelLabs AcidRain analysis. Path confirmed by post-incident analysis on the KA-SAT network (24 Feb 2022).
CONFIDENCE High. Path matches the public reconstruction of the KA-SAT outage.
|
|||||||||||||||||||||
AN:ATT:Attack Path:03 |
Operator credential theft via phishing or credential stuffing on ground-station service accounts → sign-in to mission ops console → commands issued within stolen account’s authority.
DRIVEN BY
AN:THR:Threat:03 (Operator credential theft)TOE CHAIN SEG:GR:Ground:00 → AST:DA:Data:01 (ACA credentials) → SVC:CP:Control Plane:09 (ground ACA) → SVC:CP:Control Plane:13 (console ops)STEPS
STEPS AND SOURCE INVENTORY
SOURCE MITRE ATT&CK T1078 (Valid Accounts); industry-reported satellite-operator phishing campaigns.
CONFIDENCE Medium. Pattern frequently observed; per-operator details non-public.
|
|||||||||||||||||||||
AN:ATT:Attack Path:04 |
Privileged insider with command authority issues unauthorized commands directly from a commanding workstation, bypassing peer review.
DRIVEN BY
AN:THR:Threat:04 (Privileged insider misuse)TOE CHAIN SEG:GR:Ground:00 → AST:HW:Hardware:04 (console workstation) → AST:SW:Software:04 (console SW) → SVC:CP:Control Plane:13 (console ops) → SVC:CP:Control Plane:09 (ground ACA)STEPS
STEPS AND SOURCE INVENTORY
SOURCE MITRE ATT&CK T1078.003 (Local Accounts); NIST SP 800-53 PS-7 insider-threat models.
CONFIDENCE Medium. Insider patterns well-documented; satellite-specific incidents underreported.
|
|||||||||||||||||||||
AN:ATT:Attack Path:05 |
Lateral movement from compromised operator workstation through the operator network into mission-control hosts.
DRIVEN BY
AN:THR:Threat:05 (Lateral movement to mission control)TOE CHAIN SEG:GR:Ground:00 → AST:HW:Hardware:04 (console HW) → AST:SW:Software:04 (console SW) → SVC:CP:Control Plane:13 (console ops) → SVC:CP:Control Plane:09 (ground ACA)STEPS
STEPS AND SOURCE INVENTORY
SOURCE MITRE ATT&CK TA0008 (Lateral Movement); composite from enterprise intrusion reporting.
CONFIDENCE Medium. Pattern enterprise-standard; satellite mission-control specifics platform-dependent.
|
|||||||||||||||||||||
AN:ATT:Attack Path:06 |
Ransomware against the launch-control / patch-deployment pipeline: criminal actor encrypts launch-control hosts and patch binaries, denying both launch ops and the ability to push corrective firmware.
DRIVEN BY
AN:THR:Threat:06 (Ransomware against launch infrastructure)TOE CHAIN SEG:GR:Ground:00 → SVC:CP:Control Plane:10 (launch control) → SVC:CP:Control Plane:12 (patch pipeline) → AST:DA:Data:02 (patch binaries) → AST:SW:Software:03 (patch deployment SW)STEPS
STEPS AND SOURCE INVENTORY
SOURCE CISA Stop Ransomware advisories; pattern observed in critical-infrastructure ransomware (2021–2024).
CONFIDENCE Medium. Ransomware well-documented; satellite launch-control incidents rare in public reporting.
|
LINK SEGMENT ATTACK PATHS
Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.
| ID | AN-ATT ETEN | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AN:ATT:Attack Path:07 |
Sustained RF noise injection across uplink/downlink bands to deny communications. May be paired with timing knowledge of overhead passes.
DRIVEN BY
AN:THR:Threat:07 (Jamming campaign)TOE CHAIN SEG:LI:Link:00 → SVC:CP:Control Plane:05 (link ACA) → SVC:HY:Hybrid:01 (FEC/ECC) → SVC:HY:Hybrid:02 (T2 tracking) → AST:SI:Signal:00 (uplink/downlink waveforms)STEPS
STEPS AND SOURCE INVENTORY
SOURCE Jamming campaigns affecting satellite communications during the Russia–Ukraine conflict (2022–2024); ITU interference reports.
CONFIDENCE High. Patterns directly reported by multiple operators and governments.
|
|||||||||||||||
AN:ATT:Attack Path:08 |
Replay-and-spoof against the uplink command waveform paired with stolen session keys to bypass authentication and issue commands the spacecraft accepts as legitimate.
DRIVEN BY
AN:THR:Threat:08 (Replay-and-spoof on uplink)TOE CHAIN SEG:LI:Link:00 → AST:SI:Signal:00 (uplink waveform) → AST:DA:Data:00 (link ACA credentials) → SVC:CP:Control Plane:05 (link ACA) → SVC:CP:Control Plane:09 (ground ACA)STEPS
STEPS AND SOURCE INVENTORY
SOURCE Aerospace Corp. SPARTA framework SPACE-T1428 (Replay Attacks).
CONFIDENCE Medium. Theoretically grounded; public attribution of successful replay-and-spoof against operational satellites is limited.
|
|||||||||||||||
AN:ATT:Attack Path:09 |
Passive downlink interception: collector with sufficient antenna gain reads mission product and telemetry off the downlink waveform without active transmission.
DRIVEN BY
AN:THR:Threat:09 (Downlink interception)TOE CHAIN SEG:LI:Link:00 → AST:SI:Signal:00 (downlink waveform) → AST:SW:Software:01 (payload command encoder) → SVC:HY:Hybrid:02 (T2 tracking)STEPS
STEPS AND SOURCE INVENTORY
SOURCE Long-standing SIGINT discipline. SPARTA SPACE-T1427 (Eavesdropping on Communications).
CONFIDENCE High. Eavesdropping on unencrypted satellite downlinks is widely documented.
|
SPACE SEGMENT ATTACK PATHS
Each row is one AN-ATT element enumerated with Satellite Design & Engineering. The path is driven by an AN-THR from yesterday's set. The TOE chain lists every structural element the attacker would touch in order. The Steps and Source Inventory block names, for each step on the path, the required data or signal source needed to observe it, plus the status of that source on the platform: Available with a source identifier, Partial, or Gap. The source inventory is the second deliverable of Converged Detection Engineering and is what Day 4 reads when authoring signatures and playbooks.
| ID | AN-ATT ETEN | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AN:ATT:Attack Path:10 |
Destructive bus attack chained from a stolen command path: attacker reaches the command authority service, issues sequences ADCS/EPS/FTS will execute, ending the mission.
DRIVEN BY
AN:THR:Threat:10 (Destructive bus attack)TOE CHAIN SEG:SP:Space:00 → SVC:CP:Control Plane:00 (ADCS) → SVC:CP:Control Plane:02 (EPS) → SVC:CP:Control Plane:03 (FTS) → AST:HW:Hardware:00 (ADCS sensors) → AST:SW:Software:00 (ADCS FSW) → AST:HW:Hardware:01 (power chain) → AST:HW:Hardware:02 (FTS receiver) → AST:FW:Firmware:00 (FTS firmware)STEPS
STEPS AND SOURCE INVENTORY
SOURCE SPARTA SPACE-T1029 (Disrupt). Galaxy 15 (2010) drift event as illustrative bus-failure consequence.
CONFIDENCE Medium. Path elements technically grounded; no public attribution of a successful end-to-end destructive cyber attack on a Western commercial bus.
|
|||||||||||||||
AN:ATT:Attack Path:11 |
Command-path integrity attack: attacker manipulates the C&DH command-processing pipeline or the space-side cryptographic service so subsequent commands are accepted as authorized.
DRIVEN BY
AN:THR:Threat:11 (Command-path integrity attack)TOE CHAIN SEG:SP:Space:00 → SVC:HY:Hybrid:00 (C&DH) → SVC:CP:Control Plane:01 (space-side crypto) → AST:HW:Hardware:06 (OBC/OBDH) → AST:FW:Firmware:01 (OBC firmware) → AST:SW:Software:06 (C&DH FSW)STEPS
STEPS AND SOURCE INVENTORY
SOURCE SPARTA SPACE-T1014 (Software Modification) and SPACE-T1042 (Compromise Software Supply Chain).
CONFIDENCE Medium. Technically grounded; specific Western on-orbit incidents are not publicly disclosed.
|
|||||||||||||||
AN:ATT:Attack Path:12 |
Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, and runs in orbit after launch.
DRIVEN BY
AN:THR:Threat:12 (Supply-chain firmware compromise)TOE CHAIN SEG:SP:Space:00 → SVC:CP:Control Plane:03 (FTS) → SVC:CP:Control Plane:04 (TCS) → SVC:CP:Control Plane:02 (EPS) → AST:FW:Firmware:00 (FTS firmware) → AST:FW:Firmware:01 (OBC firmware) → AST:FW:Firmware:02 (payload firmware)STEPS
STEPS AND SOURCE INVENTORY
SOURCE SolarWinds (2020, CISA AA20-352A) and CCleaner (2017) as supply-chain references; SPARTA SPACE-T1041.
CONFIDENCE Medium. Supply-chain compromise well-documented in IT; satellite firmware analogue structurally identical.
|
|||||||||||||||
AN:ATT:Attack Path:13 |
Payload-data tampering between the science instrument and the downlink encryptor: attacker with on-board execution alters mission product before it is signed and downlinked.
DRIVEN BY
AN:THR:Threat:13 (Payload-data tampering)TOE CHAIN SEG:SP:Space:00 → SVC:DP:Data Plane:00 (mission data plane) → SVC:DP:Data Plane:01 (payload data plane) → AST:HW:Hardware:07 (payload electronics) → AST:FW:Firmware:02 (payload firmware)STEPS
STEPS AND SOURCE INVENTORY
SOURCE SPARTA SPACE-T1059 (Modify On-Board Values).
CONFIDENCE Low–Medium. Technically grounded; no public reports of a successful attack of this kind.
|
DAY 3 COMPLETE · FOURTEEN ATTACK PATHS
One attack path per threat, walked with Satellite Design & Engineering. Every element’s TOE chain names the services and assets the attacker would traverse, and every element cites the public reporting or framework reference the path is anchored to. Written in the shared five-field form, the paths read the same to all three departments, and the strongest of them, like the KA-SAT reconstruction, are exactly the kind of runnable analysis the organization’s Space ISAC channel exists to exchange.
| ID | Description | Driven by |
|---|---|---|
AN:ATT:Attack Path:00 |
Operator-console credential theft via spear-phishing or credential stuffing: attacker harvests operator credentials, signs into the console workstation, and issues commands within the operator’s authority. | AN:THR:Threat:01 (Console credential theft) |
AN:ATT:Attack Path:01 |
End-user application tampering via supply-chain compromise: malicious update installed on the operator workstation alters displayed mission product or silently injects commands. | AN:THR:Threat:00 (End-user application tampering) |
AN:ATT:Attack Path:02 |
Mass modem firmware-wipe via management-plane abuse: external VPN appliance compromise → management network access → abuse of the legitimate modem management interface → push of a wiper as a firmware update payload → modem flash and SPI EEPROM overwritten, modems bricked. | AN:THR:Threat:02 (Long-dwell ground-network intrusion) |
AN:ATT:Attack Path:03 |
Operator credential theft via phishing or credential stuffing on ground-station service accounts → sign-in to mission ops console → commands issued within stolen account’s authority. | AN:THR:Threat:03 (Operator credential theft) |
AN:ATT:Attack Path:04 |
Privileged insider with command authority issues unauthorized commands directly from a commanding workstation, bypassing peer review. | AN:THR:Threat:04 (Privileged insider misuse) |
AN:ATT:Attack Path:05 |
Lateral movement from compromised operator workstation through the operator network into mission-control hosts. | AN:THR:Threat:05 (Lateral movement to mission control) |
AN:ATT:Attack Path:06 |
Ransomware against the launch-control / patch-deployment pipeline: criminal actor encrypts launch-control hosts and patch binaries, denying both launch ops and the ability to push corrective firmware. | AN:THR:Threat:06 (Ransomware against launch infrastructure) |
AN:ATT:Attack Path:07 |
Sustained RF noise injection across uplink/downlink bands to deny communications. May be paired with timing knowledge of overhead passes. | AN:THR:Threat:07 (Jamming campaign) |
AN:ATT:Attack Path:08 |
Replay-and-spoof against the uplink command waveform paired with stolen session keys to bypass authentication and issue commands the spacecraft accepts as legitimate. | AN:THR:Threat:08 (Replay-and-spoof on uplink) |
AN:ATT:Attack Path:09 |
Passive downlink interception: collector with sufficient antenna gain reads mission product and telemetry off the downlink waveform without active transmission. | AN:THR:Threat:09 (Downlink interception) |
AN:ATT:Attack Path:10 |
Destructive bus attack chained from a stolen command path: attacker reaches the command authority service, issues sequences ADCS/EPS/FTS will execute, ending the mission. | AN:THR:Threat:10 (Destructive bus attack) |
AN:ATT:Attack Path:11 |
Command-path integrity attack: attacker manipulates the C&DH command-processing pipeline or the space-side cryptographic service so subsequent commands are accepted as authorized. | AN:THR:Threat:11 (Command-path integrity attack) |
AN:ATT:Attack Path:12 |
Pre-launch firmware supply-chain compromise: malicious firmware reaches a vendor build pipeline, ships into a flight component, and runs in orbit after launch. | AN:THR:Threat:12 (Supply-chain firmware compromise) |
AN:ATT:Attack Path:13 |
Payload-data tampering between the science instrument and the downlink encryptor: attacker with on-board execution alters mission product before it is signed and downlinked. | AN:THR:Threat:13 (Payload-data tampering) |
DAY 3 COMPLETE
What you built today. Fourteen AN-ATT elements enumerated with Satellite Design & Engineering. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Every element walks an end-to-end attacker traversal through real services and assets on the platform, anchored to public reporting or framework reference. No hypothetical paths; every element is grounded. Satellite Design & Engineering spent the day writing in the language it helped build, and the other two departments can read every path without a briefing. The paths and their source inventory feed the detection methods Executive Order 14144 requires on the command path.
Your role here. Detection engineering is the third of the five functions where a Full Spectrum professional drives change, and you don’t have to be the detection expert or the spacecraft engineer to lead it. Security Operations, Satellite Operations, and Satellite Design & Engineering can sometimes be provided by separate organizations, so your job is to build the cross-functional team and converge their data and signals into shared detections. That is what makes this function a deliberate point of insertion for transforming how those organizations defend the platform together.
DHS Science & Technology reports an on-board detection gap: most satellite detection today is telemetry-based, and many cyberattacks cannot be seen through telemetry alone. DHS and Aerospace Corp. built an on-board IDS prototype, SpaceCOP, around malware-agnostic Indicators of Behavior to close it. Converged detection engineering targets exactly this gap. Source: Air & Space Forces Magazine, Nov. 19, 2025.

DAY 3 COMPLETE
You enumerated fourteen attack paths against the command path and the data each one would expose, with Satellite Design & Engineering walking every chain beside you. Tomorrow, Day 4 turns them into the detection signatures and response playbooks the mandates’ detect-report-recover duties call for.
INCIDENT RESPONSE
PREPAREDNESS.
Day 3 done. Tomorrow (Day 4 / Mod 04 · Incident Response Preparedness), you turn today’s attack paths and data sources into the signatures that fire so IR knows which playbook to run, inside the reporting deadlines NIS2 sets.
A multiple-choice exam aligned with Module 03 KSAT areas. Drawn at random from a question bank covering Function THREE's taxonomy element (AN-ATT), its TARGET attachment (TOE), and the production flow into the next function. Exam scaffolding wired in next iteration.