MODULE 2
CONTEXTUALIZED THREAT MODELING
METEORSTORM™ Function Two
Overlay threat logic onto the mission architecture
40 Slides | ~50 Minutes
Module 2 — Contextualized Threat Modeling
OPERATOR: —
SCORP² Practitioner | eHs® | TLP-GREEN
2
Function Two Purpose
Function Two extends the CONOPS by asking: how could the mission fail or be deliberately disrupted?
It overlays threat logic onto the environments, segments, services, and assets defined in Function One.
The result: a threat model that is mission-specific, structurally grounded, and ready for detection engineering.
KEY QUESTION
Given YOUR mission architecture, what could cause each critical requirement to fail?
Why Mission-Anchored Threats Beat Generic Catalogs
Traditional approach: Start from a catalog of known threats and try to match them to your platform.
METEORSTORM approach: Start from YOUR mission requirements and reason outward about what could cause failure.
KEY INSIGHT
Generic catalogs miss platform-specific threats. Mission-anchored modeling ensures complete coverage by starting from what matters most: your mission.
The Four Steps of Function Two
Step 1: Identify Failure Concerns → Step 2: Define Threat Elements → Step 3: Attach to CONOPS → Step 4: Validate Coverage
Each step builds on the previous, creating progressively more structured and traceable threat artifacts.
The output of Function Two feeds directly into Function Three: Converged Detection Engineering.
STEP 1: IDENTIFY FAILURE CONCERNS
Reasoning From Mission Requirements
Reasoning From Mission Requirements
For each mission requirement, ask: what could cause this to fail?
Engage subject matter experts across ALL disciplines:
- Cybersecurity analysts find cyber threats
- RF engineers find signal-layer threats
- Mission operators find timing and availability threats
- Platform engineers find physical threats
KEY PRINCIPLE
No single discipline sees all the threats. Cross-discipline engagement is mandatory.
Cross-Discipline Failure Analysis
- Network intrusion, malware, supply chain compromise, insider threats
- Jamming, spoofing, interference, signal degradation, link budget violations
- Timing constraints, command windows, orbital mechanics, contact scheduling
- Ground station access, ASAT weapons, directed energy, co-orbital threats
The convergence of these perspectives reveals threats invisible to any single team.
STARCOM-LEO: Requirements to Failure Concerns
| Mission Requirement | Failure Concern |
| Continuous broadband coverage | Loss or degradation of RF or optical links disrupting service continuity |
| Accept and execute authorized commands | Unauthorized or spoofed commands reaching satellites, causing loss of control |
| Transmit telemetry to ground | Telemetry data integrity compromise or interception |
| Relay user traffic with ≤50ms latency | Denial of service or traffic manipulation in the data plane |
| Maintain inter-satellite optical links | Disruption of optical links through dazzling, interference, or software exploitation |
Exercise: Derive Your Own Failure Concerns
- Take 3 mission requirements from your platform’s CONOPS (or from Module 1).
- For each requirement, identify at least 2 failure concerns from different disciplines.
- Document which discipline identified each concern.
If you don’t have your own platform yet, use the STARCOM-LEO requirements from Module 1.
STEP 2: DEFINE THREAT ELEMENTS
Formalizing Concerns as Analytical Objects
Formalizing Concerns as Threat Elements
Each failure concern becomes a formal Threat element (AN-THR) in the METEORSTORM analytical layer.
Assigned a structured identifier: AN: THR: Threat: XX
This transforms vague worries into analytically tractable, machine-readable objects.
Each threat gets a name, identifier, and detailed description — creating a shared vocabulary across all disciplines.
Threat Identifier Structure
The naming convention breakdown:
| Component | Meaning | Description |
| AN | Analytic Layer | The analytical/threat modeling layer of the taxonomy |
| THR | Threat Category | Identifies this as a Threat element specifically |
| Threat | Human-readable Label | The descriptive name of the specific threat |
| XX | Sequential Ordinal | Unique number for each threat in the model |
Example: AN: THR: Threat: 00 — “RF Link Interference”
THR:00 — RF Link Interference
Identifier: AN: THR: Threat: 00
Name: RF Link Interference
Description: Deliberate or environmental disruption of Ku/Ka-band RF uplink/downlink or feeder link signals, reducing data availability and constellation command capacity.
EXPOSURE DOMAINS
Electronic Warfare, Environmental — spans both adversary action and natural phenomena.
THR:01 — Unauthorized Command Injection
Identifier: AN: THR: Threat: 01
Name: Unauthorized Command Injection
Description: Adversary attempts to inject unauthorized commands into the satellite command interface, targeting the control plane to achieve unauthorized maneuvers, mode changes, or software modification.
EXPOSURE DOMAINS
Cyber, Electronic Warfare — combines digital exploitation with signal-layer access.
THR:02 — Telemetry Interception and Manipulation
Identifier: AN: THR: Threat: 02
Name: Telemetry Interception and Manipulation
Description: Interception or alteration of telemetry data in transit between satellites and ground stations, degrading operator situational awareness and enabling adversary intelligence collection.
EXPOSURE DOMAINS
Cyber, Electronic Warfare — targets data integrity and confidentiality in the control plane.
THR:03 — Data Plane Denial of Service
Identifier: AN: THR: Threat: 03
Name: Data Plane Denial of Service
Description: Volumetric or targeted disruption of user broadband traffic relay, including gateway saturation, routing table manipulation, or selective traffic dropping.
EXPOSURE DOMAINS
Cyber — targets availability of the user data plane through network-layer attacks.
THR:04 — Optical Link Disruption
Identifier: AN: THR: Threat: 04
Name: Optical Link Disruption
Description: Disruption of inter-satellite laser links through ground-based or space-based dazzling, co-orbital interference, or exploitation of link handover logic in routing software.
EXPOSURE DOMAINS
Non-Kinetic Physical, Cyber — combines directed energy with software exploitation.
THR:05 — Supply Chain Compromise
Identifier: AN: THR: Threat: 05
Name: Supply Chain Compromise
Description: Introduction of malicious code or hardware modifications through the satellite manufacturing, software development, or ground station equipment supply chain.
EXPOSURE DOMAINS
Cyber — pre-deployment compromise that persists through the entire mission lifecycle.
THR:06 — Space Environment Effects
Identifier: AN: THR: Threat: 06
Name: Space Environment Effects
Description: Orbital debris impact, solar particle events, or radiation-induced faults causing hardware degradation, memory corruption, or temporary loss of satellite capability.
EXPOSURE DOMAINS
Kinetic, Environmental — natural phenomena that produce effects indistinguishable from some attacks.
Complete Threat Element Table
| Identifier | Name | Description |
| THR:00 | RF Link Interference | Deliberate or environmental disruption of Ku/Ka-band RF signals |
| THR:01 | Unauthorized Command Injection | Adversary injection of unauthorized commands into satellite command interface |
| THR:02 | Telemetry Interception & Manipulation | Interception or alteration of telemetry data in transit |
| THR:03 | Data Plane Denial of Service | Volumetric or targeted disruption of user broadband traffic relay |
| THR:04 | Optical Link Disruption | Disruption of inter-satellite laser links through dazzling or software exploit |
| THR:05 | Supply Chain Compromise | Malicious code or hardware modifications via manufacturing/dev supply chain |
| THR:06 | Space Environment Effects | Orbital debris, solar particles, or radiation-induced faults |
Seven threats span all five exposure domains: Kinetic (debris), Non-Kinetic Physical (dazzling), EW (jamming/spoofing), Cyber (command injection, supply chain), and Environmental (radiation, particles).
STEP 3: ATTACH THREATS TO CONOPS ELEMENTS
Structural Linkage for Cross-Domain Correlation
Why Structural Attachment Matters
Without attachment, threats are abstract concepts floating in space.
Attachment transforms them into analytically tractable objects linked to specific platform elements.
Every threat connects to:
PCE (Environment) → SEG (Segment) → SVC (Service) → AST (Asset)
KEY PRINCIPLE
This structural linkage is what enables cross-domain correlation in Function Three.
Threat-to-CONOPS Mapping Structure
The mapping format links each threat to all four taxonomy layers:
Threat → PCE → SEG → SVC → AST
EXAMPLE MAPPING
THR:00 RF Link Interference
PCE: OR + TE
SEG: SP + GR + LI
SVC: CP + DP
AST: HW:00, AST:SI:00, AST:SI:02
STARCOM-LEO: RF Link Interference Mapping
THR:00 — Detailed CONOPS Attachment
| Layer | Elements | Description |
| PCE | OR, TE | Orbital (satellite RF systems) + Terrestrial (ground antennas) |
| SEG | SP, GR, LI | Space segment, Ground segment, Link segment |
| SVC | CP, DP | Control Plane (command path) + Data Plane (user traffic) |
| AST | HW:00, HW:02, HW:03, SI:00, SI:02 | Sat transceiver, ground antenna, gateway antenna, RF signals, feeder links |
STARCOM-LEO: Command Injection Mapping
THR:01 — Detailed CONOPS Attachment
| Layer | Elements | Description |
| PCE | OR, TE | Orbital (flight software) + Terrestrial (ground management) |
| SEG | SP, GR, LI | Space segment, Ground segment, Link segment |
| SVC | CP | Control Plane only — targets the command path |
| AST | SW:00, SW:01, DA:01, SI:00 | Flight software, ground constellation mgmt, command packages, RF uplink |
Complete Threat Attachment Matrix
| Threat | PCE | SEG | SVC | AST |
| THR:00 RF Link Interference | OR, TE | SP, GR, LI | CP, DP | HW:00, HW:02, HW:03, SI:00, SI:02 |
| THR:01 Command Injection | OR, TE | SP, GR, LI | CP | SW:00, SW:01, DA:01, SI:00 |
| THR:02 Telemetry Interception | OR, TE | SP, GR, LI | CP | DA:00, SI:00, SW:00 |
| THR:03 Data Plane DoS | OR, TE | SP, GR, US, LI | DP | SW:02, DA:02, HW:03, HW:04 |
| THR:04 Optical Link Disruption | OR | SP, LI | CP, DP | HW:01, SI:01, SW:02 |
| THR:05 Supply Chain Compromise | TE | SP, GR | CP, DP | SW:00, SW:01, HW:00-04 |
| THR:06 Space Environment | OR | SP | CP, DP | HW:00, HW:01, DA:00, SI:00, SI:01 |
Visualizing Threats on the CONOPS Diagram
The CONOPS diagram from Module 1 is now updated to show threat nodes.
Each threat connects to the specific PCEs, segments, services, and assets it affects.
This creates a visual threat map — the reference artifact for Function Three.
The threat-enriched CONOPS diagram becomes the primary input for detection engineering. It visually shows WHERE threats intersect with your mission architecture.
STEP 4: VALIDATE COVERAGE
Ensuring No Mission Requirement Goes Unprotected
Ensuring Complete Threat Coverage
Return to mission requirements and confirm: does every critical requirement have at least one associated threat?
Coverage gaps = blind spots in your security posture.
Gaps should be documented, assigned for follow-up, and tracked.
MISSION QUESTION
Can you trace every mission requirement to at least one identified threat? If not, where are your blind spots?
Coverage Validation Matrix
| Mission Requirement | Associated Threats | Coverage Status |
| Continuous broadband coverage | THR:00, THR:04, THR:06 | COVERED |
| Accept authorized commands | THR:01, THR:05 | COVERED |
| Transmit telemetry to ground | THR:02, THR:06 | COVERED |
| Relay user traffic ≤50ms | THR:03, THR:00 | COVERED |
| Maintain optical links | THR:04, THR:06 | COVERED |
Identifying and Documenting Gaps
What if a requirement has NO associated threats? That’s a gap.
Document gaps with: which requirement, what disciplines were consulted, what follow-up is needed.
- New services not yet threat-modeled
- Cross-domain interactions not considered
- Environmental factors overlooked
- Third-party dependencies not assessed
MISSION QUESTION
Are there mission requirements from your CONOPS that no threat currently addresses?
STARCOM-LEO: Coverage Validation Results
All five mission requirements are covered by at least two threats.
Cross-domain coverage confirmed: threats span Kinetic, Non-Kinetic Physical, EW, Cyber, and Environmental domains.
The model accounts for both deliberate adversary action AND natural environmental effects.
This validated threat model feeds directly into Function Three: Converged Detection Engineering. Every detection rule will trace back to a specific threat, which traces back to a mission requirement.
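The Step 4 coverage check, run over the attachment and coverage matrices above, as an added example (not METEORSTORM tooling or course material). The dictionary layout and the function names `parse`, `validate` and `threats_touching` are assumptions made for illustration, and `HW:00-04` is expanded to five asset IDs.

```python
# Added example: rows transcribed from this page's STARCOM-LEO tables.
LAYERS = ("PCE", "SEG", "SVC", "AST")

# Threat -> (exposure domains, PCE, SEG, SVC, AST); "HW:00-04" is expanded.
THREATS = {
    "THR:00": ("Electronic Warfare, Environmental", "OR TE", "SP GR LI", "CP DP",
               "HW:00 HW:02 HW:03 SI:00 SI:02"),
    "THR:01": ("Cyber, Electronic Warfare", "OR TE", "SP GR LI", "CP", "SW:00 SW:01 DA:01 SI:00"),
    "THR:02": ("Cyber, Electronic Warfare", "OR TE", "SP GR LI", "CP", "DA:00 SI:00 SW:00"),
    "THR:03": ("Cyber", "OR TE", "SP GR US LI", "DP", "SW:02 DA:02 HW:03 HW:04"),
    "THR:04": ("Non-Kinetic Physical, Cyber", "OR", "SP LI", "CP DP", "HW:01 SI:01 SW:02"),
    "THR:05": ("Cyber", "TE", "SP GR", "CP DP",
               "SW:00 SW:01 HW:00 HW:01 HW:02 HW:03 HW:04"),
    "THR:06": ("Kinetic, Environmental", "OR", "SP", "CP DP",
               "HW:00 HW:01 DA:00 SI:00 SI:01"),
}

# Mission requirement -> associated threats (coverage validation matrix).
COVERAGE = {
    "Continuous broadband coverage": ["THR:00", "THR:04", "THR:06"],
    "Accept authorized commands": ["THR:01", "THR:05"],
    "Transmit telemetry to ground": ["THR:02", "THR:06"],
    "Relay user traffic ≤50ms": ["THR:03", "THR:00"],
    "Maintain optical links": ["THR:04", "THR:06"],
}

def parse(threats):
    """Flat rows -> {threat: {"domains": set, "PCE": set, ..., "AST": set}}."""
    model = {}
    for tid, (domains, *cells) in threats.items():
        entry = {"domains": {d.strip() for d in domains.split(",")}}
        entry.update({layer: set(c.split()) for layer, c in zip(LAYERS, cells)})
        model[tid] = entry
    return model

def validate(coverage, model):
    """Report gaps, undefined threat IDs, unattached and unreferenced threats."""
    report = {"gaps": [], "dangling": [], "incomplete": [], "unused": []}
    used = set()
    for req, tids in coverage.items():
        known = [t for t in tids if t in model]
        report["dangling"] += [(req, t) for t in tids if t not in model]
        used.update(known)
        if not known:                          # no defined threat: a blind spot
            report["gaps"].append(req)
    for tid, entry in model.items():
        if any(not entry[layer] for layer in LAYERS):
            report["incomplete"].append(tid)   # missing a taxonomy layer
        if tid not in used:
            report["unused"].append(tid)       # traces to no requirement
    report["domains"] = set().union(*(model[t]["domains"] for t in used))
    return report

def threats_touching(model, layer, element):
    """Pivot: every threat attached to one CONOPS element, e.g. AST SI:00."""
    return sorted(t for t, e in model.items() if element in e[layer])

MODEL = parse(THREATS)
if __name__ == "__main__":
    print(validate(COVERAGE, MODEL), threats_touching(MODEL, "AST", "SI:00"))
```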
FRAMEWORK INTEGRATION
Enriching the Threat Model with External Intelligence
Cross-Referencing with MITRE ATT&CK
METEORSTORM threat elements can be mapped to ATT&CK techniques:
- THR:01 (Command Injection) maps to multiple ATT&CK techniques in Initial Access, Execution
- THR:05 (Supply Chain) maps to T1195 Supply Chain Compromise
- This enriches the threat model with the broader community’s adversary intelligence
KEY PRINCIPLE
METEORSTORM doesn’t replace ATT&CK — it provides the converged structure to apply it across all domains.
Cross-Referencing with SPARTA and SPACE-SHIELD
SPARTA catalogs space-specific adversary tactics targeting spacecraft and ground segments.
SPACE-SHIELD covers European space system threats.
METEORSTORM can ingest these frameworks, mapping their TTPs to the taxonomy layers. Space-specific TTPs get linked to PCE, SEG, SVC, AST elements in your CONOPS.
The ingested framework content becomes operationally actionable because it’s linked to YOUR mission architecture.
Layered Enrichment Model
Multiple frameworks layer into METEORSTORM’s unified threat model:
- ATT&CK: Maps to AN layer — techniques become threat enrichments
- SPARTA: Maps to PCE-OR, SEG-SP — space segment threats
- SPACE-SHIELD: Maps to space segment threats — European focus
- ATLAS: Maps to AI/ML threats on autonomy-enabled platforms
- FiGHT: Maps to 5G telecommunications threats
The result: a single, unified threat model incorporating all relevant domain knowledge.
Recording the Threat Model in MISP
- Create AN-THR tagged events in MISP for each identified threat
- Apply METEORSTORM taxonomy tags: PCE, SEG, SVC, AST for each threat
- Attach cross-references to ATT&CK, SPARTA, SPACE-SHIELD techniques
- Link threat events to CONOPS elements via MISP object relationships
The MISP-recorded threat model becomes the machine-readable, shareable foundation for all subsequent work — from detection engineering to incident response.
The Function Two Output
A contextualized threat model where every identified threat is structurally linked to platform elements.
Full traceability chain:
Mission Requirements → Failure Concerns → Threat Elements → CONOPS Attachment → Coverage Validation
CONOPS (F1) → Threat Model (F2) → Detection Architecture (F3)
Threat Model Quality Checklist
- Every mission requirement has at least one associated threat
- Threats span multiple exposure domains (not just cyber)
- Each threat is formally defined with AN-THR identifier
- Every threat is attached to specific PCE, SEG, SVC, AST elements
- Cross-references to existing frameworks are documented
- Coverage gaps are identified and assigned for follow-up
- The threat-enriched CONOPS diagram is updated and published
Module 2 Summary
- Function Two overlays threat logic onto the CONOPS from Function One
- Seven STARCOM-LEO threats span all five exposure domains
- Structural attachment transforms abstract concerns into traceable analytical objects
- The validated threat model is THE input for detection engineering in Module 3
Next: Module 3 — Converged Detection Engineering