SCOR Practitioner — Session 8: Payload Operations Exercise

MODULE 8

PAYLOAD OPERATIONS EXERCISE

Cyber Exposure Domain

Detect and respond to a malicious firmware update targeting payload systems

60 Minutes | 10 min instruction + 40 min simulation + 10 min break

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

LABS Learning Objectives

Learn, Apply, Build, Simulate

LABS Component	Type	Statement
(L)EARN	Knowledge	Knowledge of communications payload operations including transponder management, beam shaping, power allocation, link margins, and bit error rates (BER).
(L)EARN	Knowledge	Knowledge of how malicious firmware updates cause anomalous transponder reconfiguration in a space operations context.
(A)PPLY	Skill	Skill in monitoring payload health metrics to detect performance degradation across transponder channels.
(A)PPLY	Skill	Skill in detecting unauthorized configuration changes, commanding payload safe mode, and verifying system state against a known-good baseline.
(B)UILD	Ability	Ability to distinguish payload anomalies caused by malicious firmware from those caused by physical damage or environmental radiation effects.
(S)IMULATE	Task	Detect anomalous transponder behavior from a malicious firmware update, command payload safe mode, assess configuration state, and initiate firmware reload within the 40-minute exercise window.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Exercise Scenario Briefing

Students operate the 3-satellite constellation with an active communications relay payload. This exercise focuses on the Cyber exposure domain through a malicious firmware update that targets the payload processor, causing anomalous transponder reconfiguration. Students must detect the anomaly through payload telemetry, isolate the affected system, and initiate recovery procedures.

PAYLOAD CONFIGURATION

Multi-transponder communications relay payload
Configurable beam shaping and power allocation
Real-time link margin and BER monitoring
Known-good firmware baseline stored onboard

EXERCISE STRUCTURE

Phase 1: Nominal payload operations (~15 min)
Phase 2: Malicious firmware response (~25 min)
Instructor guidance available throughout
Builds on Module 6 and 7 skills

Payload anomalies can look like hardware degradation. The ability to compare current configuration against a known-good baseline is your primary diagnostic tool.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Phase 1: Nominal Payload Operations

Establishing Payload Baseline (~15 min)

Students configure transponders, monitor link margins, manage the power budget, and track user traffic across the communications relay payload. This phase builds familiarity with payload telemetry and establishes the baseline against which anomalies will be detected.

TRANSPONDER CONFIG

Frequency assignments, bandwidth allocation, power levels per channel. Students verify configuration matches the mission plan.

LINK MARGINS

Uplink/downlink signal-to-noise ratio, bit error rate monitoring, rain fade margins, adjacent channel interference levels.

POWER BUDGET

Total payload power draw, per-transponder allocation, thermal limits, bus voltage stability. Power anomalies indicate configuration changes.

PAYLOAD AWARENESS

A transponder reconfiguration that you did not command is either a fault or an intrusion. The baseline tells you which.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Phase 2: Malicious Firmware Update to Payload Processor

Cyber Exposure Domain

A firmware update causes anomalous transponder reconfiguration: unexpected frequency changes and power level modifications appear across multiple channels. Students must detect the anomaly through link margin and power telemetry, then execute the response sequence.

THREAT INDICATORS

Unexpected frequency assignments on multiple transponders
Power levels diverge from commanded configuration
BER increases on affected channels
Configuration does not match last known-good state

RESPONSE SEQUENCE

Detect anomalous transponder behavior through telemetry
Command payload safe mode to halt further changes
Verify configuration state against known-good baseline
Request firmware reload from verified onboard image

CYBER DOMAIN

CYBER — Exploitation through software, firmware, and network access. The payload still functions, but it now serves the adversary’s configuration.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Instructor Guidance Notes

This exercise introduces the Cyber domain. Instructors should:

Ensure students understand transponder configuration before introducing the anomaly
Walk operators through the safe mode command and its effects on payload operations
Explain the difference between radiation-induced bit flips and deliberate firmware modification
Guide students through the post-safing configuration assessment process
Help students understand why firmware verification against a known-good baseline is critical

The key teaching moment: malicious firmware changes are persistent and intentional, unlike single-event upsets from radiation. The pattern of changes reveals intent.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Feedback Requested from Zendir

The following questions will help finalize this exercise design. We welcome any additional recommendations.

Can your platform simulate a multi-transponder communications payload with configurable parameters?
Is firmware verification against a known-good baseline achievable within the simulation?
Can BER metrics be displayed in real-time to allow students to detect degradation?
How do you recommend visualizing the difference between current and baseline configurations?
Can payload safe mode be simulated with realistic command latency and confirmation?

COLLABORATION

Scenario design is open for Zendir’s input. We want exercises that work well on your platform.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Exposure Domain Reference: Cyber

From SCORP² Cookbook Volume 0, Section 1A.1

Cyber threats exploit software, firmware, and network vulnerabilities to gain unauthorized access, modify configurations, exfiltrate data, or deny services. In the space domain: command injection through compromised ground systems, malicious firmware updates to flight software or payload processors, data exfiltration from mission systems, and denial of service through network flooding or protocol exploitation. Cyber attacks can be persistent, stealthy, and difficult to attribute.

Key challenge: Cyber threats can masquerade as normal system behavior. Detection requires continuous monitoring against verified baselines and anomaly correlation across multiple telemetry streams.

SCORP² Practitioner | eHs®TLP-GREEN

MODULE 8 — PAYLOAD OPERATIONS EXERCISESCORP²

Exercise Summary

Phase	Duration	Focus	Domain
Phase 1	~15 min	Nominal payload operations and transponder configuration	Baseline
Phase 2	~25 min	Malicious firmware detection, safe mode, and recovery	Cyber

Students completing this exercise will have practiced payload operations and responded to a Cyber domain threat. Three single-domain exercises are now complete. Module 9 introduces the first multi-domain exercise: Contested Space Operations combining Kinetic and Electronic Warfare.

SCORP² Practitioner | eHs®TLP-GREEN

✓

Module 8 Complete

Practiced communications payload operations and transponder management
Detected and responded to a Cyber threat: malicious firmware update
Third single-domain exercise complete — multi-domain exercises begin next

Next: Module 9 — Contested Space Operations (Kinetic + Electronic Warfare)