spacestrategies Methods & Frameworks Applied analysis → spacepolicies.org

Threat Modeling

Description

Systematic identification and characterization of threats to a system, asset, or domain. Rooted in military intelligence tradecraft and later formalized in cybersecurity (STRIDE, PASTA, ATT&CK), threat modeling maps adversarial actors, their capabilities, intent, opportunity, and attack vectors against a defined target. In the space domain, it applies to physical assets (satellites, ground stations, launch infrastructure), cyber systems (TT&C links, data pipelines), and hybrid scenarios (electronic warfare, supply chain compromise).

When to Use

  • Any topic involving space security, counterspace operations, or orbital infrastructure protection.
  • Analysis of ASAT threats (kinetic, co-orbital, directed energy, cyber).
  • Assessment of satellite communication jamming, spoofing, or interception risks.
  • Supply chain security for space hardware and software components.
  • Evaluating national or commercial space architectures against adversarial scenarios.
  • When a stakeholder asks “what could go wrong and who would do it.”

How to Apply

  1. Define the target scope. Identify the system, asset, or capability under analysis. Establish boundaries: what is in scope (e.g., a specific satellite constellation, a ground segment, a launch campaign) and what is out.
  2. Enumerate threat actors. List all plausible adversaries: nation-states, non-state actors, criminal organizations, insider threats, and unintentional threat sources (e.g., debris, space weather). For each actor, characterize capability (technical sophistication, resources), intent (strategic goals, motivation), and opportunity (access, timing windows).
  3. Map the attack surface. Identify all entry points, interfaces, and dependencies the target exposes: RF links, ground-to-space command channels, software update mechanisms, third-party components, orbital proximity, electromagnetic spectrum access.
  4. Identify threat scenarios. For each actor-surface pairing, develop concrete threat scenarios: what the actor would do, through which vector, exploiting which vulnerability. Use structured formats (actor + vector + vulnerability + impact).
  5. Assess likelihood and impact. Rate each scenario on probability (actor capability x intent x opportunity) and consequence severity (mission degradation, data loss, physical destruction, escalation risk). Use a consistent scale.
  6. Prioritize and cluster. Rank threats by combined risk score. Identify clusters of related threats that share common vulnerabilities or actors. Highlight the highest-priority threats that demand immediate attention.
  7. Identify mitigations and gaps. For each high-priority threat, map existing countermeasures and identify residual risk. Flag gaps where no mitigation exists or where current defenses are insufficient.
  8. Document assumptions and uncertainty. Explicitly state intelligence gaps, assumptions about actor behavior, and confidence levels for each assessment.

Key Dimensions

  • Threat actors — Who: nation-states, proxies, criminal groups, insiders, natural hazards.
  • Capability — What they can do: technical sophistication, available weapons/tools, demonstrated capacity.
  • Intent — Why they would act: strategic objectives, doctrinal drivers, political incentives.
  • Opportunity — When and how access is possible: orbital windows, geographic access, supply chain insertion points.
  • Attack vectors — The pathway: kinetic, electronic, cyber, supply chain, information operations.
  • Vulnerability — What can be exploited: single points of failure, unencrypted links, orbital predictability.
  • Impact — Consequence categories: mission kill, data compromise, escalation, cascading effects (Kessler syndrome).
  • Likelihood — Probability assessment combining capability, intent, and opportunity.

Expected Output

  • A structured threat register listing each identified threat with actor, vector, vulnerability, likelihood, and impact ratings.
  • A prioritized threat matrix or heat map showing the most critical threats.
  • Narrative analysis of the top 3-5 threat scenarios with detailed attack logic.
  • Identification of key mitigations and residual risk gaps.
  • Explicit statement of assumptions and confidence levels.

Limitations

  • Highly dependent on available intelligence about adversary capabilities and intent; gaps in open-source information can lead to blind spots or speculation.
  • Risk of mirror-imaging (assuming adversaries think like the analyst).
  • Static snapshot: threat landscapes evolve rapidly, especially in space where new capabilities emerge frequently.
  • Does not inherently address systemic or structural risks (use Resilience Analysis for that).
  • Can become overly focused on exotic threats (e.g., orbital EMP) while underweighting mundane but more probable risks (e.g., ground segment misconfiguration).
  • Not suitable as a standalone tool for policy recommendation — pair with risk assessment and resilience frameworks.

Articles Using This Method