Inhibit Ground System Functionality, Technique DE-0002.01

Disrupt or Deceive Downlink: Inhibit Ground System Functionality

Threat actors may utilize access to the ground system to inhibit its ability to accurately process, render, or interpret spacecraft telemetry, effectively leaving ground controllers unaware of the spacecraft’s true state or activity. This may involve traditional denial-based techniques, such as disabling telemetry software, corrupting processing pipelines, or crashing display interfaces. In addition, more subtle deception-based techniques may be used to falsify telemetry data within the ground system — such as modifying command counters, acknowledgments, housekeeping data, or sensor outputs — to provide the appearance of nominal operation. These actions can suppress alerts, mask unauthorized activity, or prevent both automated and manual mitigations from being initiated based on misleading ground-side information. Because telemetry is the primary method by which ground controllers monitor the health, behavior, and safety of the spacecraft, any disruption or falsification of this data directly undermines situational awareness and operational control.

Other Subtechniques of Disrupt or Deceive Downlink ( 3 )

ID	Name
DE-0002.01	Inhibit Ground System Functionality
DE-0002.02	Jam Link Signal
DE-0002.03	Inhibit Spacecraft Functionality

ID: DE-0002.01

Sub-technique of: DE-0002

Notional Risk (H | M | L): 21 | 17 | 12

ⓘ

Tactic: Defense Evasion

Created: 2022/10/19

Last Modified: 2025/04/15

Countermeasures

ID	Name	Description	NIST Rev5	D3FEND	ISO 27001
CM0002	COMSEC	A component of cybersecurity to deny unauthorized persons information derived from telecommunications and to ensure the authenticity of such telecommunications. COMSEC includes cryptographic security, transmission security, emissions security, and physical security of COMSEC material. It is imperative to utilize secure communication protocols with strong cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission. Systems should also maintain the confidentiality and integrity of information during preparation for transmission and during reception. Spacecraft should not employ a mode of operations where cryptography on the TT&C link can be disabled (i.e., crypto-bypass mode). The cryptographic mechanisms should identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.	AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(2) \| AC-18 \| AC-18(1) \| AC-2(11) \| AC-3(10) \| CA-3 \| IA-4(9) \| IA-5 \| IA-5(7) \| IA-7 \| PL-8 \| PL-8(1) \| SA-8(18) \| SA-8(19) \| SA-9(6) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(2) \| SC-12(3) \| SC-12(6) \| SC-13 \| SC-16(3) \| SC-28(1) \| SC-28(3) \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(18) \| SC-7(5) \| SC-8(1) \| SC-8(3) \| SI-10 \| SI-10(3) \| SI-10(5) \| SI-10(6) \| SI-19(4) \| SI-3(8)	D3-ET \| D3-MH \| D3-MAN \| D3-MENCR \| D3-NTF \| D3-ITF \| D3-OTF \| D3-CH \| D3-DTP \| D3-NTA \| D3-CAA \| D3-DNSTA \| D3-IPCTA \| D3-NTCD \| D3-RTSD \| D3-PHDURA \| D3-PMAD \| D3-CSPP \| D3-MA \| D3-SMRA \| D3-SRA \|	A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.8.21 \| A.5.16 \| A.5.17 \| A.5.8 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.12 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.33 \| A.8.11
CM0073	Traffic Flow Analysis Defense	Utilizing techniques to assure traffic flow security and confidentiality to mitigate or defeat traffic analysis attacks or reduce the value of any indicators or adversary inferences. This may be a subset of COMSEC protections, but the techniques would be applied where required to links that carry TT&C and/or data transmissions (to include on-board the spacecraft) where applicable given value and attacker capability. Techniques may include but are not limited to methods to pad or otherwise obfuscate traffic volumes/duration and/or periodicity, concealment of routing information and/or endpoints, or methods to frustrate statistical analysis.	SC-8 \| SI-4(15)	D3-NTA \| D3-ANAA \| D3-RPA \| D3-NTCD \|	A.5.10 \| A.5.14 \| A.8.20 \| A.8.26
CM0050	On-board Message Encryption	In addition to authentication on-board the spacecraft bus, encryption is also recommended to protect the confidentiality of the data traversing the bus.	AC-4 \| AC-4(23) \| AC-4(24) \| AC-4(26) \| AC-4(31) \| AC-4(32) \| PL-8 \| PL-8(1) \| SA-3 \| SA-8 \| SA-8(18) \| SA-8(19) \| SA-8(9) \| SA-9(6) \| SC-13 \| SC-16 \| SC-16(1) \| SC-16(2) \| SC-16(3) \| SC-8(1) \| SC-8(3) \| SI-19(4) \| SI-4(10) \| SI-4(25)	D3-MH \| D3-MENCR \| D3-ET \|	A.5.14 \| A.8.22 \| A.8.23 \| A.8.11 \| A.5.8 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.27 \| A.8.28 \| A.5.33 \| A.8.24 \| A.8.26 \| A.5.31 \| A.8.11
CM0005	Ground-based Countermeasures	This countermeasure is focused on the protection of terrestrial assets like ground networks and development environments/contractor networks, etc. Traditional detection technologies and capabilities would be applicable here. Utilizing resources from NIST CSF to properly secure these environments using identify, protect, detect, recover, and respond is likely warranted. Additionally, NISTIR 8401 may provide resources as well since it was developed to focus on ground-based security for space systems (https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8401.ipd.pdf). Furthermore, the MITRE ATT&CK framework provides IT focused TTPs and their mitigations https://attack.mitre.org/mitigations/enterprise/. Several recommended NIST 800-53 Rev5 controls are provided for reference when designing ground systems/networks.	AC-1 \| AC-10 \| AC-11 \| AC-11(1) \| AC-12 \| AC-12(1) \| AC-14 \| AC-16 \| AC-16(6) \| AC-17 \| AC-17(1) \| AC-17(10) \| AC-17(2) \| AC-17(3) \| AC-17(4) \| AC-17(6) \| AC-17(9) \| AC-18 \| AC-18(1) \| AC-18(3) \| AC-18(4) \| AC-18(5) \| AC-19 \| AC-19(5) \| AC-2 \| AC-2(1) \| AC-2(11) \| AC-2(12) \| AC-2(13) \| AC-2(2) \| AC-2(3) \| AC-2(9) \| AC-20 \| AC-20(1) \| AC-20(2) \| AC-20(3) \| AC-20(5) \| AC-21 \| AC-22 \| AC-3 \| AC-3(11) \| AC-3(13) \| AC-3(15) \| AC-3(4) \| AC-4 \| AC-4(23) \| AC-4(24) \| AC-4(25) \| AC-4(26) \| AC-4(31) \| AC-4(32) \| AC-6 \| AC-6(1) \| AC-6(10) \| AC-6(2) \| AC-6(3) \| AC-6(5) \| AC-6(8) \| AC-6(9) \| AC-7 \| AC-8 \| AT-2(4) \| AT-2(4) \| AT-2(5) \| AT-2(6) \| AT-3 \| AT-3(2) \| AT-4 \| AU-10 \| AU-11 \| AU-12 \| AU-12(1) \| AU-12(3) \| AU-14 \| AU-14(1) \| AU-14(3) \| AU-2 \| AU-3 \| AU-3(1) \| AU-4 \| AU-4(1) \| AU-5 \| AU-5(1) \| AU-5(2) \| AU-5(5) \| AU-6 \| AU-6(1) \| AU-6(3) \| AU-6(4) \| AU-6(5) \| AU-6(6) \| AU-7 \| AU-7(1) \| AU-8 \| AU-9 \| AU-9(2) \| AU-9(3) \| AU-9(4) \| CA-3 \| CA-3(6) \| CA-3(7) \| CA-7 \| CA-7(1) \| CA-7(6) \| CA-8 \| CA-8(1) \| CA-9 \| CM-10(1) \| CM-11 \| CM-11(2) \| CM-11(3) \| CM-12 \| CM-12(1) \| CM-14 \| CM-2 \| CM-2(2) \| CM-2(3) \| CM-2(7) \| CM-3 \| CM-3(1) \| CM-3(2) \| CM-3(4) \| CM-3(5) \| CM-3(6) \| CM-3(7) \| CM-3(8) \| CM-4 \| CM-5(1) \| CM-5(5) \| CM-6 \| CM-6(1) \| CM-6(2) \| CM-7 \| CM-7(1) \| CM-7(2) \| CM-7(3) \| CM-7(5) \| CM-7(8) \| CM-7(9) \| CM-8 \| CM-8(1) \| CM-8(2) \| CM-8(3) \| CM-8(4) \| CM-9 \| CP-10 \| CP-10(2) \| CP-10(4) \| CP-2 \| CP-2(2) \| CP-2(5) \| CP-2(8) \| CP-3(1) \| CP-4(1) \| CP-4(2) \| CP-4(5) \| CP-8 \| CP-8(1) \| CP-8(2) \| CP-8(3) \| CP-8(4) \| CP-8(5) \| CP-9 \| CP-9(1) \| CP-9(2) \| CP-9(3) \| IA-11 \| IA-12 \| IA-12(1) \| IA-12(2) \| IA-12(3) \| IA-12(4) \| IA-12(5) \| IA-12(6) \| IA-2 \| IA-2(1) \| IA-2(12) \| IA-2(2) \| IA-2(5) \| IA-2(6) \| IA-2(8) \| IA-3 \| IA-3(1) \| IA-4 \| IA-4(9) \| IA-5 \| IA-5(1) \| IA-5(13) \| IA-5(14) \| IA-5(2) \| IA-5(7) \| IA-5(8) \| IA-6 \| IA-7 \| IA-8 \| IR-2 \| IR-2(2) \| IR-2(3) \| IR-3 \| IR-3(1) \| IR-3(2) \| IR-3(3) \| IR-4 \| IR-4(1) \| IR-4(10) \| IR-4(11) \| IR-4(12) \| IR-4(13) \| IR-4(14) \| IR-4(3) \| IR-4(4) \| IR-4(5) \| IR-4(6) \| IR-4(7) \| IR-4(8) \| IR-5 \| IR-5(1) \| IR-6 \| IR-6(1) \| IR-6(2) \| IR-7 \| IR-7(1) \| IR-8 \| MA-2 \| MA-3 \| MA-3(1) \| MA-3(2) \| MA-3(3) \| MA-4 \| MA-4(1) \| MA-4(3) \| MA-4(6) \| MA-4(7) \| MA-5(1) \| MA-6 \| MA-7 \| MP-2 \| MP-3 \| MP-4 \| MP-5 \| MP-6 \| MP-6(3) \| MP-7 \| PE-3(7) \| PL-10 \| PL-11 \| PL-8 \| PL-8(1) \| PL-8(2) \| PL-9 \| PM-11 \| PM-16(1) \| PM-17 \| PM-30 \| PM-30(1) \| PM-31 \| PM-32 \| RA-10 \| RA-3(1) \| RA-3(2) \| RA-3(3) \| RA-3(4) \| RA-5 \| RA-5(10) \| RA-5(11) \| RA-5(2) \| RA-5(4) \| RA-5(5) \| RA-7 \| RA-9 \| SA-10 \| SA-10(1) \| SA-10(2) \| SA-10(7) \| SA-11 \| SA-11(2) \| SA-11(4) \| SA-11(7) \| SA-11(9) \| SA-15 \| SA-15(3) \| SA-15(7) \| SA-17 \| SA-2 \| SA-22 \| SA-3 \| SA-3(1) \| SA-3(2) \| SA-4 \| SA-4(1) \| SA-4(10) \| SA-4(12) \| SA-4(2) \| SA-4(3) \| SA-4(5) \| SA-4(7) \| SA-4(9) \| SA-5 \| SA-8 \| SA-8(14) \| SA-8(15) \| SA-8(18) \| SA-8(21) \| SA-8(22) \| SA-8(23) \| SA-8(24) \| SA-8(29) \| SA-8(9) \| SA-9 \| SA-9(1) \| SA-9(2) \| SA-9(6) \| SA-9(7) \| SC-10 \| SC-12 \| SC-12(1) \| SC-12(6) \| SC-13 \| SC-15 \| SC-16(2) \| SC-16(3) \| SC-18(1) \| SC-18(2) \| SC-18(3) \| SC-18(4) \| SC-2 \| SC-2(2) \| SC-20 \| SC-21 \| SC-22 \| SC-23 \| SC-23(1) \| SC-23(3) \| SC-23(5) \| SC-24 \| SC-28 \| SC-28(1) \| SC-28(3) \| SC-3 \| SC-38 \| SC-39 \| SC-4 \| SC-45 \| SC-45(1) \| SC-45(2) \| SC-49 \| SC-5 \| SC-5(1) \| SC-5(2) \| SC-5(3) \| SC-50 \| SC-51 \| SC-7 \| SC-7(10) \| SC-7(11) \| SC-7(12) \| SC-7(13) \| SC-7(14) \| SC-7(18) \| SC-7(21) \| SC-7(25) \| SC-7(29) \| SC-7(3) \| SC-7(4) \| SC-7(5) \| SC-7(7) \| SC-7(8) \| SC-7(9) \| SC-8 \| SC-8(1) \| SC-8(2) \| SC-8(5) \| SI-10 \| SI-10(3) \| SI-10(6) \| SI-11 \| SI-12 \| SI-14(3) \| SI-16 \| SI-19(4) \| SI-2 \| SI-2(2) \| SI-2(3) \| SI-2(6) \| SI-21 \| SI-3 \| SI-3(10) \| SI-4 \| SI-4(1) \| SI-4(10) \| SI-4(11) \| SI-4(12) \| SI-4(13) \| SI-4(14) \| SI-4(15) \| SI-4(16) \| SI-4(17) \| SI-4(2) \| SI-4(20) \| SI-4(22) \| SI-4(23) \| SI-4(24) \| SI-4(25) \| SI-4(4) \| SI-4(5) \| SI-5 \| SI-5(1) \| SI-6 \| SI-7 \| SI-7(1) \| SI-7(17) \| SI-7(2) \| SI-7(5) \| SI-7(7) \| SI-7(8) \| SR-1 \| SR-10 \| SR-11 \| SR-11(1) \| SR-11(2) \| SR-11(3) \| SR-12 \| SR-2 \| SR-2(1) \| SR-3 \| SR-3(1) \| SR-3(2) \| SR-3(3) \| SR-4 \| SR-4(1) \| SR-4(2) \| SR-4(3) \| SR-4(4) \| SR-5 \| SR-5(1) \| SR-5(2) \| SR-6 \| SR-6(1) \| SR-7 \| SR-8 \| SR-9 \| SR-9(1)	Nearly all D3FEND Techniques apply to Ground \|	5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.15 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.16 \| A.5.18 \| A.8.2 \| A.8.16 \| A.5.15 \| A.5.33 \| A.8.3 \| A.8.4 \| A.8.18 \| A.8.20 \| A.8.2 \| A.8.4 \| A.5.14 \| A.8.22 \| A.8.23 \| A.8.11 \| A.8.10 \| A.5.15 \| A.8.2 \| A.8.18 \| A.8.5 \| A.8.5 \| A.7.7 \| A.8.1 \| A.5.14 \| A.6.7 \| A.8.1 \| A.8.16 \| A.5.14 \| A.8.1 \| A.8.20 \| A.5.14 \| A.7.9 \| A.8.1 \| A.5.14 \| A.7.9 \| A.8.20 \| A.6.3 \| A.8.15 \| A.8.15 \| A.8.6 \| A.5.25 \| A.6.8 \| A.8.15 \| A.7.4 \| A.8.17 \| A.5.33 \| A.8.15 \| A.5.28 \| A.8.15 \| A.8.15 \| A.8.15 \| A.5.14 \| A.8.21 \| 9.1 \| 9.3.2 \| 9.3.3 \| A.5.36 \| 9.2.2 \| A.8.9 \| A.8.9 \| 8.1 \| 9.3.3 \| A.8.9 \| A.8.32 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.9 \| A.8.19 \| A.8.19 \| A.5.9 \| A.8.9 \| A.5.2 \| A.8.9 \| A.8.19 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.8.6 \| A.5.30 \| A.5.30 \| A.5.29 \| A.7.11 \| A.5.29 \| A.5.33 \| A.8.13 \| A.5.29 \| A.5.16 \| A.5.16 \| A.5.16 \| A.5.17 \| A.8.5 \| A.5.16 \| A.6.3 \| A.5.25 \| A.5.26 \| A.5.27 \| A.8.16 \| A.5.5 \| A.6.8 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.24 \| A.7.10 \| A.7.13 \| A.8.10 \| A.8.10 \| A.8.16 \| A.8.10 \| A.7.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.5.13 \| A.5.10 \| A.7.7 \| A.7.10 \| A.8.10 \| A.5.10 \| A.7.9 \| A.7.10 \| A.5.10 \| A.7.10 \| A.7.14 \| A.8.10 \| A.5.10 \| A.7.10 \| A.5.8 \| A.5.7 \| 4.4 \| 6.2 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 10.2 \| 4.4 \| 6.2 \| 7.4 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| 9.1 \| 9.2.2 \| 10.1 \| 10.2 \| A.8.8 \| 6.1.3 \| 8.3 \| 10.2 \| A.5.22 \| A.5.7 \| A.5.2 \| A.5.8 \| A.8.25 \| A.8.31 \| A.8.33 \| 8.1 \| A.5.8 \| A.5.20 \| A.5.23 \| A.8.29 \| A.8.30 \| A.8.28 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.37 \| A.8.27 \| A.8.28 \| A.5.2 \| A.5.4 \| A.5.8 \| A.5.14 \| A.5.22 \| A.5.23 \| A.8.21 \| A.8.9 \| A.8.28 \| A.8.30 \| A.8.32 \| A.8.29 \| A.8.30 \| A.5.8 \| A.8.25 \| A.8.25 \| A.8.27 \| A.8.6 \| A.5.14 \| A.8.16 \| A.8.20 \| A.8.22 \| A.8.23 \| A.8.26 \| A.8.23 \| A.8.12 \| A.5.10 \| A.5.14 \| A.8.20 \| A.8.26 \| A.5.33 \| A.8.20 \| A.8.24 \| A.8.24 \| A.8.26 \| A.5.31 \| A.5.14 \| A.5.10 \| A.5.33 \| A.6.8 \| A.8.8 \| A.8.32 \| A.8.7 \| A.8.16 \| A.8.16 \| A.8.16 \| A.8.16 \| A.5.6 \| A.8.11 \| A.8.10 \| 5.2 \| 5.3 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.1 \| A.5.2 \| A.5.4 \| A.5.19 \| A.5.31 \| A.5.36 \| A.5.37 \| A.5.19 \| A.5.20 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.21 \| A.8.30 \| A.5.20 \| A.5.21 \| A.5.23 \| A.8.29 \| A.5.22 \| A.5.22
CM0070	Alternate Communications Paths	Establish alternate communications paths to reduce the risk of all communications paths being affected by the same incident.	AC-17 \| CP-2 \| CP-4(2) \| CP-8(3) \| PL-8 \| PL-8(1) \| SC-47	D3-NM \| D3-NTPM \|	A.5.14 \| A.6.7 \| A.8.1 \| 7.5.1 \| 7.5.2 \| 7.5.3 \| A.5.2 \| A.5.29 \| A.8.1 \| A.5.8

Related CWE Classes

Priority 1	Priority 2	Priority 3	Priority 4
CWE-200: Information Exposure

Related Aerospace Threat ID

Related MITRE ATT&CK TTPs

T1562.006

Related ESA SPACE-SHIELD TTPs

No related Spaceshield TTPs

Related MITRE EMB3D Threats

No related MITRE EMB3D Threats

Indicators of Behavior

ID	Name	Description	STIX Pattern
CSNE-9	Unexpected Downlink Traffic Dropped or Disrupted	Detection of downlink traffic being unexpectedly dropped or disrupted with a high error rate, potentially indicating an attack targeting the spacecraft's ability to send telemetry data.	[network-traffic:direction = 'downlink' AND network-traffic:status = 'dropped' OR network-traffic:error_rate > 'acceptable_threshold']
CSNE-40	Unplanned Deactivation of Downlink Transmitter	Detection of the downlink transmitter being deactivated unexpectedly, potentially indicating a malicious action intended to disable the spacecraft's ability to send telemetry data to the ground.	[x-opencti-telemetry:component = 'downlink_transmitter' AND x-opencti-telemetry:status = 'inactive' AND x-opencti-telemetry:deactivation_reason != 'planned']
CSNE-41	High Latency Detected in Downlink Communication	Detection of unusually high latency in downlink communications, which may indicate that an attacker is interfering with telemetry transmission to delay or disrupt communication between the spacecraft and ground controllers.	[network-traffic:latency > 'acceptable_latency_threshold' AND network-traffic:direction = 'downlink']
MIRE-6	Unexpected Modification of Memory Location Associated with Telemetry Data	Detection of an unexpected modification in the memory block associated with telemetry data. The system identifies abnormal write operations in memory locations that store telemetry information before it is transmitted, suggesting manipulation by malware. Adversaries may change telemetry before downlink in order to prevent the ground from being aware of malware being on the spacecraft.	[x-opencti-memory:block = 'telemetry_memory_block' AND x-opencti-memory:write_operation = 'unexpected' AND x-opencti-memory:modification_time != 'authorized_time']
SIUU-25	Unauthorized Function Hooking in Telemetry Process	Detection of unauthorized function hooking in the telemetry process, specifically targeting the packet_write_function. This hook allows the malware to modify telemetry data before it is transmitted to ground systems, concealing malicious activity onboard the spacecraft	[process:image_ref.name = 'telemetry_process' AND process:hooked_function = 'packet_write_function']
SIUU-26	Unauthorized Modification of Downlink Configuration	Detection of unauthorized modifications to the downlink frequency configuration settings, suggesting a potential attack to disrupt the spacecraft's ability to transmit telemetry.	[x-opencti-radio-configuration:downlink_frequency != 'authorized_value' AND x-opencti-radio-configuration:modification_time != 'scheduled_window']