Satellite Cybersecurity for Critical Infrastructure

Key Takeaways

  • The highest satellite cyber risk usually sits in ground systems, remote access, and suppliers
  • Compliance helps buyers only when it is tied to mission uptime, recovery, and accountability
  • Managed security can close staffing gaps, but weak procurement still leaves large exposures

The Ground Segment Is Usually the First Place to Break

On 24 February 2022, the attack on KA-SAT disrupted broadband service for several thousand customers in Ukraine and tens of thousands across Europe. The CISA and FBI advisory that followed treated the incident as a warning to satellite communications providers and customers, not as a narrow wartime anomaly. That distinction matters for electric utilities, oil and gas operators, emergency response agencies, ports, rail systems, mining sites, and remote industrial facilities that depend on satellite links when terrestrial networks are weak, unavailable, or too expensive to extend.

Much of the public discussion around spacecraft security still drifts toward the satellite itself. Buyers do need to care about telemetry, tracking, and command, often shortened to TT&C. They also need to think about onboard software, payload isolation, and the integrity of timing or positioning data. Yet the first break in a real incident often comes somewhere more ordinary: a virtual private network, an exposed management plane, a trusted supplier connection, a misconfigured remote-access channel, or weak identity control inside the ground segment. CISA’s 2024 recommendations for space system operators treat space systems as a chain of ground, link, and orbital elements rather than as a single protected object. ENISA’s 2025 space threat study makes the same point from a European perspective by examining threats across development, deployment, operations, and decommissioning.

That framing changes how a buyer should scope satellite cybersecurity for critical infrastructure. A utility that leases satellite backhaul for substations is not buying “space security” in the abstract. It is buying resilience for dispatch, remote monitoring, field communications, and restoration work after a storm or other disruption. A pipeline operator using satellite connectivity for remote sites is not dealing with a distant aerospace issue. It is dealing with command integrity, safe remote access, logging, and the ability to keep operations running when a local communications outage hits. In many deployments, the satellite link connects directly or indirectly to operational technology, which means a cyber event can spill from enterprise systems into physical operations.

The most useful buyer question at the start is simple: where can an attacker gain control, impair visibility, or corrupt trust before anyone notices? That question usually points to identity systems, remote administration, supplier software, exposed web services, unmanaged field equipment, and the ground software that brokers commands and data. Once a procurement team starts with that view, the conversation gets better fast. Budget can move away from marketing language and toward architecture, staffing, monitoring, segmentation, recovery design, and contract terms that hold vendors to measurable obligations.

Dependence on Satellite Links Changes the Risk Calculation

A hospital system using satellite backup for regional continuity, a maritime terminal depending on satellite links for logistics, and a power utility using satellite communications for remote assets do not face the same kind of business interruption as a normal office network. Their exposure is tied to operations, safety, public service, and legal duty. The NIST Cybersecurity Framework 2.0 places the GOVERN function at the center of cyber risk management because policy, roles, supply-chain expectations, and oversight shape what every other control can achieve. That is especially useful for satellite-dependent infrastructure, where cyber failure can carry physical and public consequences long before an IT team classifies an incident.

Satellite use also creates a concentration problem. A buyer may believe it has redundancy because it has more than one link or more than one site. Yet many supposedly separate services can still depend on the same teleport, the same management stack, the same cloud control plane, the same field device family, or the same identity provider. NIST’s Organizational Profiles guidance is valuable here because it forces an operator to describe current and target outcomes rather than collect controls without context. CISA’s Cross-Sector Cybersecurity Performance Goals 2.0 push in the same direction by emphasizing a practical baseline for infrastructure operators that need to reduce risk first, then build maturity.
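The concentration problem above can be checked mechanically once an operator writes down what each "redundant" link actually depends on. The following is an added example written for this article, not code from the article or from any vendor it names: the link inventory, the teleport, management-stack, identity-provider and terminal names, and the function names are all constructed for illustration. It finds the components shared by every path (fleet-wide single points of failure), the components a specific primary/backup pair still has in common, and the paths that would survive the loss of a given component.

```python
"""Common-mode dependency check across nominally redundant satellite links.

Added example (not from the article). LINKS is a constructed inventory;
every teleport, management-stack, identity-provider and terminal name is
hypothetical, as are the function names.
"""

# Each path is recorded with the shared infrastructure it relies on.
# Two links count as independent only if they share nothing in this record.
LINKS = {
    "site-A-primary": {"teleport": "teleport-1", "mgmt": "nms-x", "idp": "idp-corp",
                       "control_plane": "cloud-cp-1", "terminal": "term-fam-1"},
    "site-A-backup":  {"teleport": "teleport-2", "mgmt": "nms-x", "idp": "idp-corp",
                       "control_plane": "cloud-cp-1", "terminal": "term-fam-1"},
    "site-B-primary": {"teleport": "teleport-1", "mgmt": "nms-y", "idp": "idp-corp",
                       "control_plane": "cloud-cp-2", "terminal": "term-fam-2"},
}


def dependencies(record):
    """Flatten one link record into a set of (kind, name) components."""
    return set(record.items())


def shared_between(links, *names):
    """Components common to all the named paths. A failure in any of them
    takes every listed path down together, so those paths are not independent."""
    sets = [dependencies(links[n]) for n in names]
    return sorted(set.intersection(*sets)) if sets else []


def common_mode_dependencies(links):
    """Components shared by every path in the inventory: fleet-wide single
    points of failure, even where each site looks redundant on its own."""
    return shared_between(links, *links)


def surviving_paths(links, failed):
    """Paths still usable if the component `failed` ((kind, name)) is lost."""
    return sorted(n for n, rec in links.items() if failed not in dependencies(rec))


def blast_radius(links):
    """Map each component to the number of paths its failure would remove,
    largest first, so the most concentrated dependencies surface at the top."""
    counts = {}
    for rec in links.values():
        for comp in dependencies(rec):
            counts[comp] = counts.get(comp, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("shared by every path:", common_mode_dependencies(LINKS))
    print("site A primary/backup share:",
          shared_between(LINKS, "site-A-primary", "site-A-backup"))
    print("if teleport-1 fails, remaining:",
          surviving_paths(LINKS, ("teleport", "teleport-1")))
    for comp, n in blast_radius(LINKS):
        print(f"{comp[0]}={comp[1]} -> removes {n} path(s)")
```

In the constructed inventory the two site A links use different teleports but the same management stack, control plane and terminal family, and all three paths share one identity provider, which is exactly the kind of hidden concentration the paragraph describes. Feeding a real inventory into the same functions is a cheap way to test a provider's redundancy claim before signing.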

Mission dependence also changes recovery planning. A corporate email outage is serious. Loss of satellite connectivity to a remote power asset during a wildfire, or to a logistics hub during a port disruption, can create a far more urgent chain of effects. Buyers need to ask what “recover” means in operational terms. Does the provider support alternate paths, degraded modes, local fallback, safe manual operation, or pre-staged replacement hardware? Can the operator rekey devices at scale? Are logs retained in a way that allows an incident team to reconstruct what happened? Does the contract define who owns the first hour of triage and who has authority to cut off suspect access to field assets? Those details matter more than polished claims about advanced cyber capability.

Another difference from standard enterprise buying is that some critical-infrastructure users have to manage both secrecy and continuity. A defense-related port operator or public-safety agency may need to conceal topology, asset identity, or traffic patterns. An electric or transport operator may need to keep services running even if some detection confidence is still low. That pushes buyers toward layered architecture, least-privilege access, strong identity proofing, independent logging, and formal incident playbooks. Space ISAC exists because threat sharing and sector coordination became necessary, not optional. The creation of the EU Space ISAC under the European Commission and EUSPA shows the same institutional shift: satellite cyber risk now sits inside broader infrastructure and security policy, not in a niche aerospace corner.

Compliance Works Only When It Maps to Real Operations

Buyers often ask which framework they should require. That question is too blunt. A better question is which combination of frameworks, standards, and contractual evidence will show that a satellite service can be operated securely in the buyer’s own environment. NIST CSF 2.0 remains a strong governance and risk-communication tool because it organizes work under GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER. For procurement teams, its Current and Target Profile structure is useful because it turns security buying into a gap-closing exercise rather than a box-checking exercise. A target profile can express what a utility, transport operator, or public agency expects from a satellite provider and its subcontractors.

That top layer still needs technical and operational depth. ISO/IEC 27001 gives buyers a well-known information security management baseline and an audit language that procurement teams can understand. It helps answer whether the provider has organized risk management, documented controls, and repeatable governance. It does not, by itself, prove that industrial or mission systems are segmented correctly or that remote operations are secured appropriately. That is where ISA/IEC 62443 becomes useful for environments where satellite links touch industrial automation and control systems. The standard family is designed for electronically secure industrial automation and control systems and assigns responsibility across asset owners, product suppliers, and service providers.

European buyers often have another layer to consider. NIS2 widens cybersecurity obligations for important and essential entities across the European Union, and the EU Space ISAC is explicitly tied to NIS2 and the Critical Entities Resilience Directive. A provider selling into Europe may therefore need to show more than technical controls. It may need governance evidence, incident reporting readiness, supplier oversight, and board-level accountability that aligns with NIS2 duties. For energy operators in North America, sector requirements can matter as much as general cyber frameworks. NERC CIP remains the governing set of standards for cybersecurity in the bulk electric system, and buyers in that sector need satellite vendors to support that compliance posture rather than complicate it.

Supply-chain discipline belongs in the same compliance discussion. NIST SP 800-161 Rev. 1 addresses cybersecurity supply chain risk management across products and services, with attention to visibility into how technology is developed, integrated, and deployed. CISA’s Secure by Design program and its SBOM guidance push vendors toward safer defaults and better software component transparency. Buyers should treat those materials as procurement tools. The point is not to collect more policy documents. The point is to make vendors prove that remote administration is limited, defaults are safe, logging is useful, patching is governable, and third-party code is visible enough to support fast risk decisions.

The Vendor Shortlist Should Follow Functions, Not Brand Noise

Too many satellite cybersecurity procurements start with logos. Buyers hear pitches from endpoint companies, cloud firms, managed service providers, industrial security vendors, and space-specific specialists, then try to force them into a single scorecard. The result is often a messy shortlist where products solve different problems but compete on the same spreadsheet. A more useful method starts with functions: mission-system security, identity and access control, visibility into operational technology, managed detection and response, incident response, supplier assurance, and threat-sharing participation. Once those functions are defined, vendors become easier to compare.

Space and infrastructure buyers usually need at least one category that understands mission or ground-segment software. Kratos is relevant because it supplies control and command systems used in satellite operations, which places security questions close to the heart of mission execution. Buyers looking for application-level zero-trust concepts in space and defense systems may examine firms such as SpiderOak, whose product material focuses on access control, secure messaging, and protected data exchange in distributed operations. Neither type of vendor replaces enterprise or industrial security tooling. They cover a different slice of the problem.

Industrial and cyber-physical visibility vendors matter when satellite links reach field assets, sensors, or control environments. Nozomi Networks positions its platform around asset intelligence, threat detection, and monitoring for operational technology and Internet of Things environments. Claroty focuses on cyber-physical systems and industrial environments where uptime and safety shape how security controls can be deployed. These vendors often help answer a practical question that satellite operators and infrastructure owners share: what is actually connected, what protocols are in use, and what risk follows from that architecture.

Managed detection and response belongs on the same shortlist for buyers that do not have deep internal security operations. Mandiant Managed Defense, CrowdStrike Falcon Complete, Microsoft Defender Experts for XDR, and Palo Alto Networks Unit 42 MDR all sell a version of 24/7 expert-led detection and response. They are not interchangeable. Their value depends on telemetry coverage, integration depth, escalation model, automation scope, and how well they operate in mixed cloud, endpoint, network, and identity environments.

The table below works better than a brand list because it keeps the discussion tied to buyer needs.

| Category | Primary Job | Best Fit | Example Suppliers | Buyer Watchpoint |
|---|---|---|---|---|
| Mission and Ground Systems | Secure control, TT&C, and satellite operations software | Operators with owned or tightly managed ground segments | Kratos, SpiderOak | Check separation between mission control and enterprise IT |
| OT and CPS Visibility | Asset discovery, anomaly detection, and industrial monitoring | Utilities, transport, energy, and remote industrial sites | Nozomi Networks, Claroty | Confirm protocol coverage and passive deployment options |
| MDR and MXDR | 24/7 detection, triage, hunting, and guided response | Teams with limited SOC staffing | Mandiant, CrowdStrike, Microsoft, Palo Alto Networks | Require evidence of integration with existing telemetry |
| Identity and Zero Trust | Privileged access control, device trust, and policy enforcement | Distributed workforces and remote administration | Microsoft, SpiderOak, Palo Alto Networks | Look for strong MFA, role design, and admin session controls |
| Threat Sharing and Coordination | Threat intelligence, peer exchange, and coordinated alerts | Operators exposed to sector-wide campaigns | Space ISAC, EU Space ISAC | Membership is useful only if operations teams can act on alerts |
| Incident Response | Forensics, containment, recovery planning, and exercises | Operators with public-service or safety exposure | Mandiant, Microsoft, Unit 42 | Demand named response ownership and tested retainer terms |

Buyers should also resist the temptation to hand a single prime contractor every cyber responsibility. That may simplify procurement, yet it can also compress visibility. Separate providers for mission systems, OT visibility, and MDR can work well if contracts define log access, escalation paths, evidence retention, and decision rights during an incident. A strong architecture with shared operating procedures often beats an oversized master contract that hides weak integration.

Managed Security Services Can Close the Staffing Gap

A satellite-dependent infrastructure operator may have strong network engineers, field operations teams, and compliance staff, yet still lack enough security analysts to monitor alerts around the clock. That gap is one reason managed detection and response has become more attractive. Mandiant Managed Defense stresses 24/7 threat detection, investigation, response, and proactive hunting. Microsoft Defender Experts for XDR describes a managed extended detection and response service built around Microsoft’s security stack. CrowdStrike’s MDR offer and Palo Alto Networks’ MDR service make similar claims about continuous monitoring and guided or executed response.

The buyer mistake is to treat managed security as a substitute for security architecture. It is not. An external team cannot compensate for weak identity design, flat networks, poor asset inventory, or a contract that leaves ownership of logs and response decisions ambiguous. MDR works best when the operator has already decided which systems matter most, where administrative boundaries sit, how incidents will be escalated, and what authority a provider has to isolate devices or revoke access. The service can then increase speed and coverage rather than pile more alerts onto an already confused team.

For satellite cybersecurity for critical infrastructure, co-managed models often make more sense than fully outsourced promises. A power utility or transport authority usually needs its own people in the loop because cyber decisions can affect field crews, dispatch, safety controls, and public communication. External analysts may see the telemetry first. Internal operators know which site outage can be tolerated, which cannot, and which containment step could create a larger operational problem. A mature service relationship respects that split. It supplies speed, triage discipline, hunting, and broader threat knowledge without erasing operational judgment inside the asset owner.

Threat sharing becomes more useful in that setting. Space ISAC exists to support preparation, response, and collaboration across the space sector. Its April 2026 announcements about a Canada Global Hub and cooperation with NATO show that institutional coordination is widening. In Europe, the EU Space ISAC was built to let members share information and guidance in a structured setting. Those bodies do not replace a managed service, and a managed service does not replace them. One gives peer visibility and sector signals. The other helps convert data into action inside a customer environment. Buyers who combine both often get better value than buyers who pick one and assume the problem is solved.

Procurement Questions That Expose Weak Security Claims

A serious buying process can expose shallow cyber claims quickly. CISA’s Secure by Design guidance gives buyers a useful starting point because it pushes product makers to make safer design choices and reduce unsafe defaults. The Secure by Demand guide pushes from the customer side by framing questions software buyers can ask about a manufacturer’s approach to security. Buyers of satellite services, terminals, ground software, and related managed services should treat those questions as baseline procurement material rather than optional reading.

The first set of questions should focus on access. How is privileged access granted, recorded, rotated, and revoked? What administrative functions can a supplier perform remotely? Does the vendor support phishing-resistant multifactor authentication for privileged users? Can the buyer separate operator roles from vendor support roles? CISA’s guidance on remote access for industrial environments is directly relevant for satellite-linked infrastructure because remote maintenance is often necessary and frequently abused. A provider that cannot explain remote access paths in detail is asking the buyer to accept blind risk.

The second set should focus on visibility and evidence. What logs are produced, who owns them, where are they stored, and for how long? Can the buyer export them into its own tools? Does the system preserve event order and provenance well enough for forensics? Can software components be disclosed through an SBOM? If a high-severity vulnerability appears in a third-party library, how fast can the supplier tell affected customers which products are exposed? Buyers should also ask whether the supplier aligns product development with NIST supply-chain guidance and whether subcontractors are governed under the same security commitments.
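The SBOM question above, and the glossary's description of an SBOM as a component inventory used to judge exposure to a newly disclosed vulnerability, comes down to a simple matching step that a buyer can run itself when a supplier publishes SBOMs. The following is an added example written for this article, not code from the article or from any SBOM tool: the SBOM documents are constructed in a minimal CycloneDX-like shape (a `components` list with `name`, `version` and `purl`), and the product names, versions and advisory identifiers are hypothetical placeholders. It reports the products whose SBOM lists the advisory's component in the affected version range, and separately flags products that list the component without a version, since a missing version is an unknown exposure rather than a clean result.

```python
"""SBOM exposure check: which products contain a component in an advisory's
affected version range?

Added example (not from the article or from any SBOM tool). The SBOM
documents are constructed in a minimal CycloneDX-like shape (a 'components'
list with 'name', 'version' and 'purl'); product names, versions and the
advisory IDs are hypothetical placeholders.
"""
import json
import operator

# Constructed SBOMs keyed by product, as a supplier might publish them.
SBOMS = {
    "ground-nms": json.dumps({"components": [
        {"name": "libxml2", "version": "2.9.10", "purl": "pkg:generic/libxml2@2.9.10"},
        {"name": "openssl", "version": "3.0.8", "purl": "pkg:generic/openssl@3.0.8"},
    ]}),
    "terminal-fw": json.dumps({"components": [
        {"name": "openssl", "version": "1.1.1", "purl": "pkg:generic/openssl@1.1.1"},
    ]}),
    "modem-mgmt": json.dumps({"components": [
        {"name": "libxml2", "version": "2.12.0", "purl": "pkg:generic/libxml2@2.12.0"},
    ]}),
    # Constructed edge case: component listed with no version at all.
    "beam-sched": json.dumps({"components": [
        {"name": "libxml2", "purl": "pkg:generic/libxml2"},
    ]}),
}

# Constructed advisories; the IDs are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "VULN-PLACEHOLDER-0001", "component": "libxml2", "affected": ">=2.9.0,<2.11.0"},
    {"id": "VULN-PLACEHOLDER-0002", "component": "openssl", "affected": "<3.0.0"},
]

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       ">": operator.gt, "<": operator.lt}


def parse_version(text):
    """Dotted numeric version -> tuple of ints (e.g. '2.9.10' -> (2, 9, 10))."""
    return tuple(int(part) for part in text.strip().split("."))


def version_matches(version, constraint):
    """True if `version` satisfies every comma-separated clause of `constraint`,
    e.g. '>=2.9.0,<2.11.0'. Shorter tuples are zero-padded so '2.10' == '2.10.0'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        clause = clause.strip()
        for sym in (">=", "<=", "==", ">", "<"):   # two-character operators first
            if clause.startswith(sym):
                bound = parse_version(clause[len(sym):])
                width = max(len(v), len(bound))
                a = v + (0,) * (width - len(v))
                b = bound + (0,) * (width - len(bound))
                if not OPS[sym](a, b):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
    return True


def exposed_products(sboms, advisory):
    """Return (exposed, unknown): products whose SBOM lists the advisory's
    component inside the affected range, and products that list the component
    without a version, which cannot be cleared and must be chased with the supplier."""
    hits, unknown = set(), set()
    for product, doc in sboms.items():
        for comp in json.loads(doc).get("components", []):
            if comp.get("name") != advisory["component"]:
                continue
            if not comp.get("version"):
                unknown.add(product)
            elif version_matches(comp["version"], advisory["affected"]):
                hits.add(product)
    return sorted(hits), sorted(unknown)


if __name__ == "__main__":
    for adv in ADVISORIES:
        exposed, unknown = exposed_products(SBOMS, adv)
        print(f"{adv['id']} ({adv['component']} {adv['affected']}): "
              f"exposed={exposed} unknown={unknown}")
```

The value to a buyer is the turnaround: with SBOMs on hand the exposure question is answered in seconds, and the "unknown" list is the contract lever, because a supplier that ships SBOMs without versions has not actually delivered component transparency.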

The third set should focus on operations and recovery. How often does the provider exercise incident response with customers? Has it tested restoration of service after a destructive event? Are alternate communications paths available? Can field devices be re-provisioned at scale? Does the vendor support segmented deployment so that a compromise in one management domain does not spread automatically into others? NIST CSF 2.0 is useful here because it reminds buyers that response and recovery are not late-stage extras. They belong in the core operating model from the start.

Procurement also needs one uncomfortable question: what happens if the vendor itself is the point of entry? NIST’s Organizational Profiles and Tiers model gives buyers a way to ask for maturity evidence rather than slogans. A provider may hold ISO/IEC 27001 certification and still leave weak gaps in mission operations, field support, or supplier oversight. A product may fit ISA/IEC 62443 concepts and still be hard to monitor in practice. The best contracts acknowledge that reality. They specify logging rights, vulnerability disclosure timelines, incident notification windows, exercise participation, audit rights, and measurable recovery duties. Buyers that settle for general security language usually discover its limits when time is short and responsibility matters most.

Summary

Satellite cybersecurity for critical infrastructure should be purchased as an operational resilience discipline, not as a decorative cyber add-on. The lesson from KA-SAT and from later policy work by CISA, NIST, and ENISA is consistent: the most damaging weaknesses often sit in ground operations, identity, remote access, supplier relationships, and recovery planning.

Buyers get better results when they define functions before brands, map compliance to actual operations, and write contracts that specify evidence, ownership, and response authority. Managed services can strengthen detection and staffing depth. They cannot rescue a weak architecture or a vague procurement process. Operators that depend on satellite links for power, transport, emergency communications, industrial control, or other public-service functions need a buying posture that treats cyber design, logging, supplier transparency, and tested recovery as part of the service itself.

Appendix: Top Questions Answered in This Article

Where does the biggest satellite cyber risk usually sit?

For most operators, the highest risk sits in the ground segment, remote administration paths, supplier connections, and identity systems rather than in the spacecraft alone. Those parts are easier to reach, patched on uneven schedules, and often tied directly to enterprise networks and support workflows.

Why does satellite dependence change cyber priorities for infrastructure operators?

Loss of a satellite link can interrupt dispatch, field communications, remote monitoring, logistics, or restoration work in places where other connectivity is weak. That means cyber decisions affect operations, safety, and public-service continuity rather than office productivity alone.

Does ISO/IEC 27001 prove a satellite provider is operationally secure?

No single certification proves that. ISO/IEC 27001 shows that an organization has an information security management system, documented controls, and a risk-management structure. Buyers still need mission-specific evidence on segmentation, remote access, logging, recovery, and supplier oversight.

Why is ISA/IEC 62443 relevant to satellite services?

It becomes relevant when satellite links connect to industrial automation and control systems such as substations, remote pumping stations, rail assets, or process controls. The standard family helps buyers assign security duties across asset owners, service providers, and product suppliers in those settings.

What should a managed detection and response provider actually deliver?

A capable provider should offer around-the-clock monitoring, triage, threat hunting, investigation support, and well-defined response actions. Buyers should also expect clear escalation rules, integration with their existing telemetry, and tested coordination with internal operations teams.

Why are SBOMs useful in satellite cybersecurity procurement?

A software bill of materials gives buyers more visibility into the components inside products and services they depend on. That can shorten the time needed to judge exposure when a third-party library or common software component is found to have a serious vulnerability.

How should buyers think about threat-sharing organizations?

Threat-sharing groups are useful when they provide timely, relevant signals that internal teams or service providers can convert into action. Membership has limited value if no one is assigned to review alerts, compare them to local exposure, and adjust defenses or response steps.

What contract terms matter most in this area?

Logging rights, incident notification windows, audit rights, vulnerability disclosure timelines, exercise participation, and response authority matter more than generic promises of high security. Contracts should also define who owns evidence, who can isolate systems, and how recovery duties are assigned.

Can a single prime contractor handle the whole problem?

Sometimes, yet that arrangement can reduce visibility if responsibilities are bundled too broadly. Many operators get better results by separating mission systems, industrial visibility, and managed detection services, then forcing those providers to work from shared procedures and evidence rules.

What is the most useful first question in a satellite cyber buying process?

The best opening question is where an attacker could gain control, impair visibility, or corrupt trust before anyone notices. That quickly directs attention to identity, remote access, supplier paths, field devices, and the ground software that carries commands and data.

Appendix: Glossary of Key Terms

Telemetry, Tracking, and Command

Used to monitor spacecraft health, determine position, and send operating instructions, this mission-control function links the satellite to its ground operators. Security failure in this area can disrupt service, corrupt operator awareness, or permit unauthorized actions against the mission.

Ground Segment

Made up of control centers, antennas, software, networks, and support systems on Earth, this part of a satellite service handles operations and data exchange. Many serious cyber exposures appear here because it often connects vendors, cloud systems, and enterprise administration.

Managed Detection and Response

Provided by an outside security team, this service combines monitoring, investigation, threat hunting, and guided or executed response. It is most useful for organizations that need round-the-clock coverage but do not have enough internal staff to run a full security operations center.

Operational Technology

Found in industrial and infrastructure environments, these systems monitor or control physical equipment such as substations, pumps, valves, and transport assets. Security choices in these environments must account for uptime, safety, and the practical limits of maintenance windows.

Zero Trust

Built around the idea that access should never rely on broad implicit trust, this approach checks identity, device condition, and policy before allowing actions. In satellite-linked operations, it helps reduce the damage that can follow from stolen credentials or over-permissioned vendors.

Software Bill of Materials

Used as a component inventory for software, this record identifies ingredients inside an application or system. Buyers use it to judge whether a newly disclosed vulnerability affects a product they run and to push suppliers toward better software transparency.

Current Profile

Within the NIST Cybersecurity Framework, this describes the outcomes an organization is achieving now or trying to achieve. It gives buyers and operators a structured way to describe present controls, known weaknesses, and the starting point for improvement.

Target Profile

Defined under the NIST Cybersecurity Framework, this describes the outcomes an organization wants to achieve based on mission needs and risk priorities. It is useful in procurement because it lets a buyer express security expectations in operational terms.

Cybersecurity Supply Chain Risk Management

Focused on products, services, and the organizations that provide them, this discipline deals with how supplier choices can introduce hidden weaknesses or malicious functionality. It is especially relevant where satellite systems depend on subcontractors, software components, and remote support paths.

NIS2

Established by the European Union, this directive expands cybersecurity duties for important and essential entities. It matters to satellite and infrastructure providers in Europe because it connects governance, incident reporting, supplier oversight, and management accountability under a shared legal framework.
