The Blind Spot That Became an Attack Plane
Satellite communications have become critical infrastructure for organisations that cannot afford terrestrial-only networks—maritime, aerospace, energy, defence, remote banking, and sovereign administration—yet the cybersecurity industry treats satcom as an afterthought, bolting EDR and SIEM logic onto hardware designed in the 1990s, with firmware updates that travel six months slower than threat actors, and regulatory frameworks that do not yet recognise the attack surface as a distinct threat domain.
The Industry Narrative: Resilience Through Redundancy
The public discourse on satcom security centres on availability and failover. When Viasat's KA-SAT network suffered a destructive cyberattack in February 2022—deployed against Ukrainian infrastructure during the Russian invasion—the security community's response was predictable: improve patch velocity, harden remote management interfaces, segment VPN access, implement EDR on ground stations. Viasat published a detailed forensic breakdown (CVE-2022-24685, an unauthenticated command injection in the modem management interface), and the industry learned once again that default credentials and unpatched firmware kill availability. The Viasat incident exposed approximately 30,000 VSAT terminals across Europe, the Middle East, and North Africa.
Since then, satellite operators and their clients have adopted layered defences: SIEM aggregation of ground-station logs, firewall rules between satcom segments and corporate networks, endpoint detection on the workstations of staff with access to terminal management systems, and threat intelligence feeds monitoring for satcom-specific indicators of compromise. Intelsat published framework guidance in 2023. The International Maritime Organization updated its cyber security code (SOLAS requirements, in force January 2024) to mandate vulnerability assessment and patch management for all bridge systems, including satcom receivers. The US National Counterintelligence and Security Center issued specific warnings about satcom eavesdropping risks in dual-use military-commercial infrastructure (2023). These are legitimate, necessary moves.
Yet the narrative stalls there. The industry assumes satcom is a network access problem—a vector to infiltrate the corporate LAN, exfiltrate data, or disrupt service. Patch the modem. Segment the traffic. Deploy detection. Move on. What this frame misses is the more consequential question: what if the attack does not target the organisation using satcom, but instead modifies the satcom service itself such that the organisation receives undetectable, mission-critical falsified data?
The Architectural Failure: Trust Asymmetry and Latency Collapse
Satellite communications operate under two inherited constraints that create a structural asymmetry against which no amount of EDR listening is adequate:
Latency and the collapse of real-time trust negotiation. Geostationary satellite links introduce 250–500 ms round-trip latency; LEO constellations reduce this to 20–100 ms, but still far exceed terrestrial networks. For organisations using satcom as a primary or failover link—maritime navigation systems, energy SCADA, remote banking branches, sovereignty-critical networks in denied-access regions—this latency makes it impossible to execute real-time cryptographic renegotiation, mutual authentication handshakes, or out-of-band challenge-response verification. Instead, systems fall back to pre-shared keys, certificate pinning, and static trust anchors. Those anchors are then attractive targets.
Signal visibility and the collapse of network perimeter. Satellite signals are broadcast (or multicast) over entire regions. An adversary with a directional antenna and software-defined radio (SDR) capability can receive the encrypted payload without touching the ground station or the organisation's corporate network at all. The attack surface includes the RF layer—a domain most cybersecurity practitioners have no competency in, and which existing regulations (NIST CSF, ISO 27001, DORA, NIS2) treat as "physical security" rather than "cyber". In 2024, security researchers demonstrated proof-of-concept RF jamming and spoofing attacks against commercial maritime AIS-over-satcom and safety-critical GMDSS services. These demonstrations did not involve compromising any endpoint, network, or application—only RF injection at the signal layer.
The Change Healthcare ransomware attack (February 2024) relied on lateral movement through a fortified corporate network; the attacker entered via VPN with stolen credentials, then traversed internal systems for weeks before extortion. The incident exposed a gap in detection speed—but the network segment itself was never compromised from outside. Contrast this with the 2024 Synnovis ransomware incident (NHS England, May), where attackers compromised a managed service provider's corporate network, encrypted critical laboratory systems, and cascaded the failure across the NHS estate. Both illustrate the assumption underlying current security architecture: the threat is inside the network, or entering the network through conventional vectors. Satcom introduces a threat that is reachable at the signal layer, before any network exists.
The PULSE Reading: Architecture Versus Detection
The industry's remediation—better logging, faster patching, EDR everywhere—rests on a detection-and-response paradigm that assumes the threat will leave traces, and those traces can be collected, correlated, and acted upon before mission-critical systems suffer. This works when the attack surface is bounded and the system is designed for observable state.
Satcom is designed for the opposite. It is inherently unobservable at scale. An adversary with RF capability modifying satellite signal parameters—redirecting traffic, injecting spoofed navigation updates, or altering telemetry—may do so without triggering any log entry in any ground station, any SIEM, any EDR client, any firewall, or any IDS/IPS. The attack happens in the RF domain, outside the observability infrastructure entirely.
Detection-and-response, therefore, is not a remediation for satcom threats—it is a false sense of security. The framework assumes you can see an attack in progress. Against RF-layer adversaries with signal-level spoofing or redirect capability, you cannot see it unless you have continuous RF spectrum monitoring and signal authentication, and most organisations do not.
The PULSE doctrine offers a different path: not detecting RF attacks, but architecting away the need for detection by treating satcom data as fundamentally untrusted until cryptographically validated against a zero-knowledge substrate.
Sovereign Satcom Architecture: Four Principles
Zero-knowledge substrate for signal-layer authentication. Rather than trusting that a satellite link is uncompromised (which you cannot verify), design systems to validate all satcom-delivered data against a zero-knowledge proof or multiparty computation that resides in a separate, non-satcom-dependent consensus layer. Navigation systems (GPS, GNSS) received over satcom should be validated against a zero-knowledge GNSS oracle that does not depend on the satcom link itself—perhaps a hardened, locally-deployed atomic clock with occasional terrestrial time sync, or a cryptographic proof of freshness anchored to an external timestamping authority accessible via terrestrial network. Financial transactions over satcom should be validated via a zero-knowledge proof of account state before execution, with the satcom link carrying only encrypted, authenticated messages that are useless if modified in transit.
This is not redundancy. It is independence. It removes the assumption that the satcom link is truthful.
Data-plane and control-plane separation in RF domains. Design satcom systems such that the data plane (bulk payload) is physically isolated from the control plane (routing, handoff, signal parameters). The data plane can be encrypted end-to-end between endpoints outside the satellite operator's infrastructure. The control plane—which the satellite operator must manage—should be cryptographically signed at the RF layer by hardware security modules that cannot be updated remotely. An adversary who compromises ground-station software cannot modify the signal parameters that direct the data plane. This is a straightforward application of the air-gap principle to the RF domain.
Continuous adversarial posture in the RF substrate. Unlike terrestrial networks, where adversarial posture can be adjusted at the application layer (changing firewall rules, updating signatures, enabling detection), RF posture must be engineered into the satellite link itself. This means: (a) randomised frequency hopping across authorised bands, with the hopping schedule authenticated via zero-knowledge proof only at transmission time, not published in advance; (b) beamforming that constrains the RF footprint to only authorised ground stations, with beamforming parameters cryptographically bound to the satellite's orbital state; (c) adaptive modulation and coding that changes in response to detected RF interference (the anti-jamming response itself becomes adversarial, forcing an attacker to continuously adapt).
Domain-specific automation in the satcom layer, not the application layer. Rather than layering EDR and SIEM on top of satcom infrastructure, embed cryptographic validation and anomaly response directly into the modem firmware and the satellite RF payload. When a satcom link receives data that fails zero-knowledge validation, the modem does not queue it for human investigation—it drops the packet, logs the attempt in tamper-evident write-once storage, and optionally triggers RF silence (ceases reception) until a new cryptographic handshake can be negotiated. This is not a detection rule in a SIEM; it is a state machine in hardware.
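As an added illustration of the first and fourth principles (this is example code written for this page, not PULSE's reference architecture or any vendor's firmware), the following Python models a modem receive path that treats every link-delivered frame as untrusted until it validates. The zero-knowledge validation the text describes is stood in for by an HMAC under a key provisioned out of band, so that nothing carried over the link can make a frame verify; freshness is judged against a local clock the link cannot influence; failures are dropped and recorded in a hash-chained log that stands in for write-once storage; and three consecutive failures move the modem into RF silence, from which only a new handshake (modelled as `rekey`) can release it. The frame format, key material, thresholds, clock values and all sample traffic are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed assumptions: a MAC key provisioned out of band (never sent over the
# link), the freshness window the modem accepts, and how many consecutive failures
# trigger RF silence. The HMAC stands in for the zero-knowledge validation in the text.
LINK_KEY = b"example-key-provisioned-out-of-band"
FRESHNESS_WINDOW_S = 2.0
SILENCE_THRESHOLD = 3
TAG_LEN = 32                   # HMAC-SHA256 tag
HEADER = struct.Struct(">Id")  # sequence number (uint32) || timestamp (float64)
ZERO = b"\x00" * 32


def build_frame(seq, ts, payload, key=LINK_KEY):
    """Sender side: header || payload || HMAC(header || payload)."""
    body = HEADER.pack(seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def chain_link(prev, reason, frame_hash):
    return hashlib.sha256(prev + reason.encode() + frame_hash.encode()).digest()


class TamperEvidentLog:
    """Append-only hash chain: each entry commits to the one before, so edits break it."""

    def __init__(self):
        self.entries, self.head = [], ZERO

    def append(self, reason, frame):
        frame_hash = hashlib.sha256(frame).hexdigest()
        digest = chain_link(self.head, reason, frame_hash)
        self.entries.append({"prev": self.head.hex(), "reason": reason, "frame_sha256": frame_hash, "hash": digest.hex()})
        self.head = digest

    def verify(self):
        prev = ZERO
        for e in self.entries:
            expected = chain_link(prev, e["reason"], e["frame_sha256"])
            if e["prev"] != prev.hex() or e["hash"] != expected.hex():
                return False
            prev = expected
        return prev == self.head


class SatcomModem:
    """Receive-path state machine (RECEIVING / RF_SILENT); nothing is queued for a human."""

    def __init__(self, key=LINK_KEY):
        self.key, self.state = key, "RECEIVING"
        self.last_seq, self.failures = -1, 0      # anti-replay watermark, consecutive failures
        self.log, self.accepted = TamperEvidentLog(), []

    def _validate(self, frame, local_time):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate before parsing anything else from the untrusted link.
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "bad_tag"
        seq, ts = HEADER.unpack_from(body)
        if abs(local_time - ts) > FRESHNESS_WINDOW_S:   # clock the link cannot influence
            return "stale"
        if seq <= self.last_seq:
            return "replay"
        return None

    def receive(self, frame, local_time):
        if self.state == "RF_SILENT":
            self.log.append("dropped_in_silence", frame)
            return "dropped_silent"
        reason = self._validate(frame, local_time)
        if reason is not None:
            self.failures += 1
            self.log.append(reason, frame)             # drop, record, never forward
            if self.failures >= SILENCE_THRESHOLD:
                self.state = "RF_SILENT"               # cease reception until rekeyed
                self.log.append("enter_rf_silence", b"")
            return reason
        self.failures = 0
        self.last_seq = HEADER.unpack_from(frame)[0]
        self.accepted.append(frame[HEADER.size:-TAG_LEN])
        return "accepted"

    def rekey(self, new_key):
        """A fresh handshake (modelled as out of band here) is the only exit from RF silence."""
        self.key, self.state, self.failures = new_key, "RECEIVING", 0
        self.log.append("rekeyed", b"")


def demo():
    """Constructed traffic: a good frame, a replay, a forgery, a stale frame, then recovery."""
    modem, now = SatcomModem(), 1_700_000_000.0    # local clock reading, independent of the link
    good = build_frame(1, now, b"NAV:48.85N,2.35E")
    forged = build_frame(2, now, b"NAV:00.00N,0.00E", key=b"attacker-guessed-key")
    stale = build_frame(2, now - 10.0, b"NAV:48.85N,2.35E")
    later = build_frame(3, now + 1.0, b"NAV:48.86N,2.35E")
    traffic = [(good, now), (good, now + 0.5), (forged, now + 0.5), (stale, now + 0.5), (later, now + 1.0)]
    results = [modem.receive(frame, t) for frame, t in traffic]   # third failure enters RF_SILENT
    modem.rekey(b"fresh-key-from-new-handshake")                  # new handshake, new key
    results.append(modem.receive(build_frame(3, now + 1.0, b"NAV:48.86N,2.35E", key=modem.key), now + 1.0))
    return results, modem.log.verify(), len(modem.log.entries)
```

Running `demo()` yields `["accepted", "replay", "bad_tag", "stale", "dropped_silent", "accepted"]`, an intact log chain and six log entries; altering any logged entry afterwards makes `verify()` return `False`. In a deployment following the principles above, the key would sit in a hardware security module that cannot be updated over the link, the clock would be the independent time source described under the first principle, and the log would be written to physically write-once media rather than a Python list.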
Sovereigns and the Satcom Stack
Organisations holding or transferring critical data over satcom—maritime fleets with real-time cargo tracking, energy operators managing SCADA over satellite links in remote regions, central banks coordinating settlements across time zones without relying on terrestrial internet, military and intelligence services using satcom for communication in denied-access regions—cannot afford to treat satcom as "just another network". The regulatory environment is beginning to recognise this: DORA (Digital Operational Resilience Act) requires EU financial institutions to map and test alternative communication channels, including satcom, as part of third-party dependency management. NIS2 requires critical infrastructure operators to assess and report on supply chain risks, including RF-domain vulnerabilities. The FCA's SM&CR (Senior Managers and Certification Regime) increasingly holds board members personally accountable for resilience failures involving communication infrastructure.
Yet most current implementations treat satcom security as compliance-by-checkbox: add a firewall rule, segment the VLAN, deploy Snort or Zeek on the gateway. These measures provide defence against application-layer attacks (credential compromise, malware lateral movement) but are theatre against RF-layer spoofing or signal injection.
The transition requires rethinking what "security" means in a satcom context. It is not about detecting intrusions after they happen. It is about designing systems such that falsified satcom data—whether injected at the RF layer, modified in transit, or redirected at the ground station—cannot alter the organisation's operational state without cryptographic proof of authenticity that is independent of the satcom operator's infrastructure.
Toward Unmapped Territory
The satcom attack surface remains unmapped not because it is invisible, but because the security industry's observability stack was designed for terrestrial networks. Once you accept that RF-layer threats cannot be detected in the traditional sense, the question becomes one of architecture: what systems can you build that are resistant to falsified satcom input by construction, rather than reliant on detecting that input after compromise?
That question sits at the intersection of cryptography, RF engineering, and infrastructure resilience—a space where legacy SIEM, EDR, and IDS logic cannot venture.
Operators managing sovereign critical infrastructure over satcom links who wish to discuss post-breach-resistant architecture for RF-dependent systems should request a briefing under mutual NDA.
Request a briefing under executed Mutual NDA.
PULSE engages only with verified counterparties. Strategic briefing material — reference architecture, regulatory mapping, deployment topology — is released after counter-execution of the NDA scoped to the recipient's evaluation purpose.