8.7.5 — Strategic Asset Protection — maturity: live

Cyber-Physical Asset Linkage

Correlating satellite-observed physical changes at critical infrastructure sites with known cyber-attack timelines to detect, attribute and anticipate hybrid threat campaigns.

Auto-drafted reference page — content reviewed for shape, individual references not yet link-checked.

Nation-states and non-state actors increasingly synchronise cyber intrusions with physical interference — a power-grid malware deployment timed to coincide with covert equipment sabotage, or a refinery control-system breach preceded by suspicious vehicle activity at the perimeter. Security agencies relying solely on network telemetry miss the physical dimension entirely; agencies relying on ground sensors miss the geographic context. Satellite observation closes that gap by providing an independent, tamper-resistant record of activity at every critical site regardless of whether the site's own SCADA or sensor network has been compromised.

A dedicated LEO constellation carrying very-high-resolution optical imagers, thermal infrared sensors and RF survey payloads builds a continuous baseline of each asset's physical signature — parking patterns, heat output, electromagnetic emissions, construction activity. When a cyber-incident is reported, analysts retrospectively query the satellite archive to identify any physical precursors or concurrent anomalies in the hours and days before the intrusion. Forward-looking, the same data feeds an ML fusion engine that flags statistically abnormal physical states and automatically cross-references open threat intelligence, generating pre-attack warnings before the keyboard stroke is ever made.

The operational outcome is a national hybrid-threat intelligence picture that is genuinely fused rather than siloed. Defenders can attribute campaigns with physical evidence that is sovereign, court-admissible and immune to adversary manipulation of the target's own sensor infrastructure. Escalation decisions — whether to invoke NATO Article 5, activate emergency powers or execute a diplomatic demarche — rest on independently verified facts rather than contested vendor telemetry.

What matters

Adversaries routinely compromise site sensors before physical action; satellite observation is the only external, tamper-resistant witness.
Cyber-physical correlation requires sub-hourly revisit: a 24-satellite LEO walker achieves this without relying on commercial foreign-operated tasking queues.
Physical evidence derived from sovereign imagery is legally and diplomatically defensible in ways that recycled vendor telemetry or allied-shared signals intelligence is not.
Export controls on SAR and high-resolution optical data mean a nation dependent on commercial foreign providers can be denied access precisely when a hybrid crisis escalates.

Sovereignty score: 9/10 — A nation that outsources cyber-physical correlation to foreign commercial platforms hands adversaries both the intelligence baseline and the ability to deny or degrade it at the moment of greatest need.

Commercial satellite tasking is controlled by foreign operators subject to their own government's export, embargo or emergency-powers legislation — precisely the entities most likely to restrict access during a geopolitical crisis involving the target nation.
Hybrid campaign attribution carries legal and diplomatic weight only when the underlying physical evidence comes from a sovereign system with a verified, unbroken chain of custody that cannot be challenged as third-party or allied-supplied intelligence.
An adversary conducting a cyber intrusion as a precursor to physical sabotage may simultaneously compromise the target's procured commercial data feeds, suppressing or falsifying the imagery archive that would otherwise expose the operation.
National critical-infrastructure classifications and the identities of monitored sites are themselves state secrets; routing tasking requests through a foreign commercial operator unavoidably leaks the targeting priorities to that operator's jurisdiction.

Reference architecture

Payload: Three-payload microsatellite stack: (1) panchromatic/multispectral optical imager, 0.5m GSD, 12km swath; (2) MWIR/LWIR thermal sensor, 3m GSD, for heat-signature baselining; (3) RF survey receiver, 100 MHz to 18 GHz, direction-finding accuracy ±0.5°, for detecting anomalous emissions at industrial control frequencies
Bus class: ESPA-class microsat, 150–200 kg wet mass, 700W end-of-life solar array, 512 GB solid-state recorder, X-band downlink at 300 Mbps
Orbit: Sun-synchronous LEO at 480–520 km, 24-satellite walker constellation (24/4/1), achieving sub-60-minute revisit at mid-latitudes; orbital plane separation chosen to maximise overlap over the national territory's critical-site density
Ground segment: 4-station sovereign ground network (X-band receive, S-band TT&C) co-located with existing national intelligence facilities; encrypted crosslinks between satellites for store-and-forward over low-latitude gaps; SatNOGS UHF/VHF backup for housekeeping telemetry only
Software & data
Latency
Cost band
Lead time

References

ENISA Threat Landscape for Critical Infrastructure 2023 — ENISA documents the growing convergence of cyber and physical attack vectors against energy, water and transport infrastructure across EU member states. The report explicitly flags the intelligence gap created when physical-layer monitoring is absent from cyber-incident response workflows.
CISA Cross-Sector Cybersecurity Performance Goals: Physical-Cyber Convergence Guidance — CISA's guidance requires critical-infrastructure operators to treat physical security events as triggers for cyber posture review and vice versa. It acknowledges that independent out-of-band monitoring is necessary when on-site systems may themselves be compromised.
IAEA Nuclear Security Series No. 35-G: Physical Protection of Nuclear Material and Facilities — The IAEA establishes that independent external monitoring of facility status is a defence-in-depth principle, particularly where insider threats or cyber compromise of internal sensors cannot be ruled out.
ESA Φ-lab: Earth Observation for Security Applications — ESA's Φ-lab research programme demonstrates machine-learning fusion of SAR, optical and RF satellite data streams for anomaly detection at infrastructure sites, establishing the technical baseline for cyber-physical correlation at national scale.
NATO CCDCOE: Hybrid Threats and Critical Infrastructure — Tallinn Manual Applicability — The NATO Cooperative Cyber Defence Centre of Excellence identifies satellite-derived physical intelligence as an emerging evidentiary standard for attributing hybrid attacks, noting that physical corroboration significantly strengthens legal and political attribution cases.