8.7.5 — Strategic Asset Protection — maturity: live

Cyber-Physical Asset Linkage

Correlating satellite-observed physical changes at critical infrastructure sites with known cyber-attack timelines to detect, attribute and anticipate hybrid threat campaigns.

When physical infrastructure and digital control systems share the same attack surface, only persistent overhead imagery fused with network telemetry gives a nation the situational awareness to act before a breach becomes a catastrophe.

Nation-states and non-state actors increasingly synchronise cyber intrusions with physical interference — a power-grid malware deployment timed to coincide with covert equipment sabotage, or a refinery control-system breach preceded by suspicious vehicle activity at the perimeter. Security agencies relying solely on network telemetry miss the physical dimension entirely; agencies relying on ground sensors miss the geographic context. Satellite observation closes that gap by providing an independent, tamper-resistant record of activity at every critical site regardless of whether the site's own SCADA or sensor network has been compromised.

A dedicated LEO constellation carrying very-high-resolution optical imagers, thermal infrared sensors and RF survey payloads builds a continuous baseline of each asset's physical signature — parking patterns, heat output, electromagnetic emissions, construction activity. When a cyber-incident is reported, analysts retrospectively query the satellite archive to identify any physical precursors or concurrent anomalies in the hours and days before the intrusion. Forward-looking, the same data feeds an ML fusion engine that flags statistically abnormal physical states and automatically cross-references open threat intelligence, generating pre-attack warnings before the keyboard stroke is ever made.

The operational outcome is a national hybrid-threat intelligence picture that is genuinely fused rather than siloed. Defenders can attribute campaigns with physical evidence that is sovereign, court-admissible and immune to adversary manipulation of the target's own sensor infrastructure. Escalation decisions — whether to invoke NATO Article 5, activate emergency powers or execute a diplomatic demarche — rest on independently verified facts rather than contested vendor telemetry.

What matters

Adversaries routinely compromise site sensors before physical action; satellite observation is the only external, tamper-resistant witness.
Cyber-physical correlation requires sub-hourly revisit: a 24-satellite LEO walker achieves this without relying on commercial foreign-operated tasking queues.
Physical evidence derived from sovereign imagery is legally and diplomatically defensible in ways that recycled vendor telemetry or allied-shared signals intelligence is not.
Export controls on SAR and high-resolution optical data mean a nation dependent on commercial foreign providers can be denied access precisely when a hybrid crisis escalates.

Quick facts

Global cost of critical-infrastructure cyber incidents (2023): $13.0B estimated losses (2023) — IBM Cost of a Data Breach Report 2023
Industrial control system (ICS) vulnerabilities disclosed (2023): 1,979 CVEs (2023) — Dragos Year in Review: ICS/OT Cybersecurity 2023
Median time to identify a critical-infrastructure breach: 204 days (2023) — IBM Cost of a Data Breach Report 2023
Estimated number of internet-exposed industrial control system devices globally: ≈90,000 devices (2024) — Shodan Critical Infrastructure Exposure Report

Sovereignty score: 9/10 — A nation that outsources cyber-physical correlation to foreign commercial platforms hands adversaries both the intelligence baseline and the ability to deny or degrade it at the moment of greatest need.

Commercial satellite tasking is controlled by foreign operators subject to their own government's export, embargo or emergency-powers legislation — precisely the entities most likely to restrict access during a geopolitical crisis involving the target nation.
Hybrid campaign attribution carries legal and diplomatic weight only when the underlying physical evidence comes from a sovereign system with a verified, unbroken chain of custody that cannot be challenged as third-party or allied-supplied intelligence.
An adversary conducting a cyber intrusion as a precursor to physical sabotage may simultaneously compromise the target's procured commercial data feeds, suppressing or falsifying the imagery archive that would otherwise expose the operation.
National critical-infrastructure classifications and the identities of monitored sites are themselves state secrets; routing tasking requests through a foreign commercial operator unavoidably leaks the targeting priorities to that operator's jurisdiction.

Reference architecture

Payload: Three-payload microsatellite stack: (1) panchromatic/multispectral optical imager, 0.5m GSD, 12km swath; (2) MWIR/LWIR thermal sensor, 3m GSD, for heat-signature baselining; (3) RF survey receiver, 100 MHz to 18 GHz, direction-finding accuracy ±0.5°, for detecting anomalous emissions at industrial control frequencies
Bus class: ESPA-class microsat, 150–200 kg wet mass, 700W end-of-life solar array, 512 GB solid-state recorder, X-band downlink at 300 Mbps
Orbit: Sun-synchronous LEO at 480–520 km, 24-satellite walker constellation (24/4/1), achieving sub-60-minute revisit at mid-latitudes; orbital plane separation chosen to maximise overlap over the national territory's critical-site density
Ground segment: 4-station sovereign ground network (X-band receive, S-band TT&C) co-located with existing national intelligence facilities; encrypted crosslinks between satellites for store-and-forward over low-latitude gaps; SatNOGS UHF/VHF backup for housekeeping telemetry only
Data pipeline: On-board radiometric calibration and L0 packetisation → sovereign ground L1 processing cluster → GPU-accelerated change-detection engine producing L2 anomaly masks at 15-minute latency → cyber-event correlation engine ingesting SIEM feeds via classified API → ML fusion model producing hybrid-threat probability scores with physical evidence attachments → sovereign air-gapped archive with cryptographic chain-of-custody
End-user delivery: Classified web console for national cyber-physical fusion centre with time-synchronised overlay of satellite-observed anomalies on cyber-incident timelines; automated push alerts to sector CERTs and critical-infrastructure owner-operators via sovereign encrypted messaging; retrospective query interface for forensic attribution workflows; separate read-only feed to national intelligence assessment directorate
Time to launch: Single-satellite demonstrator (optical + thermal only) in 20 months from contract, validating baseline and change-detection pipeline; full 24-satellite constellation with RF payload in 42 months; initial operating capability declared at 8 satellites (~120-minute revisit) at month 30
Caveats: High-resolution optical payloads below 0.5m GSD from US primes are subject to ITAR and EAR licensing — specify Airbus Defence & Space, ISRO IISU or SITAEL as alternative suppliers; RF survey payload frequency coverage above 18 GHz requires national spectrum authority coordination to avoid interference with ground terminals; thermal sensor calibration requires a network of ground truth sites at known emitting assets, which must be pre-designated in coordination with facility operators under appropriate security clearance

Frequently asked

What exactly does 'cyber-physical asset linkage' mean in the satellite context?

It means using satellite-derived data — optical imagery, SAR, RF emissions monitoring, AIS/ADSB cross-checks — to detect physical changes at a site (new vehicles, perimeter breaches, construction anomalies) and correlate them with cyber events in the same facility's operational technology network. The satellite becomes the independent, tamper-resistant sensor that neither the attacker nor a compromised insider can blind. Fusion with SCADA telemetry turns isolated anomalies into actionable threat indicators.

Why can't a nation simply buy this as a commercial imagery subscription?

Commercial providers such as Planet, Maxar, or ICEYE operate under the export-control and licensing laws of their home country, which can lawfully restrict or suspend access during a geopolitical crisis — precisely when you need the data most. A nation-owned constellation carries no such third-party kill-switch. Additionally, raw downlinks to a sovereign ground station reduce the risk of an adversary intercepting or spoofing a commercially routed data pipeline.

Which physical asset types benefit most from this application?

The highest-value targets are assets whose physical disruption and cyber compromise are mutually reinforcing: power-grid substations, water-treatment chemical dosing systems, nuclear fuel-cycle facilities, LNG terminals, and financial-exchange data centres with rooftop cooling infrastructure. For all of these, an adversary that combines a cyberattack with timed physical interference (cutting fibre, blocking access roads) can multiply the impact by orders of magnitude; satellite linkage provides the only wide-area view that connects both vectors.

How small a constellation is workable for a mid-sized nation?

For a nation with 50–200 high-value critical sites, a constellation of 6–12 microsatellites in a sun-synchronous LEO at ~500 km altitude can achieve 3–5 revisits per day per site in combination with commercial augmentation. This is enough to detect overnight construction activity, perimeter changes, or the arrival of specialised equipment that correlates with a known threat signature. A fully sovereign capability with SAR and optical payloads at that scale is achievable for approximately $300–600M over a 10-year programme life.

Does RF emissions monitoring from space add real value here?

Yes. Companies such as HawkEye 360 have demonstrated that passive RF geolocation from LEO can detect anomalous radio-frequency activity near protected sites — rogue drones broadcasting on unlicensed bands, frequency-hopping jammers, or unusual cellular patterns consistent with a coordinated intrusion team. For a sovereign operator, integrating an RF-monitoring payload on the same bus as the imaging sensor removes the need to rely on a foreign commercial provider for this intelligence layer.

How does this interact with national SCADA security frameworks like NERC CIP or IEC 62443?

NERC CIP-014-3 already mandates physical security risk assessments for high-voltage transmission infrastructure, and IEC 62443-3-3 sets cybersecurity requirements for industrial control systems. Cyber-physical satellite linkage provides the independent physical-verification layer that neither standard explicitly addresses: a sensor outside the facility's own security perimeter that can confirm or refute ground-level status reports. Nations can cite space-based monitoring as a compensating control in their compliance documentation.

What is the governance model for handling the fused data?

Best practice, as advocated by ENISA and NIST, is a tiered data-handling architecture: raw satellite imagery stored in a classified enclave, change-detection alerts routed to a sector-specific ISAC (Information Sharing and Analysis Centre), and de-identified trend data available to regulators and operators. The satellite operator — ideally a national space agency or a state-owned special-purpose vehicle — should be constitutionally separated from law-enforcement and intelligence agencies to prevent mission creep and to preserve civil-liberties safeguards.

Can a small nation afford to build this capability without international partners?

Most small nations will benefit from a tiered approach: build and own the ground segment and data-processing pipeline domestically, co-develop or procure the satellite bus from a trusted partner nation under a government-to-government technology-transfer agreement, and operate the constellation autonomously. ESA's Earth Observation programme and bilateral arrangements such as the Copernicus Contributing Missions framework provide precedents for shared-development models that still leave the data sovereign with the operating nation.

Glossary

Cyber-Physical System (CPS): An engineered system in which computational algorithms and physical components are tightly integrated, so that a cyber event (e.g., a malicious command) produces direct physical effects (e.g., a valve closure or generator trip).
OT (Operational Technology): Hardware and software that directly monitors or controls physical devices, processes, and events in industrial environments — distinct from IT systems that manage data.
SCADA (Supervisory Control and Data Acquisition): A category of OT software architecture used to remotely monitor and control industrial infrastructure such as power grids, pipelines, and water systems.
SAR (Synthetic Aperture Radar): An active microwave imaging system on a satellite that can produce high-resolution imagery of the Earth's surface regardless of cloud cover or illumination conditions.
Change Detection: An image-processing technique that compares satellite imagery of the same location at different times to identify statistically significant physical changes such as new structures, vehicle movements, or ground disturbance.
ICS (Industrial Control System): The broad category of control systems — including SCADA, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC) — used to operate industrial infrastructure.
CVE (Common Vulnerabilities and Exposures): A publicly maintained list of known cybersecurity vulnerabilities, each assigned a unique identifier, maintained by MITRE under sponsorship from the US Department of Homeland Security.
RF Geolocation: The process of determining the physical location of a radio-frequency emitter by measuring signal timing or angle-of-arrival from multiple satellite or ground-based receivers.
Sun-Synchronous Orbit (SSO): A near-polar LEO in which the satellite passes over any given location at the same local solar time on each orbit, ensuring consistent lighting conditions for optical imaging.
ISAC (Information Sharing and Analysis Centre): A sector-specific organisation that collects, analyses, and disseminates threat intelligence among critical-infrastructure operators and government agencies within a defined industry vertical.

References

NIST Special Publication 800-82 Rev. 3: Guide to Operational Technology Security — The definitive US federal guidance on securing industrial control systems, Rev. 3 expands coverage to include supply-chain risk management and explicitly addresses the gap between physical-security controls and cyber-monitoring tools in converged OT environments.
IBM Cost of a Data Breach Report 2023 — IBM's annual report places the mean cost of a critical-infrastructure breach at $4.82M above the cross-industry average, with a median detection time of 204 days — a window large enough for a coordinated attacker to exploit both cyber and physical access vectors before defenders respond.
Dragos Year in Review: ICS/OT Cybersecurity 2023 — Dragos identified 1,979 ICS-specific CVEs in 2023, of which 35% had no available patch at time of disclosure. The report highlights that adversary groups such as VOLTZITE and KAMACITE deliberately sequence cyber intrusions with physical reconnaissance of substation and pipeline facilities.
HawkEye 360 RF Analytics for Critical Infrastructure Protection — HawkEye 360 describes how passive RF geolocation from its cluster-satellite constellation can detect anomalous radio-frequency emissions near protected facilities, including signals consistent with unmanned aircraft systems, jamming devices, or clandestine communications equipment used in advance of a physical intrusion.
IEC 62443-3-3: System Security Requirements and Security Levels — IEC 62443-3-3 defines seven foundational requirements and four security levels for industrial automation and control systems, providing the normative framework against which satellite-augmented monitoring can be positioned as a compensating control for physical-layer verification gaps.
CISA Cross-Sector Cybersecurity Performance Goals 2023 — CISA's sector-agnostic CPGs establish baseline cyber hygiene practices for critical infrastructure operators, and include recommendations for independent, out-of-band monitoring mechanisms — a role that space-based physical-change detection is uniquely positioned to fulfil for geographically dispersed asset portfolios.

Related applications

8.7.1 — Nuclear Facility Surveillance (Strategic Asset Protection)
8.7.2 — Refinery & Petrochemical Watch (Strategic Asset Protection)
8.7.3 — Strategic Reserve Monitoring (Strategic Asset Protection)
8.1.1 — Border Activity Detection (Smart Borders)
8.1.2 — Cross-Border Incursion Alerts (Smart Borders)
8.1.3 — Migration Flow Mapping (Smart Borders)
8.1.4 — Border Wall & Fence Integrity Monitoring (Smart Borders)
8.1.5 — Remote Crossing Surveillance (Smart Borders)