The global space industry is navigating an increasingly precarious security landscape as state-sponsored actors, particularly from Iran, deploy sophisticated social engineering and artificial intelligence to compromise satellite infrastructure. During the CyberSat Exchange at SATShow Week in March, Chief Information Security Officers (CISOs) from leading satellite firms—including Vantor, SES, Viasat, and Telesat—convened to provide a sobering assessment of the vulnerabilities facing the sector. Their warnings coincide with a heightened state of alert from United States federal agencies regarding the security of critical infrastructure and the rapidly closing window between the discovery of a software vulnerability and its active exploitation by hostile entities.
The Surge in Iranian Cyber Operations and Social Engineering
A primary focus of the discussion centered on the evolving capabilities of Iranian threat actors. Norm Laudermilch, CISO of Vantor, highlighted a massive spike in activity that mirrors the established tactics, techniques, and procedures (TTPs) associated with Tehran-linked hacking groups. These actors have demonstrated a high level of proficiency in social engineering, moving beyond generic phishing attempts to highly targeted, multi-staged campaigns.
According to Laudermilch, Iranian actors are meticulously scraping public-facing corporate websites to create "malicious mirrors"—near-identical replicas of legitimate portals. These fake sites are then used to target suppliers, customers, and external partners. By directing these entities to a fraudulent URL that appears authentic, attackers can harvest credentials and gain a foothold in the supply chain. This method exploits the inherent trust between space companies and their sprawling network of third-party vendors.
The sophistication extends to mobile and encrypted messaging platforms. "Amazing targeted smishing and phishing" campaigns are now prevalent on SMS, WhatsApp, and Signal. Laudermilch noted that threat actors are increasingly leveraging generative AI to enhance their deception. By capturing audio from public speeches or panel discussions, attackers can feed the data into AI voice-cloning tools to create authentic-sounding voice notes. These messages, often demanding immediate administrative actions such as the escalation of user privileges or the release of sensitive system logs, are designed to bypass traditional security hurdles through psychological pressure and perceived authority.
Federal Alerts and the Expansion of the Attack Surface
The concerns voiced by space industry leaders align with a broader warning issued by the U.S. government. On April 7, a Joint Alert was released by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI, the Environmental Protection Agency (EPA), the Department of Energy, and U.S. Cyber Command. The advisory specifically addressed the growing threat posed by Iran-affiliated advanced persistent threat (APT) actors targeting internet-facing operational technology (OT) devices.
While the space sector is not officially designated as one of the 16 critical infrastructure sectors in the United States, its integral role in telecommunications, GPS, and national defense makes it a de facto critical component of global stability. The Joint Alert emphasized that Iranian actors are actively exploiting vulnerabilities in OT systems, which are the hardware and software used to monitor and control physical devices. For space companies, this includes ground station equipment and command-and-control interfaces that bridge the gap between terrestrial networks and orbital assets.
The advisory urged organizations to review indicators of compromise (IOCs) and implement more rigorous monitoring of their networks. The CISOs at the CyberSat Exchange noted that the time between a "zero-day" vulnerability being announced and an exploit being deployed has shrunk to nearly zero, necessitating a shift from reactive patching to proactive, intelligence-led defense.
Artificial Intelligence: A Double-Edged Sword in Orbit
The integration of Artificial Intelligence (AI) into the space industry has introduced a new and complex attack surface. Vinit Duggal, Vice President of Networking Engineering and CISO of SES, remarked that threat actor capabilities have reached a "substantial" level, moving at "light speed." He argued that the industry must reach a state of "playing math with math," utilizing AI-driven defense systems to counter AI-driven attacks.
Phil Mar, CTO and Vice President of Engineering for Viasat Government, observed that the engineering profession itself is undergoing a revolution. Modern engineers are increasingly relying on AI to write and modify code, a shift that requires security architectures to be "AI-aware." Mar warned against "blind automation," stressing that while AI can accelerate response times, clear human-led escalation paths and decision loops must be maintained to prevent automated systems from making catastrophic errors during a breach.
Asit Tandon, Chief Network and Information Officer of Telesat, raised concerns regarding the integrity of the AI models themselves. He pointed out that attackers do not necessarily need to "crash" a system to be successful; instead, they can manipulate the underlying policy or data of an AI model. This "model poisoning" can lead to a situation where the AI continues to function but provides subtly incorrect results or biased data, leading operators to make flawed decisions based on compromised intelligence. This "silent" threat, Tandon noted, is often more dangerous than a loud, disruptive attack.
Lessons from the Viasat Incident and the Drive for Resilience
The 2022 cyberattack on Viasat’s KA-SAT network remains a watershed moment for the industry. The attack, which occurred at the onset of the Russian invasion of Ukraine, resulted in the permanent "bricking" of thousands of satellite modems across Europe. This incident fundamentally changed the industry’s perception of risk, shifting the focus from simple prevention to comprehensive resilience.
"I think it is only a matter of time before another major incident," Laudermilch admitted, noting that while security controls aim for prevention, resilience is the strategy for when prevention fails. Since the Viasat event, companies have invested heavily in the ability to recover operations quickly after a compromise.
Viasat has been notably transparent about the 2022 attack, sharing the full attack chain with the broader industry to foster a collective defense. Phil Mar described the daily reality of satellite security as "hand-to-hand combat," an ongoing struggle to stay one step ahead of adversaries who are constantly probing for weaknesses in both old and new infrastructure.
Security by Design in the Era of Multi-Orbit Constellations
The transition toward Low Earth Orbit (LEO) and multi-orbit "mesh" constellations is altering the tactical landscape of space security. Telesat is currently developing its "Lightspeed" constellation, which utilizes a high number of smaller satellites to provide global connectivity. Tandon emphasized that while these constellations offer inherent redundancy—if one satellite fails, others can take its place—they also significantly increase the number of entry points for an attacker.
"Cybersecurity has to be right at the center of things," Tandon said. "It can no longer be a bolt-on later." This "security by design" philosophy is essential for managing the complex software environments required for multi-orbit operations.
However, the move to mesh networks also offers unique defensive advantages. Laudermilch explained that a mesh network in space can adapt dynamically to ground-based threats. For example, if a specific ground station or geographic region is launching a Radio Frequency (RF) interference attack or attempting a command-and-control compromise, a satellite can be programmed to "stop listening" as it passes over that area. Instead, it can receive its instructions and data through inter-satellite links from neighboring vehicles in the constellation, effectively bypassing the threat.
The Future of Information Sharing and Strategic Investment
As the panel concluded, the experts discussed how they would allocate resources if given a significant budget increase, such as $100 million. Vinit Duggal of SES suggested that the priority should be data consolidation. Currently, many companies have security data siloed in different departments or systems, making it difficult to gain a comprehensive view of the threat landscape. By centralizing this data, companies could apply advanced analytics to identify patterns that might otherwise go unnoticed.
Asit Tandon advocated for a shift toward "near real-time operational incident sharing." While the industry has improved its willingness to share post-incident reports, Tandon argued that sharing information as an attack is unfolding would provide the greatest benefit to collective security. This would allow companies to adjust their defenses in minutes rather than months.
The consensus among the CISOs was clear: the space industry is no longer a peripheral target. As space becomes increasingly vital to the global economy and geopolitical strategy, it has become a primary front in the ongoing cyber conflict between state actors. The combination of Iranian persistence, AI-driven exploitation, and the rapid expansion of orbital infrastructure requires a unified, resilient, and proactive approach to security that begins at the design phase and continues through the entire lifecycle of every satellite launched.