Commercial low Earth orbit (LEO) satellite operators may be delivering connectivity into Australia without establishing a local presence, potentially placing user data outside the reach of domestic laws, a new joint advisory from Australia’s cyber security agency and its international partners warns.
The advisory warns that LEO systems routinely relay data across multiple national borders without passing through local infrastructure in Australia.
Doing so risks creating ambiguity over which country’s laws govern that data, complicating compliance with privacy and data protection regulations.
Private satellite operators’ global infrastructure and operational autonomy can exert control over data flows that may exceed the regulatory capacity of individual nations.
To mitigate the complex challenge of ensuring sovereignty over data as it traverses global satellite infrastructures, the Australian Cyber Security Centre (ACSC) and partner agencies recommend that organisations using LEO services request contractual terms defining data localisation obligations.
This includes seeking in-country management of customer-held keys to maintain cryptographic sovereignty, ACSC suggested.
Furthermore, organisations should ask providers to configure satellites to downlink data exclusively to ground stations within permitted jurisdictions.
LEO satellite operators should also be asked to isolate customer data at operating system, network and storage levels.
ACSC said the Confidentiality, Integrity and Availability (CIA) triad is critical to maintaining secure and reliable operations.
Challenges under the CIA triad concept include preventing unauthorised access to data transmitted or stored in the satellite system network, and maintaining its integrity so that the information isn’t manipulated.
Ensuring that the LEO satellite network and the services it provides are accessible when needed is another challenge.
ACSC warned that satellite signals could be jammed, with data links being overwhelmed through denial of service attacks. Kinetic strikes from anti-satellite weapons are another risk, the agency said.
Detailed cyber security risk mitigation advice
LEO satellite systems face a set of cyber threats driven by their distributed architecture, limited physical access to space-based assets, and reliance on radio frequency links that are susceptible to jamming, spoofing, and interception, ACSC said.
The constant movement of LEO satellites and frequent handovers between ground stations make it harder to maintain consistent security across connections, demanding specialised approaches that go beyond conventional terrestrial security models.
Ground infrastructure, comprising satellite control centres, gateways, and user terminals, presents the most exposed attack surface.
This is due to extensive connectivity with existing and future terrestrial networks and susceptibility to threats including malware injection, credential compromise, and denial-of-service attacks.
The space segment itself faces risks including unauthorised command injection, payload hijacking, firmware tampering, and signal spoofing, with legacy satellites particularly vulnerable given they were designed before modern cyber security standards existed.
At the user end, weak endpoint security, unpatched software, insecure API configurations, and poor cyber hygiene can give attackers a foothold that allows them to pivot into the broader satellite ecosystem.
For organisations using LEO services, the guidance recommends enforcing multi-factor authentication (MFA) and deploying endpoint detection and response (EDR) tools.
Encrypting data in transit and at rest using approved algorithms, and implementing regular patching and secure configuration baselines for terminals, are also recommended.
Security agencies urge organisations to begin planning for post-quantum cryptography now, establishing key management strategies aligned with emerging post-quantum (PQ) standards before breaking current encryption methods becomes viable.
LEO satellite services deliver high-bandwidth, low-latency internet communications, as well as direct-to-device (D2D) connectivity and mobile backhaul.
As such, LEO satellite services have increasingly become the favoured option for consumers and businesses in remote areas.
Mining, maritime, agriculture, and healthcare are some of the sectors that often rely on commercial satellite constellations for remote connectivity and emergency communications.
The guidance is aimed at organisations that use commercial LEO services rather than the satellite operators themselves.

