"Five Years Has Become a Truly Long Time": Fortinet Director of Specialized Systems Engineering Aldo Di Mattia on Ground Segment Vulnerabilities, Quantum-Proof Satellites, and Why OT Security Principles Apply to Space Infrastructure
Satellite ground stations don't look like factories – the screens show orbital mechanics, not assembly lines – but they fail the same way. Legacy software that can't be patched. Remote access that expands attack surfaces. Firmware updates that happen once a year if you're lucky. The cybersecurity playbook is the same; most operators just haven't realized it yet.
Aldo Di Mattia joined Fortinet in 2012 and has progressed to Director of Specialized Systems Engineering and Cybersecurity Advisor, leading a team of experts responsible for SASE, SecOps, OT, and Cloud technologies across Italy and Malta. He holds seven USPTO patents spanning Security Cooperation, Zero Trust Access, Deception, SD-WAN, Threat Intelligence, and Face Recognition, with his two most recent built on artificial intelligence. He has also served as a university professor in cyber defense, automation response, and quantum-proof encryption.
His perspective on space infrastructure security begins with a simple observation: satellite ground segments share fundamental vulnerabilities with industrial control systems. Legacy software that cannot be easily patched. Remote access requirements that expand attack surfaces. Devices designed for decades of operation in environments where firmware updates happen rarely, if at all. The same principles that govern factory floor security (visibility, segmentation, and centralized control) apply directly to the systems that communicate with assets in orbit.
The conversation that follows explores what happens when OT security frameworks meet space infrastructure, how NIS2 regulations affect satellite operators, whether quantum computing threatens satellites already in orbit, and why the Mediterranean corridor presents distinct cybersecurity coordination challenges. Di Mattia's answers draw on both his technical background and his experience working across Italian and Maltese critical infrastructure sectors.
Satellite ground stations share vulnerabilities with industrial control systems: legacy software, limited patching, remote access requirements. From your OT security experience, what are the most underappreciated attack vectors for ground segments?
"Yes, exactly," Di Mattia begins. "Satellite ground infrastructure often runs OT-like systems, yet lacks modern continuous visibility and logging, making lateral movement and stealthy breaches easier. The number of vulnerabilities on OT devices is huge, many more than IT systems."
He walks through the math. IT systems live three to five years, and during that short window they receive about a patch per month. OT devices work for decades, and in that long period they receive very few firmware updates, in many cases fewer than one per year. "It means they have many critical vulnerabilities exploitable during the life cycle," he explains. A vulnerability is defined as critical when it allows an unauthenticated user to control the system, execute arbitrary code, or gain additional privileges. Ground segments inherit this exposure.
Vulnerabilities are the biggest problem, but broadening the discussion, Di Mattia points to what Fortinet's State of Operational Technology and Cybersecurity reports consistently highlight: a massive lack of visibility, segmentation, and centralized control across OT environments. "These gaps are the foundation that attackers exploit in complex converged environments."
When it comes to reducing these underappreciated vectors, he emphasizes remote access first. "Especially for remote and vendor connections," he says. "If OT remote access is not tightly controlled, it becomes one of the largest attack vectors." The approach involves Zero Trust Architecture, VPN, multifactor authentication, and system access through RSA systems.
Then there's the visibility problem. "It's fundamental to include software and vulnerability management and a threat intelligence service," Di Mattia continues, "in order to identify all exploitable vulnerabilities, including at the same time a virtual patching solution that blocks any potential exploitation while awaiting the physical patching."
He also stresses segmentation and micro-segmentation to prevent lateral movement in converged networks, adding that deception systems allow Security Operation Centres to identify cyber criminals inside the perimeter and understand their attack methods.
"And platform-based security across IT and OT," he adds, "unified enforcement and threat intel, because the complexity is enemy of security."
Italy's NIS2 transposition covers over 12,000 entities, including critical product manufacturers and digital infrastructure. How should satellite operators interpret these requirements? Is there a risk they fall into a regulatory gray zone?
"I don't believe there is a gray zone," Di Mattia responds, "because NIS2, de facto, is a list of best practices. I think every company should try to address the requirements of this EU directive, not only the companies quoted in NIS2."
All private entities should benefit from this work, he argues, because it helps every company improve their cybersecurity posture. Public administrations and critical infrastructures classified as essential or important have to satisfy the requirements to avoid heavy fines, but the underlying logic applies universally. "Anyway, digital infrastructures and space infrastructures, including ground segment, are explicitly involved."
The directive requires organizations to implement "appropriate and proportionate" controls covering risk analysis and security policies, incident handling, business continuity and disaster recovery, secure development and vulnerability handling, access control and asset management, encryption and authentication, and supply-chain security.
Di Mattia pauses on that last item. "Except for supply-chain security, which is really complex to address and to verify," he admits. "We could talk for hours about that." The challenges of confirming security practices across extended supplier networks resist simple solutions.
But for everything else on the list, these are basic best practices needed to survive in a digital world. "I think no one wants to see their business fail," he observes, "so it would be right to adapt."
You've taught quantum-proof encryption at the university level. Many satellites have 15 to 20 year lifespans with no way to upgrade encryption. What's your timeline assessment, and what compensating controls make sense for operators who can't retrofit?
"Yes, it's really important to use quantum-proof cryptography," Di Mattia says, "and it's fundamental to do this just now."
While Q-Day may still be a few years away, the threat of quantum computers to data security is already here. He describes the harvest-now, decrypt-later scenario: threat actors harvest sensitive and confidential data today so they can decrypt it using quantum computers once they become available. "Because of this, it is critical that organizations begin making their encrypted data quantum-safe now so any harvested data remains secure once quantum computers arrive."
For satellite operators who cannot update their orbital infrastructure immediately, Di Mattia sees a practical workaround. "Awaiting to update the satellites infrastructure, we can solve the issue with site-to-site VPN quantum proof." The traffic passing through satellite systems gets encrypted before transmission using quantum-resistant methods, without requiring changes to the satellites themselves.
He describes two key quantum-safe solutions available today. The first, Post-Quantum Cryptography or PQC, is a software solution. "Because PQC is software, it is ideal for large-scale, cost-effective deployments across diverse environments, including clouds, data centers, and endpoints," he explains. "It can also be integrated into existing appliances, firewalls, and VPN gateways to secure active traffic and digital identities." ML-KEM is the current standardized PQC algorithm.
The second approach, Quantum Key Distribution or QKD, is hardware-dependent. "QKD ensures security based on principles of quantum physics," Di Mattia notes. "However, it requires integration with key QKD vendors via the standardized ETSI GS QKD 014 interface to ensure interoperability and management." QKD is suited for high-assurance, mission-critical links, such as securing government or financial backbone networks where the highest level of assurance is mandatory.
"By offering both options, a comprehensive platform enables security teams to choose the most efficient, robust defense strategy to meet their security posture requirements," he says. "In both cases the traffic passing through the satellite infrastructure is already encrypted and the encryption used is quantum-proof, without an infrastructure update."
You cover Italy and Malta, both at the center of the Mediterranean. Are there cybersecurity threats or coordination challenges unique to this corridor that play out differently than in Northern Europe?
"Both countries are feeling the effects of the two ongoing conflicts and the hot geopolitical situation geographically close," Di Mattia explains.
The current wars are hybrid, and cyber-attacks often spill out of the nations involved in a conflict and land in neighboring countries or across the world. The Mediterranean's proximity to active conflict zones creates exposure that shapes the threat environment in ways Northern European nations experience differently.
"Except for the conflicts and for some specific attacks to Italian or Maltese targets," he continues, listing the most common motivations: espionage, competitiveness, fraud, theft, "we are in line with the rest of Europe."
The implication is subtle but worth noting. The Mediterranean corridor faces the same baseline threats as the rest of the continent, but with an additional layer of conflict spillover that comes from geographic proximity. Ground segments in this region connect to satellites serving areas where hybrid warfare is not theoretical but operational.
You hold seven USPTO patents spanning Security Cooperation, Zero Trust Access, Deception, SD-WAN, Threat Intelligence, and Face Recognition. Which of these concepts translates most directly to space systems, and which capabilities are still missing?
"The greatest part of those have the scope to improve the cybersecurity protection of infrastructures and communications," Di Mattia reflects, "so I think almost all of them apply."
He walks through the different functions. Some help address communications availability, which he considers perhaps the most important aspect for space communications. Others improve threat identification and unauthorized access detection. Still others simplify the native cooperation between the roughly 40 to 50 security products that protect a modern infrastructure: network, application, data center, email, endpoint, and more. "We can protect an IT/OT/IoT infrastructure only if we can simplify the architecture," he explains.
As for what's missing, Di Mattia sees ongoing needs. "Without doubt, many capabilities are missing, for sure to improve more and more availability and performance," he says, "and why not, further innovative ways to improve encryption."
The investment picture is changing. "These systems will be used more and more in the near future, so many more features and patents will arrive soon because there is now much more investment and attention from companies."
Five years from now, what does the cybersecurity landscape for space infrastructure look like? What threats should operators be preparing for today that most aren't taking seriously yet?
"It's becoming difficult to answer these questions," Di Mattia admits. "Five years has become a truly long time in the evolution of technology and cybersecurity. It used to seem like an adequate amount of time to make these considerations, but now the world is increasingly fast."
Generative AI and Agentic AI are transforming everything rapidly. We don't know when Q-Day will be. "Just as we don't know what attackers will invent with these new technologies at their disposal."
For the immediate future, he circles back to fundamentals. "In the immediate future, I believe we should adopt the minimum protection systems and best practices mentioned above. This alone would help a lot."
His reasoning is mechanical. To compromise a system, you have to reach it. Then you have to exploit a vulnerability, a bad configuration, or poor adoption of appropriate standards. "What we need to do is make life difficult for attackers."
Di Mattia describes what this looks like in practice: protect OT/IT/IoT infrastructures with next-generation firewalls. Use Virtual Private Networks or Zero Trust Access, both quantum-resilient, based on multi-factor authentication. Access systems only through PAM-RSA, in an infrastructure where there are deception solutions, asset and software and vulnerability management, virtual patching gateways, sandboxing, and other state-of-the-art security solutions like EDR, NDR, and MDR. Support Security Operation Centre experts with SIEM and SOAR that enable high visibility, automatic configuration, self-assessment, and automation response. And of course, solutions based on Generative AI and Agentic AI.
"This is not the future," Di Mattia concludes. "It is the present, and it is a consolidated present."
Author's Analysis
Space infrastructure security is converging with OT security not because anyone planned it that way, but because the underlying technical realities are similar. Legacy systems. Long lifecycles. Remote access requirements. Limited patching windows. The accumulated wisdom of industrial control system security applies directly, and operators who recognize this can move faster than those who treat space as an entirely novel domain.
Di Mattia's central point deserves emphasis: the defensive architecture he describes is not speculative. Zero Trust, micro-segmentation, virtual patching, quantum-proof VPN tunnels, AI-assisted security operations. These exist now. The challenge lies in implementation, in securing budget and coordinating across organizational silos, not in waiting for technology to mature.
The regulatory environment is pushing in this direction. NIS2 mandates many of these practices. The harvest-now, decrypt-later threat creates urgency around quantum readiness even before Q-Day arrives. And the Mediterranean corridor Di Mattia covers offers a preview of how geopolitical proximity shapes cyber risk. Ground segments there connect to satellites serving regions where hybrid warfare is operational, not theoretical.
The satellites already in orbit will complete their missions with the encryption they launched with. The question is what happens on the ground, and whether operators treat the next five years as long enough to matter.
About Aldo Di Mattia
Aldo Di Mattia is Director of Specialized Systems Engineering and Cybersecurity Advisor at Fortinet, leading a team of experts responsible for SASE, SecOps, OT, and Cloud technologies across Italy and Malta. He joined Fortinet in 2012 as a Systems Engineer and progressed through increasingly senior roles to his current position.
In 2005, Di Mattia earned a degree in Computer Science from La Sapienza University of Rome, completing an experimental thesis on network security. From 2004 to 2012, he worked for two of the most prominent Italian system integrators in cybersecurity, developing extensive expertise and obtaining more than twenty specialized certifications in leading cybersecurity technologies, as well as the independent CISSP certification issued by ISC2.
At Fortinet, he has filed seven patents with the USPTO (United States Patent and Trademark Office), the most recent two of which are based on Artificial Intelligence. These patents include technological innovations across multiple areas of cybersecurity and physical security, specifically related to Security Cooperation, Zero Trust Access, Deception, SD-WAN, Threat Intelligence, and Face Recognition.
In parallel, Di Mattia has served as a university professor in Italy, teaching cyber defense, automation response, and quantum-proof encryption.
For more information, contact Aldo Di Mattia on LinkedIn.