The Ground Station Industry Is Hardening Against Missiles. The Bigger Threat Is the Software Running Them.
In the early hours of February 24, 2022, as Russian troops crossed into Ukraine, a cyberattack struck the Viasat KA-SAT network. Within minutes, 30,000 modems across Europe were dark. Ukraine lost satellite internet. German wind turbines lost remote monitoring. The satellite itself was untouched.
The attack did not breach the spacecraft. It breached the management interface.
Attackers exploited a misconfigured VPN appliance to access the trusted management segment of the KA-SAT network, then pushed destructive commands through the same infrastructure operators use to run the system. SentinelOne researchers named the malware AcidRain. It shared code with VPNFilter, a 2018 tool the FBI attributed to the Russian GRU. The most disruptive cyber operation of the war so far did not require an ASAT missile. It required a misconfigured firewall.
Four years later, the ground station industry has noticed the missiles. It has not fully noticed the software.
SpaceNews reported recent strikes on SESs commercial teleport in Israel, on AWS infrastructure in the UAE and Bahrain, and on radar systems supporting U.S. missile detection. Operators like France-based Skynopy and U.S.-based Atlas Space Operations have built software platforms that route satellite traffic across 17 and 34 geographically distributed stations respectively, promising to cut downlink delays from 90 minutes to under 40. Space Norways cables to Svalbard were knocked out for 11 days in 2022; the response was to add backup routes. KSAT now operates more than 30 sites globally.
This is the right answer to the wrong question.
The physical layer is not where the Viasat attack happened. The Viasat attack happened in the management plane. And as commercial ground stations migrate to cloud-based platforms offering Ground Station as a Service, the attack surface there is expanding faster than anyone is hardening it.
The U.K. governments Cyber Security and Digital Identity Directorate published a study documenting the risk in 2025. Integrating ground stations with cloud infrastructure improves accessibility and enables seamless handovers across global networks. It also introduces the same attack surface that makes enterprise networks vulnerable to intrusion, combined with industrial control systems that were never designed for modern threat models. Legacy systems are the worst offenders: many were built before cybersecurity was a design requirement. Smaller operators lack the resources to keep up. The result is a fragmented industry where security maturity varies wildly, and the shared responsibility model of cloud services creates accountability gaps between GSaaS providers and satellite operators that neither side has fully mapped.
CISA put it plainly in a 2024 report: the ground segment is the most vulnerable part of space infrastructure to cyberattack. NIST published a separate framework applying its Cybersecurity Framework to satellite command and control. Neither document is classified. Both have been available for over a year. Neither has prompted the kind of industry-wide security audit that the physical hardening narrative has.
The Space Forces own procurement history illustrates the problem. SpaceNews reported the service launched the SCAR program in 2022 to build mobile ground stations for satellite command and control, awarding BlueHalo a $1.4 billion contract later increased to $1.7 billion. In May 2025, AeroVironment acquired BlueHalo. In September, the company announced a contract restructure. On January 16, 2026, the government issued a stop work order. No units have been delivered. The program is being reopened to other vendors, and the new acquisition strategy will emphasize fixed-price commercial models and supply chain resilience over the bespoke design originally specified.
The SCAR/BADGER stumbles reflect a deeper difficulty: the requirements for resilient ground infrastructure in a contested environment are not settled. Mobile terminals, distributed networks, regulatory flexibility for cross-border licensing these are all unsolved problems. And they are getting attention. The software layer underneath them is not.
The SDA director put one part of it clearly in 2023: common mode failures like cyberattacks on ground systems can take out all your satellites, and you cannot proliferate your way out of that. The industry response has focused on proliferation. Distributed ground station networks, multi-site redundancy, satellite-to-satellite relays designed to bypass ground infrastructure entirely. These are real improvements. They do not address the management plane.
There is no evidence that any major ground station operator has suffered a Viasat-style management-layer compromise since 2022. The Viasat case involved a specific misconfiguration on a specific network. It is possible that the industry has since closed that particular gap. It is also possible that the lessons learned from Viasat have been applied selectively, at better-resourced operators, while smaller providers and older systems continue to run with the same vulnerabilities they had in 2022.
The cloud transition makes the stakes higher regardless. When a ground station network runs on a cloud platform shared with other tenants, a single exploited vulnerability potentially exposes multiple operators. When management interfaces are accessible via the internet rather than air-gapped at specific facilities, the attack surface grows. The UK DSIT study documented both risks. It also documented that the smallest operators in the supply chain have the least capacity to respond to them.
Ground station operators will tell you about their geographic diversification, their backup routes, their resilience architecture. Most of that is genuine. The question worth asking is what happens when the next attack does not come through the antenna, but through the software that tells the antenna where to point and when to transmit. The industry has a plan for that. It is not clear anyone has built it.