What Does Selling Your Ground Stations Mean for Cybersecurity?

On May 3, Bloomberg reported that Eutelsat Group is exploring options to sell its ground station network, which is said to be valued at over $850 million.

Eutelsat is said to be working with consultants to find a buyer for the ground network. This may stem from the fact that infrastructure investment groups may have expressed interest in Eutelsat infrastructure. It was reported to Bloomberg that no final decisions have been made, and Eutelsat may decide to keep the company.

On May 6, Eutelsat published a press release confirming Bloomberg’s speculations and underlining that “it is analyzing options to partner with external infrastructure investors in its ground network.” Eutelsat clarified that this was only an avenue that is being explored and that there was no certainty that it would ever materialize.

This comes a few months after Eutelsat merged with OneWeb and sold its stake in Airbus OneWeb Satellite joint venture.

Exploring Eutelsat’s Options

When considering selling an existing ground station network, several options may be available to Eutelsat (although it also applies to any other company):

· Selling its ground stations to develop a new generation of ground stations;

· Establishing joint ventures with infrastructure investment firms or other telecommunications companies;

· Attracting investments in exchange of stakes in the company;

· Selling its ground stations to develop a gateway-less system, relying on inter-satellite links rather than ground stations (similarly to Rivada’s OuterNet project);

· Selling its ground stations to another company to switch to Ground Stations as a Service (GSaaS) providers such as Microsoft Azure or AWS Ground Station;

· Selling its ground stations directly to a GSaaS operator and keep using them through the GSaaS solution, but without owning them;

· Renting its spare capacities to a GSaaS operator.

The Cost-Benefit of Ground Stations as a Service

Ground Stations as a Service (GSaaS) is a cloud computing service that enables satellite operators to use a network of ground stations to control their satellite, retrieve, and process satellite data on their virtual private cloud (VPC). It removes the need for operators to build their own ground stations. Space companies share stations with other operators but only pay for the antenna time used by their systems, thereby significantly reducing both their fixed and operating costs. GSaaS have built their own ground stations but also rely on established networks developed by space companies. GSaaS providers may therefore also be interested in such a network. This market is currently dominated by AWS Ground Stations and Microsoft Azure Orbital Ground Station.

The ground segment is often seen as one of the most vulnerable segments because it’s vulnerable to many traditional IT threats. If successful and sophisticated enough, targeting a ground station can also enable an attacker to send commands and ultimately take control of a satellite.

In terms of cybersecurity, the advantage of GSaaS is that cybersecurity solutions are often embedded within virtual private clouds. Operators can therefore focus on mission specifics rather than deal with the technical and regulatory aspects of building and securing their ground infrastructure. Cybersecurity of the ground stations becomes the responsibility of the cloud provider. In addition, for operators, cyber threats become the same as other digital infrastructures on Earth, removing the specifics and challenges of securing space systems.

Nevertheless, it does not make GSaaS immune to cyberattacks. The operator then becomes vulnerable to attacks that target the cloud infrastructure at large. Major cloud providers regularly face cyberattacks, in particular denials of service (DDoS), which may prevent space operators from sending commands and controlling their spacecraft, including conducting timely anti-collision maneuvers in case of attack. More broadly, as seen in the general press recently, depending on internet giants means that customers may be victims of inadvertent mistakes.

A few weeks ago, it was reported that Google Cloud accidentally deleted the data of an $125 billion Australian pension fund. Although this was an isolated case, the consequences could be critical should it happen to a space company.

While GSaaS is a convenient solution, its cyber disadvantages mostly pertain to digital and data sovereignty from the perspective of European operators. Most cloud ground station services are U.S. companies. Regardless of where the data is stored, cloud providers are subject to U.S. jurisdiction due to the extraterritoriality of U.S laws such as the Cloud Act of 2018, thereby affecting data security, confidentiality, and sovereignty for European space companies such as Eutelsat.

Not owning its ground infrastructure, and ultimately the data that goes through it, may become an issue for Eutelsat should it aim to expand its number of customers in the field of security and defense. At the same time, European cloud providers are arguably not dimensioned to enter the GSaaS market, leaving only U.S providers as credible options.

In April at the Cysat conference in Paris, Cesar Carmona from Rivada Space Networks underlined that startups do not have time to reinvent the wheel and rely on well established players and cloud providers, which also make it easier for space companies in terms of compliance.

Marin Le Houelleur from Prométhée explained that they relied on major cloud providers because it is practical but stressed that it was not ideal in terms of sovereignty, underscoring his awareness that they “give their data and keys to the devil.”

The Cybersecurity Stakes of Selling Ground Stations

When considering the possibility of selling ground stations, a company should not overlook cybersecurity aspects when handing over its infrastructure, regardless of the option chosen.

Selling to another stakeholder often involves phases of due diligence, audits, and other internal assessments, but a company should always bear in mind the potential economic intelligence threat of certain audit companies. In addition, what would happen if unpatched vulnerabilities, APT threats, or other cyber risks are discovered throughout the due diligence process? How would this affect the transaction and who would be in charge of fixing these issues?

In addition, the seller and the buyer would have to contractually agree on liability and responsibility in case an attack occurs during and/or after the transaction. Furthermore, the seller would have to take all measures to ensure that no confidential data remains on ground stations’ networks prior to the transaction.

Another aspect which may be overlooked is communications. Communications about an attack are sometimes as critical as the attack itself. The buyer and the seller would therefore also need to contractually agree on responsibilities and possibilities of press relations and communications in case an attack occurs during or after the transaction.

Finally, selling to another stakeholder would not necessarily prevent the seller from having to deal with the network after the transaction. In case the ground station network integrates proprietary software, responsibilities for regularly updating the software and patching vulnerabilities often stay the responsibility of the creator. This would also have to be contractually defined with the seller.

Ultimately, considering the sale of a ground network is a complex decision, one that intertwines with financial, operational, security, and sovereignty challenges. Contractual cybersecurity aspects are highly complex and often buried within the fine prints. One small clause may affect the operations or reputation of either the buyer or the seller should an attack occur. Regardless of Eutelsat’s decision, securing a ground infrastructure does not entirely stop when it’s sold and may continue until the end of its lifecycle. Although cybersecurity is unlikely to be the central focus of Eutelsat’s consideration to sell its ground network, it is one of many that should not be neglected. VS

Clémence Poirier is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich

Photo: Eutelsat's Skylogic Mediterraneo teleport in Sardinia. Credit: Eutelsat