
Page 1: GSTP Cybersecurity Compendium 2019 (emits.sso.esa.int/emits-doc/ESTEC/News/GSTPCybersecurityCompe…)

Prepared by: TEC-T
Reference: ESA-TECT-PL-015678
Issue: 1   Revision: 0
Date of Issue: 28/10/2019
Status:
Document Type:
Distribution:

ESA UNCLASSIFIED - For Official Use

ESTEC, European Space Research and Technology Centre
Keplerlaan 1, 2201 AZ Noordwijk, The Netherlands
T +31 (0)71 565 6565   F +31 (0)71 565 6040
www.esa.int

GSTP Element 1 “Develop” Compendium 2019: Cybersecurity


Page 2/24

GSTP Element 1 “Develop” Compendium 2019: Cybersecurity

Date 28/10/2019 Issue 1 Rev 0

ESA UNCLASSIFIED - For Official Use

Title: GSTP Element 1 “Develop” Compendium 2019: Cybersecurity
Issue 1 Revision 0
Author: TEC-T   Date: 28/10/2019
Approved by:    Date:

Change log
Reason for change | Issue | Revision | Date
                  | 1     | 0        |

Change record
Reason for change | Date | Pages | Paragraph(s)

Page 3/24

Table of contents:

1. INTRODUCTION ........ 4
2. LIST OF ACTIVITIES ........ 7
3. DESCRIPTION ........ 9
   GEN - Generic Technologies – Cybersecurity ........ 9
   CD2 - Structures, Mechanisms, Materials, Thermal ........ 9
   CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E) ........ 11
   CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing ........ 16
   CD9 - Digital Engineering for Space Missions ........ 21

Page 4/24

1. INTRODUCTION

The GSTP E1 “Develop” Compendium 2019: Cybersecurity is a list of candidate activities for the GSTP E1 “Develop” Work Plan. Its aim is to provide industry and Delegations with a consolidated overview, by Competence Domain, of the priorities for the development of cybersecurity technologies within the GSTP Programme. This document follows the previous GSTP Element 1 Compendia of Potential Activities (2013-2017) and completes the GSTP E1 Compendium 2019 for Generic Technologies (ESA-TECT-PL-015884). It is issued to the Delegations of GSTP Participating States and their industries for comment; comments will be considered in the following updates of the work plan for GSTP Element 1 “Develop”. The objective is to obtain a good indication of the developments the participants intend to support, so that updates of the GSTP E1 “Develop” Work Plan can be presented to the IPC for approval with a consolidated set of activities.

Space infrastructures are becoming more and more critical and are exposed not only to safety threats but to security threats as well. It has become a necessity to protect these assets from harmful conditions and events, whether intentional or not. Security has been identified by ESA and its Member States as a new pillar for space system developments, including the development of new technology and key enablers to support and enhance the security of all space applications.

The security of space infrastructure shall address not only the space segment, but also the ground segment and its operations, and the user component relying on those segments. The latter is in many cases the easiest target of attacks. This becomes critical when satellite services support Safety-of-Life applications (e.g. satellite navigation and communication for civil aviation, maritime and railway), important maintenance functions (e.g. over-the-air software updates for automotive in a world of connected autonomous vehicles), or commercial and business applications (e.g. road tolling, fishery and agriculture management, asset tracking, etc.). Security has to be regarded from an end-to-end point of view: the attacker will search for the weakest point.

Space systems, just like other parts of the digitised critical infrastructure, are vulnerable to cyberattack. Cyberattacks can include jamming, spoofing and hacking attacks on communication networks; targeting of control systems or mission packages; and attacks on the ground infrastructure such as satellite control centres. Cybersecurity has therefore become a critical requirement for next-generation space systems. Building strong and resilient cybersecurity has become a worldwide priority, and the development of a flexible, multilateral space and cybersecurity regime is urgently required to protect European space assets.

Cybersecurity consists of technologies, processes and controls designed to protect systems, networks and data. Effective cybersecurity reduces risk and protects against the unauthorised exploitation of, or denial of access to, systems, networks and technologies. ESA, as a prime actor in the space context, needs to contribute to the security of the overall space ecosystem. This implies:

1. The protection of its own managed assets, facilities and operations.

2. The analysis of the security risks, threats, vulnerabilities and associated mitigations of ESA-led space missions, in close coordination with the relevant stakeholders and mission authorities, and the derivation of cybersecurity requirements and standards into the design.

Page 5/24

3. The definition and implementation of technological solutions or enablers that could feed the development of space systems, even beyond those directly managed by ESA, including the key technological components of the user segments, with the aim of making them more robust to cyber-attacks.

4. The stimulation of initiatives and technological developments addressing cybersecurity, supporting the competitiveness of European industry in the global market and limiting the dependence on non-European players.

5. The support to the evolution of the regulatory framework to protect the shared space environment and space assets.

ESA plans to address cybersecurity at various levels of technology innovation:

1. Identification and implementation of reference architectures for space- and ground-based data processing systems, which include flexibility and security by design, taking into account the rapidly changing nature of the cybersecurity threat.

2. Integration of security into the ESA system engineering process and toolchains.

3. Implementation of end-to-end and individual security mechanisms through standardisation and validation of security protocols, mechanisms and solutions (e.g. CCSDS SDLS).

4. Development of cost-effective technologies and solutions. Cybersecurity, like many other global developments, is in the end driven by economic aspects; hence the availability of affordable and efficient defence mechanisms is of very high priority.

5. Depending on the context, and bearing in mind the different nature of the various space missions: support the implementation of future-proof algorithms, technologies and architectures (at system, segment and/or equipment level), e.g. post-quantum cryptography and security units for long-lasting missions; adapt to the shorter-term scenario of new commercial space business models (for instance use of COTS, cost-driven rather than performance-driven solutions, HW/SW trade-offs for security solutions, etc.); and allow post-mission re-programmability as the ultimate solution for in-flight configurability.

6. Customisation or extension of existing commercial security tools for the specifics of the space data processing environment, including spin-in of technology from other sectors into the space domain.

The following areas have been identified as critical for future technological development:

- Technology addressing the security of the data and the links (ground-to-space / space-to-space / space-to-ground) at the various layers (physical / logical / data / network / application), including cryptographic functions and algorithms.

- Technology addressing the security of the equipment against intentional interference, spoofing and jamming, at satellite, ground station and user level, including detection, mitigation, cancellation, localisation, and the design of robust and resilient architectures involving both hardware and software.

- Technology addressing the protection of classified information on board, on ground, in process, at user and infrastructure level, at device or subsystem level (e.g. tamper protection, TEMPEST).

- Technology addressing the management of keys throughout their complete life cycle for the system and the user, including agreement/generation, distribution, injection, and single-user or multi-user scenarios.

- Technology supporting testing, monitoring, mitigation, situational awareness and forensic analysis of cyber-attacks, meant to support and ease the AIV and operations phases, including machine learning, AI, etc.

Page 6/24

- Technological enablers and transversal building blocks, IP cores, e.g. secure processor, secure SW partitioning, SW integrity, random number generation, in-flight crypto re-programming, multi-level and multi-user security, etc., meant to be used later for the design of security units, ground and user segment equipment, as well as secure avionics architectures.

Cybersecurity activities of strategic importance for the future development of space system have been identified and form the basis of the compendium. A Call for Ideas from external parties, particularly Industry and Academia, who are interested in technology focussed on Cybersecurity was launched during the 2nd quarter of 2019. The most innovative ideas submitted to the Open Space Innovation Platform (OSIP), with the widest potential impact in space applications, have been used to formulate detailed activity descriptions and included in this compendium.

Page 7/24

2. LIST OF ACTIVITIES

GEN - Generic Technologies - Cybersecurity

CD2 - Structures, Mechanisms, Materials, Thermal

Programme Reference | Activity Title | Budget (k€)
Technology addressing the protection of the classified information
GT1Y-301SW | Applicability of cybersecurity to protect and allow exchange of manufacturing data* | 500
Total | | 500

CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Programme Reference | Activity Title | Budget (k€)
Technological enablers, and transversal building blocks
GT1Y-302ES | Trust and isolation for applications in satellites | 500
GT1Y-303ES | Cybersecurity by design for mixed criticality embedded systems | 600
GT1Y-304ES | Trusted system configuration | 500
Technology addressing the management of the keys throughout their complete life cycle
GT1Y-305ES | Innovative key management for spacecraft security functions | 1,500
Total | | 3,100

CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing

Programme Reference | Activity Title | Budget (k€)
Technology addressing the protection of the classified information
GT1Y-306ES | Low-cost resilient software defined radio platform for satellite applications | 450
Technology supporting testing, monitoring, mitigation, situational awareness and forensic analysis of cyber-attack
GT1Y-307ES | Space domain security testing | 1,000
GT1Y-308ES | On-board RF firewall: technological development for on-board Cyber-RF space security situation awareness capability | 1,500
Total | | 2,950

Page 8/24

CD9 - Digital Engineering for Space Missions

Programme Reference | Activity Title | Budget (k€)
Technology supporting testing, monitoring, mitigation, situational awareness and forensic analysis of cyber-attack
GT1Y-309GD | Artificial Intelligence security monitoring platform | 500
GT1Y-310GD | Advanced automated cyber security testing | 500
Total | | 1,000

*Note: The activity GT1Y-301SW Applicability of cybersecurity to protect and allow exchange of manufacturing data deals with cybersecurity in the context of Advanced Manufacturing and is therefore linked to the GSTP E1 “Develop” Compendium 2019: Advanced Manufacturing, ref. ESA-TECT-PL-015900.

Page 9/24

3. DESCRIPTION

GEN - Generic Technologies – Cybersecurity

CD2 - Structures, Mechanisms, Materials, Thermal

Domain: Cybersecurity, CD2 - Structures, Mechanisms, Materials, Thermal

Ref. Number: GT1Y-301SW Budget (k€): 500

Title: Applicability of cybersecurity to protect and allow exchange of manufacturing data

Objectives: The objective of this activity is to apply cybersecurity technologies, processes and best practices to protect the integrity and confidentiality of data from Manufacturing, Assembly, Integration and Testing (MAIT) processes, and to produce guidelines for the secure exchange of data between different industrial partners.

Description: With the growing trend of industrial digitalisation, Manufacturing, Assembly, Integration and Testing (MAIT) processes rely ever more on digital files and network connectivity. In the advanced manufacturing field, Additive Manufacturing (AM) is a clear example of this digitalisation: from design to final product, the information is processed and exchanged via computer files and network connections, allowing free access to and use of the data. On the other hand, this digitalisation exposes MAIT processes to new cyber threats, ranging from product integrity to intellectual property theft and company brand risk. Hence there is a growing concern in industry, and in particular in the space sector, on how to understand and detect potential cyber threats and to safeguard the different processes from them.

This activity therefore intends to assess the applicability of current cybersecurity tools to the protection of the integrity and confidentiality of data from MAIT processes for the space industry. A clear identification of the data to protect and of the cyber risks is necessary in order to select and tailor current cybersecurity tools to a selected MAIT process. Finally, the validation and risk assessment of the use of the developed tools shall be performed. At the end of the activity, guidelines and best practices in cybersecurity to protect and safely exchange data from MAIT processes are expected, as well as increased awareness of cyber risks in the space industry. The main tasks of this activity include:

- Selection of a case study targeting a digital-based MAIT process;
- Analysis of the potential cyber threats and risks associated with the selected process;
- Trade-off of current cybersecurity tools and selection of the most promising (at least 2), considering the threats and risks identified above;
- Configuration or tailoring of the selected tools to be fit-for-purpose for the data from the MAIT process;
- Integration of the tools in a representative demonstrator;
- Testing, performance assessment and validation of the selected tools;
- Preparation of guidelines for the space industry on the cybersecurity of data for the selected process, based on the output of the previous tasks;

Page 10/24

- Assessment of the applicability of the developed guidelines to other MAIT processes in the space sector.

Deliverables: Report, Software

Current TRL: 3   Target TRL: 5   Duration (months): 18

Target Application/Timeframe: All missions in the AIT and AIV process.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.

Page 11/24

CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Domain: Cybersecurity, CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Ref. Number: GT1Y-302ES Budget (k€): 500

Title: Trust and isolation for applications in satellites

Objectives: The objective of the activity is to prototype and validate spacecraft platform SW security and remote attestation solutions.

Description: Satellites are carrying more and more third-party modules and applications. More than a hundred spacecraft, not only experimental but also commercial (e.g. Planet Labs Dove, SpaceX Falcon/Dragon), have flown Linux, and such Linux-based platforms enable software to be updated in orbit. Solutions are needed for enforcing strong integrity and separation between components and for remotely verifying the security health and integrity of the platform. Trusted computing solutions, such as trusted execution environments and remote attestation, can enable the ground segment to verify the satellites' software configuration and security state. The intended work includes the following tasks:

- Consolidation of use cases and derivation of the potential requirements and design drivers;
- Investigation and design of the candidate architectures and technologies, including hardware algorithms, processing capabilities, etc.;
- Development and integration of the most relevant candidate into a breadboard, with the software features enabling the different selected use cases;
- Software validation.

Deliverables: Breadboard, Report, Software

Current TRL: 3   Target TRL: 5   Duration (months): 18

Target Application/Timeframe: All missions, for enforcing strong integrity and separation between components and for remotely verifying the security health and integrity of the platform.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.
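The remote attestation flow this activity describes (measured boot on the platform, a quote bound to a verifier nonce, comparison against a golden configuration on ground) is sketched below as an added example; it is not ESA code or a product of the activity. The image contents and the attestation key are constructed samples, and an HMAC under a device key provisioned at AIT stands in for the asymmetric signature a real TPM or TEE quote would carry.

```python
"""Remote attestation round trip between a ground verifier and a satellite
platform: measured boot into a PCR-style register, nonce-bound quote, and a
verifier that checks freshness, key and golden state.  Added illustration, not
ESA code; image contents and the attestation key are constructed samples.
HMAC with a provisioned device key stands in for the asymmetric signature a
real TPM/TEE quote would carry."""
import hashlib
import hmac
import secrets

# Constructed sample: the software components the platform boots, in order.
GOLDEN_IMAGES = {
    "bootloader": b"bootloader v1.2 (constructed sample)",
    "kernel":     b"payload linux kernel 5.x (constructed sample)",
    "app-ctrl":   b"attitude control app v3 (constructed sample)",
}
# Assumption: provisioned into the platform at AIT and known to the verifier.
ATTESTATION_KEY = b"device-attestation-key (constructed sample)"


def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || measurement).  The final value commits
    to every component and to the order in which they were loaded."""
    return hashlib.sha256(register + measurement).digest()


def expected_register(images: dict) -> bytes:
    """Golden value the verifier precomputes from the approved images."""
    reg = bytes(32)
    for blob in images.values():
        reg = extend(reg, measure(blob))
    return reg


class Platform:
    """Satellite side: measures what it boots and answers quote requests."""

    def __init__(self, images: dict, key: bytes):
        self.key = key
        self.register = bytes(32)
        self.log = []
        for name, blob in images.items():          # measured boot
            m = measure(blob)
            self.log.append((name, m.hex()))
            self.register = extend(self.register, m)

    def quote(self, nonce: bytes) -> dict:
        """Quote = register value, bound to the verifier's nonce and keyed with
        the attestation key, so a recorded quote cannot be replayed later."""
        mac = hmac.new(self.key, nonce + self.register, hashlib.sha256).digest()
        return {"nonce": nonce, "register": self.register,
                "mac": mac, "log": list(self.log)}


class Verifier:
    """Ground side: issues fresh nonces and checks quotes against golden state."""

    def __init__(self, golden: dict, key: bytes):
        self.expected = expected_register(golden)
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> str:
        if q["nonce"] not in self.outstanding:
            return "REJECT: stale or unknown nonce"
        self.outstanding.discard(q["nonce"])       # a nonce is good for one quote
        mac = hmac.new(self.key, q["nonce"] + q["register"], hashlib.sha256).digest()
        if not hmac.compare_digest(mac, q["mac"]):
            return "REJECT: quote not produced with the attestation key"
        if q["register"] != self.expected:
            # The event log in the quote tells the operator which component changed.
            return "REJECT: software state differs from golden configuration"
        return "OK"


def attest(platform: Platform, verifier: Verifier) -> str:
    """One full exchange: challenge -> quote -> verdict."""
    return verifier.verify(platform.quote(verifier.challenge()))


if __name__ == "__main__":
    verifier = Verifier(GOLDEN_IMAGES, ATTESTATION_KEY)
    print("golden platform:  ", attest(Platform(GOLDEN_IMAGES, ATTESTATION_KEY), verifier))
    modified = dict(GOLDEN_IMAGES)
    modified["app-ctrl"] = b"attitude control app v3 + unknown patch"
    print("modified platform:", attest(Platform(modified, ATTESTATION_KEY), verifier))
```

The order of the three checks matters: freshness first (so a replayed quote is rejected before any cryptography is done), then the key binding, then the state comparison. Separating the register value from the event log is what lets the ground segment both decide quickly (one 32-byte comparison) and, on a mismatch, see which component no longer matches the approved image.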

Page 12/24

Domain: Cybersecurity, CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Ref. Number: GT1Y-303ES Budget (k€): 600

Title: Cybersecurity by design for mixed criticality embedded systems

Objectives: The objective of the activity is to design and develop a real-time operating system for spacecraft microprocessor platforms with demanding security and safety requirements, capable of safely and securely executing applications with different assurance levels (mixed criticality) concurrently.

Description: Given the unstoppable trend towards more software-driven (software-defined) system components, and the growing awareness of system safety and security, dependence on the on-board SW platform for mission safety and security will become critical. A new development to enhance the security of low-cost software platform solutions is considered essential. Requirements like dependability, scalability, obsolescence and re-usability shall be taken into account as well. The intended work includes the following:

- This new development will build on microprocessor platforms (System-on-Chip, SoC) as developed by the EU DAHLIA (Deep sub-micron microprocessor for space rad-hard application ASIC) programme, to be integrated in the NG-ULTRA SoC FPGA (Field Programmable Gate Array).
- Separation of applications will be ensured by means of time and space partitioning. A partition is a logical container created and maintained by the operating system. Resources will be allocated according to the partition configuration (e.g. memory, CPU time, I/O access rights).
- Key drivers are re-usability and the ability to support the Space Avionics Open Interface Architecture (SAVOIR).
- Validation of this new operating system with respect to security.

Deliverables: Report, Software

Current TRL: 4   Target TRL: 6   Duration (months): 18

Target Application/Timeframe: Improved security monitoring capability for all ESA missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.
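What "time and space partitioning" enforces in practice is easier to see on a small executable model than in prose. The following is an added example and not the operating system this activity develops: a static cyclic schedule hands each partition a fixed CPU budget per major frame, and every memory or I/O access is checked against the partition's configured window and device rights, so a misbehaving low-assurance partition can neither overrun its window nor reach into a high-assurance one. Partition names, address ranges, budgets and workloads are made up.

```python
"""Toy model of time and space partitioning: a static cyclic schedule gives
every partition a fixed CPU budget per major frame, and each partition may only
touch its own memory window and the I/O devices in its configuration.  Added
illustration, not the RTOS the activity develops; partition names, address
ranges, budgets and workloads are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PartitionConfig:
    name: str
    mem_base: int            # start of the partition's memory window
    mem_size: int            # window size in bytes
    budget_ticks: int        # CPU ticks granted per major frame
    io_devices: frozenset    # devices this partition may drive


class AccessViolation(Exception):
    pass


class Partition:
    def __init__(self, cfg: PartitionConfig, workload):
        self.cfg = cfg
        self.workload = workload   # iterator of ("mem", addr) / ("io", dev) / ("cpu",) steps
        self.faults = []
        self.stopped = False


class Kernel:
    """Holds the configuration and enforces it; partitions never see each other."""

    def __init__(self, partitions):
        self.partitions = partitions
        self.trace = []            # (partition name, step) for every step allowed to run

    def _check(self, cfg: PartitionConfig, step):
        kind = step[0]
        if kind == "mem":
            addr = step[1]
            if not cfg.mem_base <= addr < cfg.mem_base + cfg.mem_size:
                raise AccessViolation(f"{cfg.name}: address {addr:#x} outside its window")
        elif kind == "io":
            if step[1] not in cfg.io_devices:
                raise AccessViolation(f"{cfg.name}: no right to use device {step[1]!r}")

    def run_major_frame(self):
        """One pass over the schedule.  A partition's window ends when its budget
        is spent, whether or not it wanted to keep running (time partitioning);
        a violating access stops only the offending partition (space partitioning)."""
        for part in self.partitions:
            cfg = part.cfg
            for _tick in range(cfg.budget_ticks):
                if part.stopped:
                    break
                try:
                    step = next(part.workload)
                except StopIteration:
                    break
                try:
                    self._check(cfg, step)
                except AccessViolation as exc:
                    part.faults.append(str(exc))
                    part.stopped = True          # health-monitor action: halt this partition
                    break
                self.trace.append((cfg.name, step))
        return self.trace


def greedy_workload(cfg: PartitionConfig):
    """Well-behaved but wants far more CPU than its budget."""
    for i in range(1000):
        yield ("mem", cfg.mem_base + (i % cfg.mem_size))
        yield ("cpu",)


def hostile_workload(cfg: PartitionConfig, victim: PartitionConfig):
    """Touches its own memory, then reaches into another partition's window."""
    yield ("mem", cfg.mem_base)
    yield ("mem", victim.mem_base)          # must be refused
    yield ("io", "thruster-bus")            # not reached here; would also be refused


def demo() -> dict:
    aocs = PartitionConfig("aocs", 0x1000_0000, 0x1000, budget_ticks=4,
                           io_devices=frozenset({"thruster-bus", "imu"}))
    payload = PartitionConfig("payload-app", 0x2000_0000, 0x1000, budget_ticks=3,
                              io_devices=frozenset({"camera"}))
    parts = [Partition(aocs, greedy_workload(aocs)),
             Partition(payload, hostile_workload(payload, aocs))]
    kernel = Kernel(parts)
    kernel.run_major_frame()
    return {
        "steps_run": {p.cfg.name: sum(1 for n, _ in kernel.trace if n == p.cfg.name) for p in parts},
        "faults": {p.cfg.name: list(p.faults) for p in parts},
    }


if __name__ == "__main__":
    print(demo())
```

Two things carry over to the real system: the schedule and the access rights come from static configuration rather than from the partitions themselves, and the reaction to a violation is confined to the offender, so the high-assurance AOCS partition keeps its full budget in every frame regardless of what the payload application does.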

Page 13/24

Domain: Cybersecurity, CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Ref. Number: GT1Y-304ES Budget (k€): 500

Title: Trusted system configuration

Objectives: The objective of the activity is to design and develop a trusted software management tool that provides one or several cryptographically secure mechanisms for software integrity assurance.

Description: Knowing which software runs on a platform is fundamental for software integrity assurance and, therefore, for security. In a typical software management tool, a formal language is used to describe the architecture and intended configuration of the system at software, user and interface levels. This description is fed to the tool for automated deployment in production. Building on existing concepts, it is proposed to study, design and prototype a software management tool that would provide cryptographic-level evidence that the deployed/running configuration is the one the user intended to have. The tool shall be designed specifically for remote management and include a secure roll-back mechanism. A possible application example would be the roll-out of Launch and Early Orbit Phase (LEOP) facilities. The intended work includes the following tasks:

- Consolidation of use cases (e.g. TTC, satcom, GNSS) and derivation of the potential requirements and design drivers;
- Preliminary design of the candidate SW architectural options;
- Development and integration of the most relevant candidate into a breadboard, with the software features enabling the different selected use cases;
- Validation with laboratory tests, in both nominal and faulty mode.

Deliverables: Report, Software.

Current TRL: 3   Target TRL: 6   Duration (months): 18

Target Application/Timeframe: All missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.
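The core of the tool described above is a signed description of the intended configuration, a check that what is deployed still matches it, and a roll-back that cannot be abused to downgrade. The block below is an added example of that pattern, not the tool itself or anything ESA has published: the manifest is a JSON document of file paths and SHA-256 digests with a version number, signed by an operator key the managed host knows; HMAC stands in for the digital signature a PKI-based deployment would use, and the file contents and paths are constructed samples.

```python
"""Intended-vs-deployed configuration check with signed manifests, drift
detection and roll-back protection.  Added illustration, not the trusted
software management tool itself.  Assumptions: a JSON manifest (version + file
digests) signed by an operator key known to the target; HMAC stands in for a
real signature/PKI; file paths and contents are constructed samples."""
import hashlib
import hmac
import json

# Assumption: provisioned to the target out of band (e.g. at facility set-up).
OPERATOR_KEY = b"operator signing key (constructed sample)"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so both sides sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(version: int, files: dict, key: bytes) -> dict:
    """Describe the intended configuration (version + per-file digest) and sign it."""
    body = {"version": version, "files": {p: digest(c) for p, c in files.items()}}
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(m: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(m["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(m["sig"], expected)


class Target:
    """Remotely managed host (e.g. one machine of a LEOP facility)."""

    def __init__(self, key: bytes):
        self.key = key
        self.fs = {}             # path -> content, standing in for the real filesystem
        self.current = None      # manifest in force
        self.history = []        # (manifest, filesystem snapshot) of earlier states

    def deploy(self, manifest: dict, payload: dict) -> str:
        if not verify_manifest(manifest, self.key):
            return "REJECT: bad signature"
        if self.current and manifest["body"]["version"] <= self.current["body"]["version"]:
            return "REJECT: version not newer than current (anti-rollback)"
        if {p: digest(c) for p, c in payload.items()} != manifest["body"]["files"]:
            return "REJECT: payload does not match manifest"
        if self.current:
            self.history.append((self.current, dict(self.fs)))
        self.fs = dict(payload)
        self.current = manifest
        return "OK"

    def drift(self) -> list:
        """Evidence check: re-hash what is deployed and compare with the intent.
        Returns the paths that are missing, unexpected or modified."""
        if self.current is None:
            return sorted(self.fs)
        want = self.current["body"]["files"]
        have = {p: digest(c) for p, c in self.fs.items()}
        changed = {p for p in want if p in have and want[p] != have[p]}
        return sorted((set(want) ^ set(have)) | changed)

    def rollback(self) -> str:
        """Return to the last state this target itself applied; the stored
        manifest is re-verified so a tampered history cannot be replayed."""
        if not self.history:
            return "REJECT: nothing to roll back to"
        prev_manifest, prev_fs = self.history.pop()
        if not verify_manifest(prev_manifest, self.key):
            return "REJECT: stored manifest no longer verifies"
        self.fs, self.current = prev_fs, prev_manifest
        return "OK"


if __name__ == "__main__":
    t = Target(OPERATOR_KEY)
    v1 = {"/etc/tc.conf": b"uplink=primary (constructed)", "/opt/app.bin": b"\x7fELF v1 (constructed)"}
    print(t.deploy(make_manifest(1, v1, OPERATOR_KEY), v1), t.drift())
    t.fs["/opt/app.bin"] = b"something else"
    print("drift after tamper:", t.drift())
```

Deploying rejects three different failures for three different reasons, and the distinction matters operationally: a bad signature means the manifest did not come from the operator, a non-increasing version means an old (possibly vulnerable) configuration is being replayed, and a payload mismatch means the bits shipped are not the bits described. Roll-back is then not "accept any older manifest" but "return to a state this host applied earlier", which is what keeps the anti-rollback rule and the recovery path from contradicting each other. A production tool would additionally record the highest version ever seen in tamper-resistant storage so that a roll-back cannot be followed by a replay of the skipped version.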

Page 14/24

Domain: Cybersecurity, CD3 - Avionic Architecture / DHS / Onboard SW / (FDIR) / GNC + AOCS / TT&C (E2E)

Ref. Number: GT1Y-305ES Budget (k€): 1,500

Title: Innovative key management for spacecraft security functions

Objectives: The objective of the activity is to design, develop, test and evaluate a novel key management function in support of relevant spacecraft security functions for Telecommand, Telemetry and Payload data and signals.

Description: Traditional key management for spacecraft security functions such as telecommand authentication or payload data encryption has relied on the symmetric key infrastructure (SKI) concept. SKI is relatively simple and robust, and therefore adequate for most missions (e.g. a simple mission operations network topology with one spacecraft and one space-to-ground link). However, secret keys have to be loaded into the spacecraft security functions at some point during assembly, integration and testing, or later at the launch site facilities. By implication, these are very sensitive and critical operations: the security of the mission is at stake if they are compromised. Furthermore, the spacecraft itself becomes a sensitive asset, needing access protection from then on.

Studies conducted by space agencies have shown the interest of asymmetric key establishment techniques (optionally supported by a public key infrastructure, PKI) as a solution to mitigate the burden, sensitivity and operational cost of loading cryptographic key material into the spacecraft under SKI, but also in view of future space mission security architectures with constellations and/or inter-satellite links. It is well known that the SKI concept does not scale well to larger networks, so future space networks with protected inter-satellite links could benefit from the PKI concept. Furthermore, asymmetric key establishment can provide Perfect Forward Secrecy (PFS): in case of key compromise, past communication sessions, protected with different keys, are not compromised. However, asymmetric key establishment requires space-qualified True Random Number Generators (TRNGs) on board, to generate the fresh values used by the authentication and key establishment protocols. This used to be an additional barrier to their consideration and early adoption, which has nowadays been overcome.

Also to be considered is the fact that most currently standardised asymmetric cryptographic algorithms are considered weak against the emerging threat of quantum-computer-based cryptanalysis. Standardisation towards post-quantum cryptography is ongoing, with non-EU-based companies involved. In connection with this issue, it is worth mentioning that ESA identified early on the need for a capability to securely re-programme spacecraft cryptographic algorithms, which may become obsolete with time given the continuous evolution of threats and attack techniques (e.g. quantum computers) and may thus undermine the security of space missions. The development and proof-of-concept of this capability is currently being pursued under the ESA TDE. This GSTP key management activity may therefore adopt the hardware re-programming capability for cryptography as an additional function to be implemented. The intended work includes the following tasks:

Page 15/24

- Analysis and specification of a suitable asymmetric key management concept with the associated key establishment protocol, the concept of operations during the cryptographic key life cycle, as well as a security analysis;
- Consideration of both lightweight implementation solutions targeting nanosats, possibly favouring software implementation, and more classical hardware solutions targeting larger satellites;
- Design of the SW and HW spacecraft security function architecture incorporating the required telecommand, telemetry and payload security functions, following adopted standards for secure data transmission with their associated key management;
- Implementation of the SW and HW security functions into a prototype;
- Verification and validation of the prototype spacecraft security function(s) (Engineering Models) for both SW and HW.

Deliverables: Report, Software, Hardware, Engineering Model

Current TRL: 4   Target TRL: 6   Duration (months): 24

Target Application/Timeframe: Improved security for all future missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.
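The forward-secrecy argument made in the description above (and the reason the text insists on an on-board TRNG) is concrete in the exchange below, an added example that is not a standardised space protocol or ESA code. Each session derives its key from fresh exponents that are discarded afterwards; the long-term key only authenticates the public values, so a later compromise of it lets an attacker impersonate a party in future sessions but gives nothing towards recovering past session keys. Assumptions: both sides share a long-term authentication key (HMAC stands in for the digital signature a PKI-based design would use), and the group is the 2048-bit MODP group 14 as transcribed here from RFC 3526, to be checked against the RFC before any real use.

```python
"""Authenticated ephemeral Diffie-Hellman between a control centre and a
spacecraft, illustrating Perfect Forward Secrecy: the session key depends only
on per-session exponents that are erased afterwards.  Added illustration, not a
standardised space protocol.  Assumptions: shared long-term authentication key
(HMAC in place of a PKI signature); 2048-bit MODP group 14 transcribed from
RFC 3526 (verify against the RFC before real use)."""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
assert P.bit_length() == 2048

# Assumption: injected once at AIT (a certificate would replace it under PKI).
LONG_TERM_AUTH_KEY = b"long-term authentication key (constructed sample)"


def to_bytes(n: int) -> bytes:
    return n.to_bytes(256, "big")


def ephemeral_keypair():
    """Fresh per-session exponent: this is where the on-board TRNG is needed."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def auth_tag(transcript: bytes, role: bytes, key: bytes) -> bytes:
    """Authenticate the public values with the long-term key (role prevents reflection)."""
    return hmac.new(key, transcript + role, hashlib.sha256).digest()


def kdf(shared: bytes, transcript: bytes) -> bytes:
    """HKDF-style extract-then-expand, one 32-byte key bound to the transcript."""
    prk = hmac.new(b"tc-tm-session-v1", shared, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def run_exchange(tamper=None):
    """Three messages: g^a -> ; <- g^b, tag_b ; tag_a -> .  Returns the two
    derived session keys, or None if a side aborts.  `tamper` optionally rewrites
    the spacecraft's public value in flight, as an active attacker who records
    traffic but lacks the long-term key would."""
    a, ga = ephemeral_keypair()                        # control centre
    b, gb = ephemeral_keypair()                        # spacecraft
    gb_received = tamper(gb) if tamper else gb

    transcript_space = to_bytes(ga) + to_bytes(gb)             # what the spacecraft saw/sent
    transcript_ground = to_bytes(ga) + to_bytes(gb_received)   # what the ground saw/sent

    tag_b = auth_tag(transcript_space, b"spacecraft", LONG_TERM_AUTH_KEY)
    if not hmac.compare_digest(tag_b, auth_tag(transcript_ground, b"spacecraft", LONG_TERM_AUTH_KEY)):
        return None                      # ground aborts: g^b altered, or peer lacks the key

    tag_a = auth_tag(transcript_ground, b"ground", LONG_TERM_AUTH_KEY)
    if not hmac.compare_digest(tag_a, auth_tag(transcript_space, b"ground", LONG_TERM_AUTH_KEY)):
        return None                      # spacecraft aborts

    k_ground = kdf(to_bytes(pow(gb_received, a, P)), transcript_ground)
    k_space = kdf(to_bytes(pow(ga, b, P)), transcript_space)
    del a, b     # only the exponents could reproduce this key later; they are discarded
    return k_ground, k_space


if __name__ == "__main__":
    k1 = run_exchange()
    k2 = run_exchange()
    print("session 1 agreed:", k1[0] == k1[1], "| sessions independent:", k1[0] != k2[0])
    print("MITM without the long-term key:", run_exchange(tamper=lambda _: pow(G, 0xC0FFEE, P)))
```

Contrast this with the SKI case the text describes: there a single pre-loaded key both authenticates and protects every session, so compromising it during AIT or at the launch site exposes all traffic, past and future. Here the long-term key never enters the key derivation; what would have to leak to recover a past session key is an exponent that existed only in volatile memory for the duration of one exchange. The price is the TRNG and the modular exponentiation on board, which is exactly the trade-off between the lightweight nanosat and the larger-platform variants called for in the task list.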

Page 16/24

CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing

Domain: Cybersecurity, CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing

Ref. Number: GT1Y-306ES Budget (k€): 450

Title: Low-cost resilient software defined radio platform for satellite applications

Objectives: The objective of the activity is to develop a breadboard of a secure low-cost software defined radio (SDR) platform robust against cyber-attacks, enabling resilient applications (satcom, GNSS, etc.).

Description: The evolution of SDR platforms is enabling the use of general-purpose hardware for various applications, allowing hardware reuse and cost reduction, and enabling “niche” applications at rather low cost. SDRs have rapidly moved from research to widespread applications, including space missions. However, SDRs do not yet address cybersecurity well. The proposed concept aims to enhance the cybersecurity of SDR platforms with the components and barriers required to enable their use in applications where the device can be subject to tampering. The proposed technology extends the SDR concept itself to cybersecurity: just as the user does not need to design hardware but only software, the user gains access to a secure platform without having to design it.

The integration of a secure element (e.g. crypto-processor or SIM card) will protect the cryptographic material from tampering and leakage. This will remove the need for expensive security modules in applications relying on symmetric key cryptography, and will protect the stored public key certificates from tampering. Moreover, easing access to validated crypto functions implemented in hardware will also reduce the risk of cyberattacks exploiting faulty implementations of cryptographic functions. Besides the secure processor, the whole platform integrating the SDR will be designed to prevent cyberattacks. This includes, but is not limited to, secure attestation of the components/sensors and controlled latency on the communication buses inside the platform. Specific care shall also be devoted to secure software update, in order to prevent unintended manipulation of the software by third parties while increasing flexibility through SDR function/performance upgrades. Additionally, a high-quality RF front end, for instance with low phase noise, might enable security-oriented signal processing techniques such as RF fingerprinting.

Such capabilities could reduce time-to-market and significantly ease the adoption of these satellite-specific features by a wider user community, enhancing cybersecurity. The technology first needs to reach a TRL high enough for adoption by industry; therefore the activity will aim at the development of a breadboard and then demonstrate its capabilities for several use cases to be consolidated in the frame of the activity (e.g. satcom, GNSS, etc.). The design will also be future-proof, covering VHF to C-band, which encompasses most of the satellite bands associated with handheld or mobile devices.


The intended work includes the following tasks:

Consolidation of use cases and derivation of the requirements and candidate architectures;

Development and integration of the hardware;

Development of the software features enabling the different selected use cases (software drivers and applications);

Validation process with field trials.

Deliverables: Breadboard

Current TRL: 3 Target TRL: 5 Duration (months): 24

Target Application/Timeframe: All missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.


Domain Cybersecurity CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing

Ref. Number: GT1Y-307ES Budget (k€): 1,000

Title: Space domain security testing

Objectives: The objective of the activity is the implementation and validation of radio-level security processes in both the flight and ground segments, and the characterization of space-to-ground communications operation and performance, as well as of the impact on the physical, link, network and application layers, under radio-level and data-level attacks.

Description: Cyber ranges are security facilities developed to support the training of security operations personnel, the exercising of security defences, and the testing of system and countermeasure updates. Their scope is typically the network and application layers, which can be virtualized, providing a cost-effective facility for these purposes. Missions implementing security countermeasures in their space communications will benefit from a facility capable of recreating attacks and exercising defences; it will allow them to support integration and testing as well as the training of mission operations security personnel. Extending a cyber range to include the radio level is a novel proposition and a challenge (radio equipment is not easy to virtualize, so real equipment is preferred), but a useful one, since it allows a full-system security model. Interactions between radio-level attacks and network/application operations and performance can be exercised (tested, characterized, learned...). Radio-level equipment security can be characterized and validated under a realistic system model. The proposed development includes:

Simulator development of relevant satellite and ground segment functions;

Develop testing procedures for physical and network layer cybersecurity;

Develop methodologies (e.g. attack techniques) and adversarial capabilities;

Integration in the cyber range;

Validation using identified attack scenarios;

Develop a procedure for space domain security to be used for personnel of specific space mission systems.

Deliverables: Prototype, Report, Software

Current TRL: 3 Target TRL: 6 Duration (months): 18

Target Application/Timeframe: All missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.


Domain Cybersecurity CD5 - End-to-End RF & Optical Systems and Products for Navigation, Communication and Remote Sensing

Ref. Number: GT1Y-308ES Budget (k€): 1,500

Title: On-board RF firewall: technological development for on-board Cyber-RF space security situation awareness capability

Objectives: The objective of the activity is to develop a breadboard of an on-board Cyber-RF Space Security Situation Awareness capability.

Description: Increased use of space has resulted in increased demand on the radio frequency (RF) spectrum, with increased potential for RF interference but also increasing cyber-security risks. Stakeholders such as agencies or satellite operators recognize the need for cyber monitoring of space assets. Means to detect and manage RF interference exist, but solutions are usually available only for earth-to-space / space-to-earth communications and do not cover the whole range of cyber-security risks to the RF signals used by a satellite. Moreover, the solutions are mostly ground-based, with limited ability to pinpoint the RF attack source and limited mitigation options. There are no known solutions for combined cyber and RF security situation awareness on board the satellite. To address the specific needs of space RF security, it is proposed to develop an innovative solution combining both cyber and RF security situational awareness in the form of an on-board RF firewall providing the following features:

Monitoring and mitigation of RF interference;

Detection of unwanted intrusive signals, which could reveal an attempt at a cyber-attack;

Location of the above RF sources (or at least provision of some elements allowing awareness of their location to be developed);

Reporting of the relevant RF interference and jamming data to support ground-based security situation awareness and further mitigations (signal snapshot, monitoring and location data, etc.).

Leveraging software-defined radio methods and technologies, the foreseen solutions should adapt to most satellite radio communication capabilities (TTC, satcom, positioning) and enable automated detection and mitigation techniques within the spacecraft's embedded radio systems. The intended work includes the following tasks:

Consolidation of use cases (e.g. TTC, satcom, GNSS, etc.) and derivation of the potential requirements and design drivers;

Design of the candidate architectures and technologies, including hardware (e.g. antennas, RF, digital processor), algorithms, processing capabilities, etc.;

Development and integration of the most relevant candidate into a breadboard, together with the software features enabling the different selected use cases;

Validation with laboratory tests, in both nominal and faulty modes.

Deliverables: Breadboard, Report

Current TRL: 3 Target TRL: 5 Duration (months): 24


Target Application/Timeframe: Improved security monitoring capability for all ESA missions.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.


CD9 - Digital Engineering for Space Missions

Domain Cybersecurity CD9 - Digital Engineering for Space Missions

Ref. Number: GT1Y-309GD Budget (k€): 500

Title: Artificial Intelligence security monitoring platform

Objectives: The objective of the activity is to develop and validate a suitable Artificial Intelligence-driven security monitoring platform for space systems in order to improve threat detection, incident response and system security monitoring capabilities for space missions.

Description: The trend of digitalization and the increasing complexity and connectivity of space systems result in an ever-increasing rate and volume of security-relevant logs, alarms and events. At the same time, the extent, frequency and sophistication of multifaceted attacks are increasing. Whilst many application, system and network security monitoring tools exist today, few are capable of effectively amalgamating and dealing with big-data-scale rates and volumes. In such a situation, human analysts and security operations centers (SOCs) can quickly become overwhelmed. AI and subdomains such as Machine/Deep Learning (ML, DL), Neural Networks (NN) and Cognitive/Autonomic Computing (CC, AC), together with data mining and streaming analytics techniques, provide a potentially promising solution to the problem. Algorithms can process and classify events faster than humans, detecting outliers which may be missed by traditional signature-based systems. Trained models can detect security-relevant novelties and patterns (e.g. changes in network traffic profiles, user or application behavior, threat intelligence data) and react autonomously in defense (e.g. deploy firewall rules, disable access, apply patches). Several security monitoring tool vendors are now adopting AI capabilities in their products; however, challenges remain, e.g. ensuring explainable AI, limiting false positives, and making algorithms robust against adversarial examples. For the often safety-critical and high-reliability domain of space, suitability must also be assessed for the bespoke space-specific systems, protocols and data. The objective of this study is to analyse existing solutions, select and/or develop a suitable solution for the space domain, and integrate and validate the proof of concept (PoC) with real system data. The activity will encompass the following tasks:

Review state of the art AI/ML techniques / technologies / algorithms applied to security monitoring, assessing suitability for space systems;

Identify relevant data sources (e.g. Corporate/Mission Operations IT, ground station networks, mission data systems);

Implement an AI-driven security monitoring platform prototype;

Integrate and deploy the platform together with the system data sources, simulating real data flow;

Validate the proof of concept to demonstrate the potential for selected use cases or attack scenarios;

Further development needs, lessons learned and future roll-out strategy.

Deliverables: Report, Software

Current TRL: 3 Target TRL: 5 Duration (months): 18


Target Application/Timeframe: All ESA missions.

Applicable THAG Roadmap: Relevant to the Roadmap Functional Verification and Mission Operations Systems


Domain Cybersecurity CD9 - Digital Engineering for Space Missions

Ref. Number: GT1Y-310GD Budget (k€): 500

Title: Advanced automated cyber security testing

Objectives: The objective of the activity is to develop an automated security and penetration testing framework with associated fully representative and modular test environment in order to enhance the secure system development lifecycle with effective security testing capabilities.

Description: In today’s increasingly connected and contested cyber space, effective and thorough security testing of software and systems is mandatory to achieve any level of security assurance and trustworthiness of systems for their stakeholders. In fact, many organizations and owners of modern complex systems today adopt a paradigm of ensuring system resilience rather than prevention and protection, assuming that attacks and some level of compromise are inevitable and focusing on how to minimize the associated disruption. Security testing at the level of disruptive penetration testing and code scanning is required by the ESA Secure Software Engineering Standard. Penetration testing in particular, however, is a highly specialized, effort-intensive and expensive exercise. To allow for cost-efficient yet reliable and realistic testing, ESA has recently developed a prototype demonstration and successful proof of concept of an automated penetration testing framework, ‘PenBox’. This activity shall build upon the PenBox prototype, with the objective of providing a stable automated security testing and user awareness-building capability for new ground segment software and system developments. In particular, this activity encompasses the following tasks:

Improve the stability, performance and reporting capabilities of the PenBox prototype;

Enhance with additional penetration testing tools and attack capabilities, specifically targeting space-specific systems and protocols;

Develop robust and re-usable tool execution, results parsing and logic sequences for automated security requirements verification;

Build upon existing executable attack scenarios, tailored for real space mission system configurations, from both a blackbox and whitebox perspective;

Develop the user interface and user capability to edit and tailor attack scenarios and requirements verification;

Integrate with other secure systems engineering tools and developments (e.g. risk assessment and requirements management tools) to support the secure development lifecycle through continuous security testing;

Future steps, including ways to exploit artificial intelligence and machine learning capabilities to drive automated security tests.

Disruptive security testing cannot be executed on operational systems, so a fully representative test environment is required. Therefore, in addition, this activity shall:

Analyse the suitability of existing ground segment and system laboratories (for example the ESA Cyber Range in ESEC, the Ground Segment Reference Facility in ESOC, the virtualized PenBox testing environment);


Inter-connect the different labs and configuration and deployment systems as required to realize a fully representative test environment for an end-to-end space mission system;

Develop a maintenance and system deployment concept, building upon existing capabilities and technologies such as VMware, Jenkins, Docker, Chef, etc., in order to enable a flexible security testing service for new system developments.

Finally, scenario and requirement verification tests shall be conducted using the enhanced PenBox application and representative environment. A critical report shall be produced analyzing the tool’s effectiveness, usability, coverage and cost-benefit versus traditional manual or out-sourced penetration testing approaches.

Deliverables: Reports, Software

Current TRL: 4 Target TRL: 6 Duration (months): 18

Target Application/Timeframe: All types of missions requiring security.

Applicable THAG Roadmap: Not relevant to a Harmonisation topic.