st05213-ad01.en10 gmes data security
8/7/2019 st05213-ad01.en10 GMES data security
1/52
PUBLIC
5213/10 ADD 1 1
EU SITCEN LIMITE EN
COUNCIL OF
THE EUROPEAN UNION
Brussels, 12 January 2010
5213/10
ADD 1
LIMITE
CSCGMES 1
CAB 2
CSC 3
COMPET 9
RECH 6
COSDP 21
ADDENDUM TO THE NOTE
From : The Council Security Committee experts' sub-area for GMES data security
To : The Council Security Committee
Subject : Recommendations on GMES data security policy
- Analysis paper
I. Introduction
A. General framework
Data collected and processed within GMES, whether collected in support of the
European Union's policies for environment and for security, may be potentially harmful
to the security of the European Union and/or its Member States, to their citizens, to
foreign policy concerns and, if relevant, to the conduct of European Union operations in
the following cases:
- they present an interest for defence and national security in a broad sense; that is the case of security services but also some open services;
- they contain data coming from sources falling within the scope of control of national space laws;
- they contain environmental and geographic data with dissemination restrictions already covered by European directives;
- they contain data coming from Third Countries of which the reliability may not be guaranteed and of which the use may present potential risks;
- non-sensitive data that when merged or processed through specific algorithms fall into the above mentioned criteria.
The potentially harmful status of a transaction is limited in time because it
immediately induces the risk evaluation process described in Heading IV. A. 1. If this
process proves the actual harmfulness of the transaction it will be dealt with using the
most appropriate security response tool. One of the possible response tools may be the
classification of the data.
Before GMES enters its operational phase, the European Commission, which is
responsible for the overall implementation of the GMES initiative, has requested the
advice of the Council of the European Union on how to address the security dimension
of GMES data policy. The Council Security Committee has decided to create a
dedicated sub area 1 mandated to issue a recommendation paper by December 2009.
In this context, the principle of "full and open access to information produced by GMES
services and data collected through GMES infrastructure, subject to relevant security
restrictions" 2 is recalled. This should help promote the widest possible use and sharing
of earth observation data and information in line with the proposed Shared
Environmental Information System (SEIS) and in accordance with existing legislation
such as the INSPIRE Directive and national legislations, taking into account the Global
Earth Observation System of Systems (GEOSS) principles.
1 See doc. 13571/01/08 REV 1.
2 See Art. 8,1, b) of the proposal for a Regulation of the European Parliament and of the
Council on the European Earth Observation programme (GMES) and its initial operations (2011-2013); doc. 10285/09.
B. Scope of the document
The aim of the document is to give recommendations to the European Commission on
the security dimension of GMES data policy and on possible dedicated security
structures for the operational phase of GMES with adequate links to its overall
governance.
The document shall cover the following items :
a) data security measures to avoid any violation of existing or future rules of security, as well as illegal or inappropriate dissemination of data collected and processed;
b) physical protection of infrastructures (hardware and software) against intentional and accidental threats;
c) protection of GMES users and personnel involved in GMES; and
d) risk assessment capabilities related to the elements listed above.
Due consideration will be taken of existing solutions developed at national or
international level for comparable systems, with a view to harmonise the security of the
system as a whole and of data collected, processed and stored. This is to ensure that the
best international standards on security (for instance ISO 27001), regarding potentially
harmful data (including classified data, if needed) are met.
C. Perimeter of the recommendations
For this purpose all efforts are to be made to define the perimeter and boundaries of the
"system of systems" to which the recommendations will apply. The same perimeter
shall cover the rules and procedures on security of systems and of data to be
implemented, considering, first of all, an evaluation of risks to the security both of
systems and of the data collected and processed.
The perimeter mainly covers European Union's infrastructures.
Member States contributions to GMES are also included in the perimeter, both as
owners of national systems, by which they cooperate within the GMES initiative,
providing and exchanging data and as end users of the systems. It is recognised however
that each national system participating in GMES follows its national procedures and
national laws and regulations on data policy.
The recommendations also address data exchanged with entities outside the perimeter of
GMES including third States and international organisations.
Considering the complexity of GMES the perimeter will be articulated in different
concentric circles with corresponding security requirements.
Within the perimeter of GMES a distinction should be made between :
a) Systems that are operated by the European Union and its agencies or by companies contracted by the European Union;
b) Systems that are operated by international organisations for the European Union, its Member States and GMES associated States (Norway, Switzerland etc);
c) Systems operated for GMES within and under the responsibility of a Member State of the European Union;
d) Systems operated by third States through partnerships and specific collaborations.
It is also necessary to distinguish between infrastructures, services, systems and data
managed and financed by the Commission in the framework of the GMES programme
(corresponding to points a, b and parts of the activities in point d above), on the one
hand, and other infrastructures, services and systems and data (the "GMES initiative"
coordinated by the Commission, of which the Community GMES programme is a part),
on the other hand.
D. Glossary and acronyms
A glossary of acronyms and definitions of the terms used in the document is to be found
in Annex 2. The definitions stated are working definitions for the purpose of the
recommendation paper (doc 5213/10) and this analysis paper.
II. General principles on GMES Security
The principle of "full and open access to information produced by GMES services and data
collected through GMES infrastructure, subject to relevant security restrictions" 3 is the
guiding principle to develop GMES data security. It means that security restrictions arising
from national security and foreign policy concerns can be requested if deemed appropriate.
In this respect, the GMES data control mechanism should fully take into account any
protection measure taken at national level.
The aim of GMES security is to design and deploy appropriate mechanisms to ensure that the
security risks related to GMES data are mastered, while remaining as transparent and flexible
for the end users as possible.
A prerequisite therefore is that any GMES data is subject to a regular risk assessment. Most
data shall not be subject to specific security measures as long as no particular risk has been
identified and detected.
Upon identification of new threats or vulnerabilities the data security policy of GMES and
corresponding structures should permit a rapid adaptation of the security configuration to
meet the security environment and to reduce risks.
Changing threats, vulnerabilities or changes in likelihood or consequences can increase or
decrease security risk previously assessed. A review of security risks, including low and
accepted risks, should be undertaken periodically.
The first step of risk management is to conduct a detailed risk assessment of GMES, its data
and its components.
3 Art. 8, 1, b) of the proposal for a Regulation of the European Parliament and of the Council
on the European Earth Observation programme (GMES) and its initial operations (2011-2013). See doc. 10285/09.
A. The Security of GMES
1. Components of GMES Security
a) The security of GMES information services (GMES Service Component);
b) The security of the GMES Space Component and the GMES In Situ Component;
c) The security of physical GMES infrastructure covering space and in situ systems of the European Union or made available by Member States and international organisations;
d) The security of GMES data, which includes collecting, processing, storing and transmitting GMES data generated within GMES or data fed into GMES;
e) The security of GMES users, which can be put at risk by GMES data and services;
f) The security of the European Union, its Member States and their citizens;
g) The security of GMES downstream services as they can pose threat to the national security of the Member States and as they are key contributors to GMES economy.
2. Responsibilities
A chain of responsibility regarding GMES data handling and data security should
be established for GMES, based on the results of a risk analysis of GMES, its data
and its components.
The European Commission is responsible for the overall implementation of the
GMES initiative.
However it is necessary to distinguish among the services that will use GMES
data between the services that are under programmatic control and the parts for
which the development is left to private initiative and that will contribute to the
development of the "GMES Economy".
In both cases, misuse of GMES data can pose security problems and appropriate
entities must be identified to manage the security of GMES data.
a) Components under programmatic control
Who holds the responsibility of a system under programmatic control varies
according to who operates the entity.
1) Some entities are operated under the responsibility of the European Commission by its agencies or by companies contracted by the European Union;
2) Some entities are operated under the responsibility of international organisations;
3) Some entities are operated under the responsibility of a Member State of the European Union;
4) Some entities are operated by third States through partnerships and specific collaborations.
A harmonisation of the security procedures and the establishment of clear
interfaces between the various entities responsible for the development and
operation of GMES based services should be considered. In any case national
security needs should be duly safeguarded.
b) Data outside programmatic control, yet within the European Union
Within the European Union the proper handling of GMES data is ensured
under the responsibility of the Member State in which the activity is taking
place.
Some Member States have developed specific legal tools to manage the use of
certain geospatial information on their territory (see Annex 4 : possible
implementation tools and examples).
In the GMES context and more broadly, an identification exercise of national
geospatial laws, regulations and procedures should be performed and, on that
basis, the possibility for an evolution of the INSPIRE directive and/or for
harmonising national laws, regulations and procedures should be considered
with respect to potential security risks relating to geospatial data.
c) Data outside programmatic control and outside the European Union
The data security dimension should be addressed specifically in the
collaboration with third States and/or international organisations involved in
or cooperating with GMES; the specific risks related to the distribution of data
should be considered.
B. Proposed methodology
1. General principle
The methodology proposed in this document is consistent with most methods
applied when handling security in systems, organisations or infrastructures
(irrespective of their possible classification). Subsequently to a political decision
stating the need for securing the system, it consists of :
- Risk analysis
- Security requirements
- Mitigation measures
- Security compliance checks
The management of GMES Security shall be based on a proven, transparent and
fully understandable risk assessment process.
The four stages of risk management (assessment, treatment, acceptance and
communication) shall be conducted as an iterative process that is permanently
readjusted, particularly as both the nature of the risks and the services delivered
by GMES will evolve in time.
A permanent operational security monitoring instrument should be
established across the various GMES systems and components to
dynamically monitor the risks related to GMES. It should connect to
dedicated monitoring centres performing similar functions within the
European Union, Member States and associated States.
(b) Potential targets and vulnerabilities
The identification of potential targets for attacks and vulnerabilities in the
GMES components and data generated should be performed as the GMES
initiative develops.
The security awareness of staff involved in all GMES elements should be
developed, as they are best placed to evaluate the vulnerability and potential
danger of the element they are working on.
Proper training should be offered to all staff involved in GMES concerning
the security dimension of geospatial data and other risks. An efficient
reporting chain should be established within the GMES Community.
This aspect should be documented in the security documents of GMES.
(c) Risk analysis chain
A risk analysis should be performed, which includes the following stages:
- identify the assets and sources to be protected;
- identify the types and levels of threats referred to a certain system or sub system;
- indicate specific vulnerabilities of the system;
- identify the security measures to be adopted.
3. GMES Security Management Document (SMD)
A standard documentation gathering the Security Management Document (GMES-SMD)
and composed of element-specific Security Management Documents (element-SMDs)
is to be issued for the GMES system and each of its elements.
These documents, drafted on the basis of a threat and vulnerabilities assessment,
should at least mention:
- the risks identified by the threats and vulnerabilities assessment,
- the proposed mitigation measures and related documents,
- the various structures performing security functions within the GMES perimeter,
- the connections to external structures performing related functions,
- relevant procedures.
III. Security and the overall GMES governance
A. Requested capabilities
The following capabilities should be considered, in terms of governance, to meet the
European Union and Member States data security needs:
- To address the security implications of strategic choices in the GMES program;
- To receive and share information on the threats level, and to determine accordingly the potential harmfulness of a transaction and, in limited cases and if deemed appropriate, the possible need for classification;
- To monitor, within the GMES perimeter, vulnerabilities, suspicious behaviours and attempts of breaches into the system which pose a risk;
- To monitor data at the most detailed level possible (transaction level) in order to identify potentially harmful data and take appropriate measure whilst limiting the impact on the normal functioning of the system;
- To detect, investigate and mitigate security incidents, both internally and externally; and
- To prevent in a timely manner the dissemination of data that has been designated as harmful by a Member State.
B. Structure and mission of the Security Board
A GMES Security Board should be established. It would be responsible for advising
the European Commission on the security issues related to GMES and its
development. The opinion of the Security Board should be duly taken into account.
1. Structure
The Security Board should be composed of security and geospatial experts from
Member States. Third States and international organisations involved in GMES
could also be represented under specific conditions to be defined.
2. Missions
(a) To establish the GMES-SMD;
(b) To make recommendations on the security implications and possible risks of international cooperation, including the possible need for data protection-related agreements;
C. Recommendation on the structure and mission of a GMES permanent operational security monitoring instrument
The creation of a permanent operational security monitoring instrument should be
envisaged in order to ensure the necessary reactivity requested for time sensitive
decisions and to offer security-related technical support to GMES.
1. Structure
The solution should offer an operational capability.
Implementation choices to be made later are however not prejudiced.
2. Missions
(a) To provide security-related technical expertise to the GMES Security Board and the various entities within GMES;
(b) to prepare and update the overall GMES SMD;
(c) to interface with the security chains of the GMES elements;
(d) to perform security assessments.
IV. Security of GMES data
A. Principles
GMES data will be processed through complex chains that will develop along with the
GMES initiative, inside but also outside the boundaries of GMES.
Many of the innovations to be expected from GMES will come out of a smart
processing of various heterogeneous data sets. The full and open access principle shall
trigger the creativity of the teams to invent and propose new services.
From a data security perspective it is necessary to be capable of tracing and controlling
the data flow within GMES, of mastering the dissemination of GMES data and of
ensuring post events investigations in case of security incidents.
1. Security handling of the data
Inside GMES, data is collected, processed and stored. Most of the data should be both
fully and openly accessible and disseminated, but part of it may be
considered potentially harmful and should therefore be subject to some kind of
security controls.
An automatic process should be developed to identify potentially harmful
transactions (red flag). The criteria used for this exercise should be clearly
established although they would most probably have to remain undisclosed to the
public.
If and when a transaction is considered potentially harmful it is subject to a risk
evaluation that will confirm its harmfulness or not. The appropriate data security
response tool will be applied to the transaction actually considered harmful to
ensure the appropriate data dissemination; these tools can include possible control,
denial, delay or degradation of the data, as well as the classification of the data.
It is to be noted that some data or products can be potentially harmful for a very
limited period of time only (a few hours only for instance in the meteorological
sector) and that a flexible solution should be found to respond to this issue whilst
preserving the fullest open access possible after that limited period of time.
If following the transaction risk evaluation some potentially harmful data may
have to be classified, the relevant laws, regulations and procedures concerning
classified data shall apply.
2. Data management capabilities
The capability to offer reactive mitigation measures should be developed in
accordance with the analysis performed in the SMD.
An appropriate mechanism should allow timely and tailored activation of the data
security mechanisms deployed at component level to mitigate any identified risk.
The following capabilities should be considered, to respond to the risks identified:
(a) to propose and update the data dissemination plan;
(b) to limit temporarily user access;
(c) to block, in certain circumstances, particular transaction(s).
3. Protection of the IT infrastructures
The IT infrastructures must be protected according to the data that will be
received, hosted, produced or distributed.
C. Data Exchanged outside GMES
The GMES system will exchange data and products with other systems. With reference
to this exchange the following security principles should be followed and, as a
consequence, an appropriate configuration of the GMES system and security procedures
should be implemented:
1. Data coming from systems or entities outside GMES
A risk analysis should be performed for each data set provided to GMES from
external sources and appropriate mechanisms, including a possible dynamic
response, should be implemented, preferably in cooperation with the data
provider.
The various security mechanisms proposed in this analysis paper should allow,
within the GMES perimeter, to have a certain degree of confidence in the data
exchanged and related risk.
To apply the same procedures to data coming from outside and entering GMES it
is therefore necessary to trace back the origin of the data entering GMES and to
ensure interoperability with corresponding mechanisms applied on the entering
data.
The risks analysis performed on external data should include in particular the
following items :
- Consequences of data denial,
- Reliability of the data acquired,
- Cyber-threats (viruses, Trojans, worms, etc.).
2. Interoperability in the handling of data
The ongoing standardisation process regarding geospatial information, including
meta data, and international discussions by the European Union and its Member
States on that matter should cover data security.
3. Importing data from accredited systems handling classified information
a. Unclassified data
The principles for importing unclassified data from systems handling
classified information should be the same as those for importing unclassified
data from any system or entity, cf. para IV.C.1 above.
b. Classified data
In this case the relevant security regulations or agreements for the exchange of
classified information should apply.
Technical solutions should be defined, developed and implemented to assure
interconnections with systems handling classified information, in order to
allow the exchange, if needed, of classified data, by foreseeing an
accreditation of such identified and limited part of the GMES system, for this
specific purpose. In any case, the transmission of classified data should be
performed only by secured channels and following the procedures set down in
relevant security regulations and on the basis of security agreements regarding
the exchange of classified information.
4. Protection of Member State(s), as owner of data flowing to GMES
Each national system participating in the GMES system follows its own national
laws, regulations and procedures regarding the access to its own system, the
tasking, programming, and uploading of the requests, the data downlink, data
processing and dissemination of data and products to the users.
Harmonisation of the various procedures related to the protection of Member
States data in GMES should be considered in order to favour interoperability and
increase overall GMES security whilst improving information exchange within
GMES.
5. Transmission of GMES data or products to, and interconnection with, systems handling classified information
Systems using GMES data or products follow their own national laws, regulations
and procedures.
If the GMES element transmitting the data or product is a system handling
classified information, the relevant security laws, regulations and procedures
should apply and in particular the interconnection should be jointly accredited.
D. Data Policy and Security
1. Introduction
The evolution of Information Technologies allows a very detailed and very
flexible implementation of data policies in the various systems including through
automatic features. It is therefore reasonable to foresee a combination of data
policy frameworks.
A general data policy of GMES is currently being defined by the European
Commission and will be referred to as the GMES Data Policy Framework.
2. General principles on the security dimension of GMES data Policy
The GMES Data Policy Framework should be subject to a specific SMD which
should be discussed at the GMES Security Board. An appropriate mechanism to
allow a dynamic management of risks should be implemented.
Within the GMES data Policy Framework, any change in data policy at
component or system level should be subject to a security screening by the entities
in charge of data security and should be properly documented.
3. Documentation
For each GMES element, the data policy should be documented and include a
specific chapter on data security, referring to the SMD, with the various
responsibilities and points of contact.
Data security is a very important dimension of data policy and should be reflected
in the various documents describing GMES Data Policy.
For each level of GMES a specific document describing the Data Security Policy
should be issued and regularly updated in order to specify:
(a) which data is to be protected and the relevant related procedure(s);
(b) the various responsibilities;
(c) the points of contact; and
(d) the interfaces.
V. Security of GMES infrastructure at Component and Sub-Component level
The security of GMES system shall be ensured for each Component. Furthermore, specific
rules could be defined for Sub-Components, within each Component.
The security of GMES Components and Sub-Components shall be defined and developed
with the assumption that some data could be potentially harmful and should therefore be
protected or subject to dissemination restrictions. If deemed relevant, some information could
also be classified and the infrastructure could therefore need to be appropriately accredited.
A. Principles
1. Responsibility
The chain of responsibility in GMES is explained in Heading II.A.2.
The handling of security at component and system level relies on the individuals that
are responsible for system operations. Single points of contact should be identified
for security purposes.
2. Security assessment
The understanding of the risk environment related to the operation of a specific
GMES element must be shared :
- between the individuals that operate it and thus develop a unique competence in understanding the security implications, risks and vulnerabilities related to their system; and
- between the security governing bodies which can offer a dedicated security expertise and an overall and dynamic risk assessment regarding GMES.
A permanent dialogue should be established between them in order to perform
efficient data security. It is therefore necessary to develop within GMES a culture
of security.
3. Procedures
All GMES elements should perform a security risk analysis and be covered by a
SMD describing the various risks, mitigation measures, security structures as
described in Heading II.B.3.
The data policy including data security for each element should be documented as
described in Heading IV.D.2.
4. Security Organisation
The security organisation of a GMES element is under the responsibility of the
operator as presented in Heading V.A.1.
The security organisation and related procedures should constitute a dedicated
chapter of the corresponding SMD and any organisational or procedural change
related to data security should be submitted to the appropriate decision level.
B. Specific Infrastructures
1. Security of GMES In Situ and Service (and other non Space) physical infrastructures
In Situ data is operated in GMES under the responsibility of the Member States
which have evaluated the security constraints on the basis of existing services
delivered.
The contribution of Member States to GMES will generate new services to the
benefit of the European citizen.
It is possible that the criticality of these infrastructures will evolve along with the
success of GMES.
The re-evaluation of the risk and updating of security procedures will require a
global view on the risks and the security environment of GMES.
A regular dialogue should be set up between the managers of infrastructures
contributing to GMES on security matters.
2. Security of GMES Space infrastructure
(a) Introduction
The Space Component is a very important element of the Earth Observation
infrastructure of GMES.
The Space Component of GMES is composed of three types of systems :
1. Systems that are developed by the European Commission and the European Space Agency specifically for GMES;
2. Contributing missions that are being developed within Member States including dual use systems;
3. Commercial missions, some of which are operated by countries outside the European Union.
(b) Specific risks related to the Space Mission
The Space Component consists of a space segment composed of one or
several spacecraft(s) and the associated ground facilities and one or several
payload(s) with their corresponding infrastructures.
The space mission is subject to a number of risks which are well mastered
and documented by the various space agencies and industries in Europe,
such as:
- Launching Risks;
- Design Risks;
- Risk related to the Space Environment (collisions, solar flares).
However depending on the sensitivity of the mission some additional
vulnerabilities may need to be considered :
- The ground facilities of the Space Segment can be targeted to disrupt or access the space system;
- Data links of both payload and spacecraft are vulnerable to jamming, interception, or hacking;
- Payloads can be temporarily or permanently disabled.
The SMD created for the space component should take the specificity of the
space missions into account and space experts should be included in the evaluation.
(c) Distribution of data from space
The distribution of the data in the case of a space mission can differ from in
situ data. The progress in space communication allows a diversity of
communication means:
- Data can be broadcast directly to the end users from a GMES payload;
- Data can be broadcast via data relay satellites.
The use of space technology to distribute GMES data should meet generic
security constraints including data access control.
(d) Case of GMES dedicated space missions
The European Commission and the European Space Agency have developed
several space missions dedicated to GMES: the Sentinels. Data security has
been addressed in accordance with the principles mentioned above.
Regarding the risk assessments that have been performed on the space missions,
it is necessary to apply the principles described for the management of the
transition period and especially to review the risk analysis performed for the
Space Mission with Security experts in light of the overall risk assessment
of GMES.
The space missions dedicated to GMES should be subject to a risk analysis
and the necessary updates should be foreseen to meet the resulting security
requirements on the systems.
(e) Case of commercial space contributing missions
For commercial space missions or missions that are not under the control of
the European Union or of its Member States, additional risks should be
considered:
- Denial of data, which can be requested by the operating State or through exclusive license right; and
- Acquisition of wrong data. Unless the data is certified, it is very difficult to detect.
A specific risk analysis should be performed for the use by GMES of data
from space missions that are not under direct control of GMES States and an
appropriate interface security management should be developed.
3. Security of Information Technology (IT) infrastructure
(a) Introduction
GMES is an information system of systems.
In order to promote cross-fertilization between the various GMES services,
and to develop a GMES economy, interconnection and shared information
systems will play a key role in the development of GMES.
It is therefore logical to consider the GMES IT infrastructure from a global
standpoint although it is composed of several networks and heterogeneous
systems.
(b) Data Security and IT Infrastructure
GMES IT infrastructure is composed of systems, sub systems and elements
which will collect, process, store and distribute data across the various
components of GMES.
The specific constraints on GMES data and suggested capabilities have been
addressed in chapter IV. Most of these will have a direct impact on the IT
infrastructure which will be locally managed.
It is necessary to protect the IT infrastructure and to apply the principles of
IT security.
(c) Cyber-threats and cyber-defence
With the development of large IT infrastructures that have an increasing
impact on the world economy, new risks are emerging.
Computer attacks differ from traditional criminal or terrorist action because
they can reach massive scales very rapidly and they are extremely difficult to
detect, trace, and investigate.
Most organisations dealing with large or sensitive IT infrastructure have
developed internally or have outsourced their protection through dedicated
security services such as Computer Emergency Response Teams (CERTs).
Experience shows that cyber attacks are often specific to the targeted
infrastructure and their mitigation requires both competence in IT security
and a good understanding of the domain and of the risks induced.
Given the importance of GMES and more generally of geospatial
information to Europe's economy, it seems appropriate to develop, along
with GMES, a dedicated capability to cover geospatial cyber security using
the expertise that contributes to the development of the GMES initiative.
Specific expertise in the IT risks related to the GMES geospatial
information infrastructure should be maintained and should be interfaced
with the various entities and components within GMES.
VI. Management of existing components and transition period.
GMES as a system of systems will rely on many existing infrastructures, including several
elements that have been developed by the European industry in the framework of the various
research projects sponsored by the European Commission in the context of Research and
Development Framework Programs and by the European Space Agency.
Data security issues have often been addressed and several solutions exist to reduce the risks
associated with the handling, processing and distribution of GMES data.
The data security recommendation should take this heritage into account and ensure that the
recommendations formulated will allow a smooth integration of the existing solutions while
globally mastering the risks related to GMES data security.
A. Review the process
An inventory of all data security analyses and studies that have been performed in
the framework of GMES, or by organisations that will be involved in GMES
operations, should be made and this material should be used in the context of the
GMES SMD.
B. Connect to the GMES Security Governance
All data security mechanisms (user access control, public key infrastructures etc)
that have been developed in the framework of GMES, or by organisations that will
be involved in GMES operations, should be identified and possible interfaces with
the GMES security structures as proposed in this document should be worked on.
C. Take if necessary complementary measures
The GMES Security Board should have the capability to make recommendations to
the Commission on possible improvements in the data security of existing GMES
components.
_____________________
ANNEX 1
Background on GMES
1. GMES (Global Monitoring for Environment and Security) is a European initiative for the implementation of information services dealing with environment and security. It is being
built up gradually.
2. GMES is a civil system under civil control and will comprise an observation infrastructure (the GMES Space Component and the GMES In-Situ Component) and Information services
(GMES Service Component). The GMES Space Component will rely on existing or planned
European space infrastructure (satellites of ESA, EUMETSAT and those made available by Member States) and space infrastructure co-financed by the European Union and ESA,
which is developed specifically for GMES (Sentinels). The GMES In-Situ Component will
rely on a large number of facilities, instruments and services owned and operated at national,
regional and intergovernmental levels inside and outside the European Union [4]. Regarding
the GMES Service Component, it is foreseen that co-funding of operational services should
be ensured by the GMES programme. The European Union will be responsible for
developing a data policy, to include data security, for data and information produced under
its control, i.e. in particular information produced by GMES services and data collected
through infrastructures the development of which is co-financed by the European Union.
3. The GMES initial period (2001-2003) was launched by Council Resolution 2001/C 350/02 of 13 November 2001 [5], which also called for an action plan aimed at achieving an
operational capability based on the development of an extended range of high added-value
integrated services. The GMES pilot phase started in 2004. Three fast-track services
(emergency response, land monitoring, and marine) were presented in September 2008
on the occasion of a "GMES Forum" held in Lille. A communication to the Council and the
European Parliament, "Global Monitoring for Environment and Security (GMES) : we care
for a safer planet" [6], was adopted by the Commission on 12 November and the Council
adopted conclusions on the matter at its meeting on 2 December 2008 [7].
[4] See communication by the Commission, doc. 14906/08 + ADD 1 + ADD 2.
[5] O.J. C350 of 11.12.2001, p. 4.
[6] Doc. 14906/08 + ADD 1 + ADD 2.
[7] Doc. 16722/08.
4. The GMES operational phase, foreseen to start by 2011, will represent a challenge with regard to the programme's financial viability, since Community pre-competitive research
funding cannot be used to fund operational activities. It is anticipated that a first part of the
GMES governance and financing [8] - two building blocks for the operational phase - should
be defined in the course of 2010.
5. GMES services must be able to guarantee the required quality of service, all the more so when the customers also include public decision-makers. This calls inter alia for defining an
overall GMES data policy, which will be coordinated by the Commission. Data security is
one specific aspect of the GMES overall data policy.
6. Effective handling of data security within GMES must take due account of Member States' data security requirements, since some of the GMES earth observation data and products
could have security implications for Member States of the European Union. It would also
help GMES operational services fulfil basic data security criteria especially for security
users, by identifying and mitigating risks such as proliferation of data and products,
disclosure of interest or doubts about the reliability of GMES services.
[8] See doc. 10285/09 + ADD 1 + ADD 2.
ANNEX 2
Glossary of acronyms and working definitions
Accreditation : process leading to a formal statement by the Security Accreditation Authority
(SAA) that a system is approved to operate with a defined level of classification, in a
particular security mode in its operational environment and at an acceptable level of risk,
based on the premise that an approved set of technical, physical, organisational and
procedural security measures has been implemented. [See doc. 13885/09 Appendix A,
Council Regulation on the security rules for protecting EU classified information]
Authenticity: the guarantee that information is genuine and from bona fide sources. [See doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU classified
information]
Availability: the property of being accessible and usable upon request by an authorised entity. [See
doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU
classified information]
Confidentiality: the property that information is not disclosed to unauthorised individuals, entities
or processes. [See doc. 13885/09 Annex IV, Council Regulation on the security rules for
protecting EU classified information]
Data Policy Framework: The general data policy document of GMES that is currently being
defined by the European Commission. The Framework will serve as the reference for the
various data policies that will be implemented at component and system level.
ESA : European Space Agency
Full and open access: general principle proposed by the European Commission in line with the
GEOSS data sharing principles: "full and open access to information produced by GMES
services and data collected through GMES infrastructure, subject to relevant security
restrictions" [See Art. 8,1, b) of the proposal for a Regulation of the European Parliament and
of the Council on the European Earth Observation programme (GMES) and its initial
operations (2011-2013); doc. 10285/09]
GEOSS : Global Earth Observation System of Systems
GMES : Global Monitoring for Environment and Security
GMES data: any piece of information that is used and exchanged within the GMES perimeter.
GMES element : GMES Component, GMES service or GMES system or sub system.
GMES product / GMES service: Product / service provided by a GMES service provider.
Hidden Security: security, procedures, equipment or systems transparent for the GMES users.
Integrity: the property of safeguarding the accuracy and completeness of information and assets.
[See doc. 13885/09 Annex IV, Council Regulation on the security rules for protecting EU
classified information]
Metadata (or ancillary data) : information describing data sets and data services and making it
possible to discover, inventory and use them.
Non-repudiation: the ability to prove an action or event has taken place, so that this event or action
cannot subsequently be denied. [See doc. 13885/09 Annex IV, Council Regulation on the
security rules for protecting EU classified information]
Potentially harmful transaction: data set characterised by its information content, target area, time
of generation and data exchange actors, that has been judged, against clearly established
criteria, to potentially cause a threat to security of the European Union and/or its Member
States, to their citizens, to foreign policy concerns and, if relevant, to the conduct of European
Union operations. This status, limited in time, induces a risk evaluation and the choice of the
relevant response tool to be applied.
Programmatic Control: areas under programmatic control of the European Union are all
infrastructures, services and systems that are developed and/or exploited directly by the
European Union, or by other entities on behalf of the European Union. In line with the
Financial Regulation of the European Commission, the contractual arrangements for the
centralised or de-centralised management of these development and exploitation activities
must contain detailed rules for the scrutiny of these activities, and the appropriate security
rules, where applicable.
Restriction due to national security or foreign policy concerns : possibility for the entities
responsible for GMES security to exert control or restrict dissemination on potentially
harmful GMES transactions.
Risk : the potential that a given threat will exploit internal and external vulnerabilities of an
organisation or of any of the systems it uses and thereby cause harm to the organisation and to
its tangible or intangible assets. It is measured as a combination of the likelihood of threats
occurring and their impact. [See doc. 13885/09 Appendix A, Council Regulation on the
security rules for protecting EU classified information]
Security needs : needs identified by specific user communities for their secure use of GMES data.
SMD : Security Management Document
GMES-SMD : GMES Security Management Document
Element SMD : Element Security Management Document
Threat : a potential cause of an unwanted incident which may result in harm to an organisation
or any of the systems it uses; such threats may be accidental or deliberate (malicious) and
are characterised by threatening elements, potential targets and attack methods. [See doc.
13885/09 Appendix A, Council Regulation on the security rules for protecting EU classified
information]
Traceability : recording of the path followed by data within a system, or more globally a
production process, by means of documented recorded identification.
Vulnerability : a weakness of any nature that can be exploited by one or more threats. A
vulnerability may be an omission or it may relate to a weakness in controls in terms of their
strength, completeness or consistency and may be of a technical, procedural, physical,
organisational or operational nature. [See doc. 13885/09 Appendix A, Council Regulation on
the security rules for protecting EU classified information]
________________________
ANNEX 3
Examples of Data security Needs and Risks
I. Examples of users' needs regarding data security
A. Meteorology
During a dedicated workshop, the case of meteorology was addressed as an example
of what future operational GMES services and GMES architecture could be. The data
security needs presented by the space component EUMETSAT, the network component
EUMETNET and a Member State's weather service provider (Finland) were very similar.
Actors of meteorology insist on:
1. Long term nature and need for confidence in quality of data for climate and climate change users requires:
- Protecting data from malicious attack
- Storing data for future use
- Creating a stable long term high quality climate data series
- Ensuring data sources are sustainable for future use (funding, technology compatibility, ...)
2. Wide variety of data and broad user base requires a data policy:
- To ensure the information is used by the right people e.g.
  - Military information
  - Aviation information
  - Commercial users
- To ensure the authenticity of the information e.g.
  - Warnings from national authorities
  - National climate data sets
This is certainly an issue that needs further examination in a multidisciplinary
approach.
C. GEO needs for military operations
Geospatial data is critical for operations.
For planning, GEO products ranging from 1:500K to 1:100K are requested, while
imagery products are increasingly used.
The age of mapping products and method of production, as well as the existence of
up-to-date sources, are key.
The aim is to provide a designated version of the Recognised Environmental Picture
(REP) common to the EUMS, the OHQ, FHQ and Battle Groups.
II. Examples of identified risks related to Geospatial data
The list below is not exhaustive. It cannot substitute or be used for a risk analysis but aims at
illustrating some of the discussions that have taken place in the workshops of the CSC
GMES.
A. OSINT
Open Source Intelligence is the collection and analysis of information from open
sources which are sources publicly available and legally obtainable (as opposed to
covert or classified sources).
In OSINT, the pieces of the puzzle are dispersed: there is no lack of information, but an overload.
The challenge is to locate what is relevant in an ocean of material.
Instead of being exclusive, obtained information can be complementary and can highlight
and help to understand other information obtained.
The Internet was created to let information flow freely, but the right information in
the wrong hands can be a source of problems.
Applied to GMES data, OSINT techniques could divert GMES services not intended
to produce sensitive information into criminal or hostile activities.
B. Cyber threats
As any major information infrastructure, GMES can be the target of cyber-attacks.
This threat is increasing.
A few large scale events have taken place in recent years:
- Data Denial of Service attacks on Estonian networks (April-May 2007)
- Defacement attacks on more than 300 private and official sites in Lithuania
(June-July 2008)
- Three major cable cuts in the Mediterranean (January, February and December 2008)
At the same time, entry barriers for malicious attackers are lowering:
- According to the UK House of Lords report on Personal Internet Security, the competition to supply botnets has decreased the cost of renting a platform for
spamming to around 3-7 US cents per zombie per week
- One report averaged the weekly rental rate for a botnet at USD 50-60 per 1 000-2 000 bots.
Treating GMES within the framework of Critical Information Infrastructures Protection,
as proposed by the European Commission in the Strategy for a Secure Information
Society COM(2006)251, could be considered.
C. Use of geospatial data for criminal, terrorist or adversary purposes
The EUSC has presented how geospatial services based upon geo information not
primarily designed for security can be used for security including criminal, terrorist or
adversary purposes.
1. Detection of smuggling routes
For instance, low resolution land cover imagery has been used to allow
identification of possible smuggling routes that can be used by both smugglers and
border control authorities.
2. High resolution maps
By combining different layers of data including maps, Google data, satellite
imagery, etc., a product that is more relevant, accurate and up to date (updated with recent
satellite imagery) can be produced, which can lead to a potential detrimental use.
Terrorists could use such products to plan an attack. They would benefit from
accurate, recent and very detailed information useful for their objectives.
For example, the Mumbai terrorist attacks were planned using Google Earth
imagery.
3. Geospatial Contingency Support Packages (GCSP)
As for event planning products, GCSP bring together data from several
sources including in some cases terrain data with precise geo-location (photos of
embassies, governmental buildings, etc.). They can be used to prepare and conduct
non-combatant evacuation operations.
Rebels or terrorists could use such products to plan an attack.
ANNEX 4
Possible implementation tools and examples
I. Examples of legal tools
A. National Laws, regulations and procedures
1. French geospatial law
The Law No 2008-518 (3 June 2008) relative to space operations, in its Title VII
"Data originating from space", relates to primary operators programming or
receiving data originating from space on French territory:
- Art 23 states that primary operators for data of a specified quality must first make a
declaration;
- Art 24: the administrative authority verifies that operators' activities do not
jeopardize fundamental national interest, international commitments and foreign
policy; it can restrict operators' activities at any time.
2. German national data security policy for space-based earth remote sensing
The Satellitendatensicherheitsgesetz (SatDSiG) of 30 Sep. 2009 aims at
fostering the civil use and commercialization of remote sensing data by
maximizing the data flow to scientific and commercial users and creating legal
certainty, while safeguarding security and foreign policy interests of German, EU,
NATO, friendly or allied countries.
This law is limited to German satellites, satellites operated by German nationals or
legal persons, satellites operated from Germany, non-military satellites; High-Grade
earth remote sensing systems. High Grade derives from the system's
capacity for acquiring data of particularly high information content, first-time or
primary marketing/dissemination.
Based upon a sensitivity check at transaction level (detailed below) that is
self-implemented by the operator, the data can be directly disseminated or may require a
permit that is delivered through a computer-assisted decision process within a
competent body of the German Government.
3. Italian regulation on data policy
A document approved on March 7th, 2007, Politica dei dati e Condivisione delle
Risorse (National Data Policy and Resource Sharing - DPRS), lays down general
principles of the national data policy for the distribution of data regarding the civil
component of the CSK system. According to these regulations:
- Raw data generated by the CSK system are not available for commercial users. Moreover the categories of data that may be distributed for commercial
purposes (standard products and high level products) are defined;
- Data and products below a meter (sub-metric products) generated by the CSK system are exclusively available to IT MoD;
- The CSK system, both during the programming of requests and for the distribution of data and products, operates under Shutter Control, exercised by IT
governmental security organizations;
- A specific Committee, called Organo di Indirizzo e Coordinamento con le Istituzioni (OICI), formed by representatives appointed by ASI, IT MoD and
IT Security organizations, has been envisaged. It is in charge of:
  - defining guidelines for the utilization of the civil component of the system;
  - assuring the coordination with other Ministers and internal governmental
  Bodies in order to harmonize the distribution of data and products
  according to the security and foreign policy needs.
As CSK is a dual system, specific attention has been reserved to the security of
the infrastructures of the various subsystems on which it is based, first of all in order to
protect the data:
- Some Security Requirements (SSRS) have been laid down, referring to each
sub-system on which the CSK system is based;
- These sub-systems and the whole CSK system have been evaluated by ITCE.VA (Security Evaluation Centers) and accredited by a Certification Body
(IT NSA).
B. European Directives
1. INSPIRE (Directive 2007/2/EC)
The main objectives of Directive 2007/2/EC of the European Parliament and
of the Council of 14 March 2007 establishing an Infrastructure for Spatial
Information in the European Community (INSPIRE) are to :
- establish a European Spatial Data Infrastructure;
- exchange spatial information between public services for the performance
of public tasks with a direct or indirect impact on the environment.
In its Art. 1, the INSPIRE Directive lays down general rules to establish an
infrastructure for spatial information in Europe :
- for the purposes of Community environmental policies; and
- policies or activities which may have an impact on the environment.
A secondary objective is to provide access to spatial data and services for
citizens.
The following remarks can be made:
- INSPIRE is to be based on the infrastructures for spatial information established and operated by the Member States;
- INSPIRE is a distributed infrastructure;
- INSPIRE does not require collection of new spatial data;
- INSPIRE does not affect existing Intellectual Property Rights.
Article 13 of the INSPIRE Directive says:
"1. By way of derogation from Article 11(1), Member States may limit public
access to spatial data sets and services through the services referred to in point
(a) of Article 11(1) where such access would adversely affect international
relations, public security or national defence.
By way of derogation from Article 11(1), Member States may limit public
access to spatial data sets and services through the services referred to in
points (b) to (e) of Article 11(1), or to the e-commerce services referred to in
Article 14(3), where such access would adversely affect any of the following:
(a) the confidentiality of the proceedings of public authorities, where such
confidentiality is provided for by law;
(b) international relations, public security or national defence;
(c) the course of justice, the ability of any person to receive a fair trial or the
ability of a public authority to conduct an enquiry of a criminal or disciplinary
nature;
(d) the confidentiality of commercial or industrial information, where such
confidentiality is provided for by national or Community law to protect a
legitimate economic interest, including the public interest in maintaining
statistical confidentiality and tax secrecy;
(e) intellectual property rights;
(e) the confidentiality of personal data and/or files relating to a natural person
where that person has not consented to the disclosure of the information to the
public, where such confidentiality is provided for by national or Community
law;
(f) the interests or protection of any person who supplied the information
requested on a voluntary basis without being under, or capable of being put
under, a legal obligation to do so, unless that person has consented to the
release of the information concerned;
(g) the protection of the environment to which such information relates, such
as the location of rare species.
2. The grounds for limiting access, as provided for in paragraph 1, shall be interpreted in a restrictive way, taking into account for the particular case the
public interest served by providing this access. In every particular case, the
public interest served by disclosure shall be weighed against the interest
served by limiting or conditioning the access. Member States may not, by
virtue of points (a), (d), (f), (g) and (h) of paragraph 1, limit access to
information on emissions into the environment.
3. Within this framework, and for the purposes of the application of point (f)
of paragraph 1, Member States shall ensure that the requirements of Directive
95/46/EC are complied with."
According to Article 17(7) of the INSPIRE Directive, "By way of derogation
from this Article, Member States may limit sharing when this would
compromise the course of justice, public security, national defence or
international relations."
2. Critical infrastructure protection (Directive 2008/114/EC)
The Council Directive 2008/114/EC of 8 December 2008 on the identification
and designation of European critical infrastructures and the assessment of the
need to improve their protection is part of an overall EU programme for the
protection of critical infrastructure (EPCIP) which also includes
- a financial programme (CIPS);
- external relations;
- contingency planning;
- Support for Member States concerning National Critical Infrastructure;
- Measures designed to facilitate the implementation of EPCIP, including
the EPCIP action plan.
According to the Directive, Critical Infrastructure (CI) means any asset,
system or part thereof that is essential for the maintenance of vital societal
functions, health, safety, security, economic or social well-being, the
destruction or disruption of which would have a significant impact. A European Critical Infrastructure is a CI the destruction or disruption of which
would have a significant impact on at least two Member States.
Directive 2008/114 is based on the following principles:
- all-hazards approach, but priority to threat from terrorism;
- step-by-step, sector-based approach currently covering Transport and
Energy, and subsequently other sectors such as ICT;
- ultimate responsibility for protecting ECI lies with MS and operators;
- complements and builds on existing work;
- trust and confidentiality.
Once a Member State has designated a CI as ECI in agreement with those MS
affected, this entails in particular the obligation to:
- inform other MS which may be affected;
- engage in bilateral or multilateral discussions with those MS;
- inform the infrastructure operator of ECI of the designation.
In all designated ECI, an operator security plan should be in place, including
an identification of important assets, a risk analysis and identification,
selection and prioritisation of counter-measures and procedures, distinguishing
between permanent and graduated security measures. Additionally, MS must
designate a security liaison officer for each ECI.
The role of the Commission is to :
- assist MS in the identification of ECI (on request);
- draw the attention of a MS to the possible existence of ECI;
- develop (non-binding) guidelines;
- consider further developments on the basis of reports from the MS.
II. Examples of data control tools
Mechanisms using metadata (or ancillary data) could be implemented with a view to
ensuring maximum traceability in data exchanges while remaining as transparent as possible to
the end users. They could include:
A. User Access Control: example of EUMETSAT
In the framework of the Initial Joint Polar System (IJPS) with the U.S., EUMETSAT has
the obligation to be capable of implementing selective denial of access to data from
U.S. instruments on EUMETSAT satellites in case of crisis or war. This has been
implemented through EUMETCast with data encryption and individual user
identification. The system has been tested and approved by the U.S. DoD. Metop-A is now
the operational U.S. NOAA satellite in the mid-morning orbit. No similar procedure
currently exists for EUMETSAT Members.
A network has been established to give clear contact points to all users worldwide:
- NMSs of Member States act as EUMETSAT Licensing Agents for real-time users in their countries. Some have delegated part of their duties to EUMETSAT.
- EUMETSAT is in charge of all licences outside Member States, international organisations, and delegated activities.
- EUMETSAT is also central distributor for all derived products, archived data, software.
Components: Parts and Typical Costs of a EUMETCast Terminal
(Slide 38, Council Security Committee, Brussels, 18 February 2009)

DVB Standard Hardware
    LNB Ku-/C-band & Satellite Dish      200/1500 EUR
    DVB PCI Card                         100 EUR
    DVB Multicast Client Software        60 EUR
    PC, Hard Disk, Ethernet              1000 EUR
                                         --------------
                                         1.400/2700 EUR
EUMETCast Key Unit (EKU)                 40 EUR

There is a central entry point: the EUMETSAT web site, where all users register on-line.
Most users are licensed electronically, through a web-based tool.
User registrations are passed to the Licensing Agent where relevant.
Each user of real-time data needs a decryption key unit (EKU) (cf. picture) managed
centrally at EUMETSAT.
B. Transaction Control
Example of transaction control through an algorithmic definition of sensitivity (source
SatDSiG).
If the data request is sensitive, a permit is required.
C. Data dissemination plans: example of LRIT
The long-range identification and tracking (LRIT) of ships aims to enhance security for
government authorities. LRIT provides ship identity and current location information in
sufficient time for a government to evaluate the security risk posed by a ship off its
coast and to respond, if necessary, to reduce the risk.
LRIT Data Distribution Plan (DDP): defines rules and access rights (i.e. which users
can receive what LRIT info). The DDP Server is managed by IMO and is populated by
SOLAS Contracting Governments, following IMO technical specifications.
The LRIT Data Distribution Plan (DDP) is principally a database that holds information
needed to allow the international LRIT system to operate correctly. The DDP is
consulted by any Data Center in order to determine whether a request for LRIT
information should be allowed under the rules for the distribution of LRIT data.
The DDP information includes:
1. a list of the unique identification codes assigned to key elements in the LRIT system;
2. the coordinates which define the various geographical areas declared by Contracting Governments within which they wish to exercise their rights to receive or restrict the
distribution of LRIT information as a Flag or Coastal State; and
3. a list of the ports and port facilities within the territory and places under the jurisdiction of each Contracting Government.
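The lookup a Data Center performs against the DDP can be sketched as a deny-by-default decision over the three kinds of information listed above. This is an added illustration, not code or a schema from IMO or from this paper: the role names, the rule that a flag State's restricted area overrides a coastal State's claim, the planar polygon test and every code, coordinate and port name are assumptions made for the example.

```python
from dataclasses import dataclass

def in_polygon(point, polygon):
    """Ray-casting test on planar (lon, lat) pairs; no antimeridian handling."""
    x, y = point
    inside = False
    for (x1, y1), (x2, y2) in zip(polygon, polygon[1:] + polygon[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside

@dataclass
class DDP:
    ids: set              # item 1: identification codes known to the system
    receive_areas: dict   # item 2: government -> areas it claims as coastal State
    restrict_areas: dict  # item 2: government -> areas it restricts as flag State
    ports: dict           # item 3: government -> its ports and port facilities

def decide(ddp, requester, role, ship_flag, ship_pos, port=None):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if requester not in ddp.ids or ship_flag not in ddp.ids:
        return False, "unknown identification code"
    if role == "flag":
        ok = requester == ship_flag
        return ok, "own-flag ship" if ok else "not the flag State"
    if role == "coastal":
        if not any(in_polygon(ship_pos, a) for a in ddp.receive_areas.get(requester, [])):
            return False, "ship outside requester's declared area"
        if any(in_polygon(ship_pos, a) for a in ddp.restrict_areas.get(ship_flag, [])):
            return False, "flag State restricts distribution here"
        return True, "ship inside declared coastal area"
    if role == "port":
        ok = port in ddp.ports.get(requester, set())
        return ok, "declared port of call" if ok else "port not listed for requester"
    return False, "unsupported role"

# Constructed sample plan: codes, polygons and port names are invented.
SAMPLE = DDP(
    ids={"GOV-A", "GOV-B"},
    receive_areas={"GOV-A": [[(0, 0), (10, 0), (10, 10), (0, 10)]]},
    restrict_areas={"GOV-B": [[(4, 4), (6, 4), (6, 6), (4, 6)]]},
    ports={"GOV-A": {"PORT-A1"}},
)
```

Returning the reason alongside the decision gives the Data Center an audit record for every refusal, which supports the traceability goal stated at the start of this section.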
LRIT System Security
Current LRIT information can have both a security and a commercial value. It must
therefore be strictly protected from unauthorized access in storage and when it is being
exchanged. The LRIT Performance Standard provides for the protection of LRIT data
through the protection not only of the databases themselves, but also the communication
links used to exchange data. Recommended methods of data protection include:
authorization prior to access; authentication of those accessing the data; confidentiality
(usually by encryption of the data) and data integrity checking.
III. Other capabilities that can be used for security
A. Certification
Telecom example: self-certification.
B. Licensing
Each user of GMES (with the exception of the owners) could be granted the use of data
and products according to terms and conditions described in a licence of use.