ESA and Telindus: Pushing the frontiers of cybersecurity

While new players like Elon Musk’s SpaceX and Jeff Bezos’ company Blue Origin may be competing with each other in what seems like a billionaire space race to send humans back to the moon, this accrued interest in our final frontiers raise the question whether a radical review of cybersecurity in space is not needed to avoid potentially catastrophic attacks.

How essential is the security of space systems and operations in today’s context, according to you?

Marcus Wallum, Operations Data Systems Engineer at ESA: “Today, space systems and the data, products and services they provide are increasingly relied upon for supporting critical infrastructures and services, communication, scientific study, exploration, policy and decision making. This increased reliance of society on space assets also increases their attractiveness as targets for adversaries. As we have seen, the number of governmental but also new private actors in the space domain are rapidly increasing as barriers to entry are lowered and new technologies enable more cost-effective access to space.

As new actors enter the market and supporting infrastructure on ground becomes cheaper, more ubiquitously available and utilized, the potential attack surface and governance challenge increases, as well as the proportional cost of security compared to the costof the mission itself. At the same time, the extent and frequency of reported cyber security breaches and disclosures of critical vulnerabilities in widely used terrestrial software, hardware, platforms and systems is increasing.

Together with the increasing complexity and tight coupling between space and terrestrial-based systems and emerging disruptive technologies such as hosted solutions which demand specific security treatments, it is apparent that the security of space systems, and a need to manage its effective application, has never been more important.”

Raising awareness among developers, stakeholders and decision-makers is key.

Marcus Wallum, Operations Data Systems Engineer at ESA

What is ESA's perception regarding the degree of exposure of the space industry to cyber risk?

M.W. : “Space systems and operations are almost entirely cyber-dependent, so of course there will always be exposure. More unique to the space industry are the security challenges that come with technology obsolescence, large and distributed supply chains, multidisciplinary engineering teams and the need to address security concerns beyond the controls and risk management approaches from well-known IT frameworks to account for particularities not covered by generic terrestrial systems.”

What policies and practices are in place in the agency to cope with the growing cyber threat?

M.W. : “ESA has a mature security governance framework with traceability from top-level regulations to directives to policies to implementation. This includes an accreditation and certification scheme, associated responsible roles and an ISO-27001 certified Information Security Management System. Despite the increased focus, there is still much work to be done. For example raising sufficient awareness such that security requirements are supported from the start of a program or mission and flown down to the engineering level.

The space system engineering lifecycle itself and associated standards require amendment to ensure that security is baked in by design. This is especially important as the complexity of systems continues to increase, demanding a need to fully understand any associated uncertainty. Emerging technologies such as AI, cloud infrastructure and digitalization similarly require thorough security analysis to avoid introducing uncertainty and vulnerability.”

Is the PenBox project part of a specific strategy? What are its major points and who is it intended for?

M.W. :”The PenBox permits to execute generic penetration tests against a system in an easy and repeatable way for non-expert users, significantly lowering the cost and allowing repeatability of testing. Space mission-specific attack scenarios flag a potential real mission impact, greatly improving user and system-owner awareness. An easy-to-use user interface permits to visualize ongoing attacks and explore obtained results highlighting security requirement violations, discovered vulnerabilities and warnings. Report generation capabilities permit to capture detailed session results, for example for regression testing or security audits.

Attack scenarios are configurable and adaptable to any kind of system and can be tailored to target only the desired systems. Security experts may finetune attacks, link new tools, etc. to improve the tests. There is still some work to do to fine-tune the executable scenarios and the requirements verification logic specific to the space ground segment environment – work now foreseen in a potential follow up project, however the proof of concept has been largely achieved.

Disruptive security and penetration testing are essential tools to integrate security into the ground segment system and software engineering lifecycle. An automated testing capability is therefore a key building block for the wider goal of achieving a DevSecOps type approach, where security is addressed continuously and throughout all stages of the lifecycle.”

How important is the user in the security chain?

M.W. : “System security is only ever as strong as the weakest link in that system and, frequently, that link is the user. Raising awareness, also among developers, stakeholders and decision-makers is therefore key.”

Are you planning to roll out the use of the PenBox tool to other ESA departments or to industrial partners?

M.W.: “The PenBox was developed in collaboration with Telindus, under ESA contract, so there is flexibility in terms of distribution to interested parties. Strong interest in the tool has been expressed both by external industry and even other agencies, as well as by many departments of ESA, indicating the need for such a solution and justifying further investment in the future to improve on the prototype.”