In the latest edition of its U&US Magazine, Telindus shared a case study with ESA, through the interview of Marcus Wallum, Operations Data Systems Engineer.

Security of space systems and operations is essential for protecting critical infrastructure that affects every aspect of daily life. Communications, air transport, maritime, financial and business services, as well as weather monitoring and defense systems, would face serious disruption if satellites and space infrastructure were targeted in a cyber-attack. With the PenBox project, Telindus helps the European Space Agency (ESA) protect its assets and intellectual property, in particular through automating penetration tests and increasing user awareness. Marcus Wallum, Operations Data Systems Engineer at ESA, gives us some insights into the project and the issues at stake.

In a research paper published 3 years ago, The Chatham House – one of the most important think tank in international issues – raised the question of whether space was the final frontier for cybersecurity. The institute concluded its study by emphasizing that a radical review of cybersecurity in space was needed to avoid potentially catastrophic attacks.


Has the situation evolved since this observation, according to you?

If anything, the situation has become even more pronounced. Space systems and the data, products and services they provide are increasingly relied upon for supporting critical infrastructures and services, communication, scientific study, exploration, policy and decision making. This increased reliance of society on space assets also increases their attractiveness as targets for adversaries. At the same time, the number of governmental but also new private actors in the space domain are rapidly increasing as barriers to entry are lowered and new technologies enable more cost-effective access to space. As new actors enter the market and supporting infrastructure on ground becomes cheaper, more ubiquitously available and utilized, the potential attack surface and governance challenge increases, as well as the proportional cost of security compared to the cost of the mission itself.

At the same time, the extent and frequency of reported cyber security breaches and disclosures of critical vulnerabilities in widely used terrestrial software, hardware, platforms and systems is increasing. Together with the increasing complexity and tight coupling between space and terrestrial based systems and emerging disruptive technologies such as hosted solutions which demand specific security treatments, it is apparent that the security of space systems, and a need to manage its effective application, has never been more important.


What is ESA's perception regarding the degree of exposure of the space industry to cyber risk?

Space systems and operations are almost entirely cyber-dependent, so of course there will always be exposure. More unique to the space industry are the security challenges that come with technology obsolescence, large and distributed supply chains, multidisciplinary engineering teams and the need to address security concerns beyond the controls and risk management approaches from well-known IT frameworks to account for particularities not covered by generic terrestrial systems.


What policies and practices are in place in the agency to cope with the growing cyber threat?

Today, cyber security is one of Europe’s paramount concerns, which has triggered policy and institutional structuring efforts aimed at building a core cyber security culture and capability. At ESA for example, it will form one of the common underlying elements to the programmatic pillars presented at the upcoming ministerial council, emphasizing the need for a strong and comprehensive approach to cyber security and safety across all ESA programs.

ESA has a mature security governance framework with traceability from top-level regulations to directives to policies to implementation. This includes an accreditation and certification scheme, associated responsible roles and an ISO-27001 certified Information Security Management System.

Despite the increased focus, there is still much work to be done. For example raising sufficient awareness such that security requirements are supported from the start of a program or mission and flown down to the engineering level. The space system engineering lifecycle itself and associated standards require amendment to ensure that security is baked in by design. This is especially important as the complexity of systems continues to increase, demanding a need to fully understand any associated uncertainty. Emerging technologies such as AI, cloud infrastructure and digitalization similarly require thorough security analysis to avoid introducing uncertainty and vulnerability.


Is the PenBox project part of a specific strategy? What are its major points and who is it intended for?

The PenBox permits to execute generic penetration tests against a system in an easy and repeatable way for non-expert users, significantly lowering the cost and allowing repeatability of testing. Space mission-specific attack scenarios flag a potential real mission impact, greatly improving user and system-owner awareness. An easy-to-use user interface permits to visualize ongoing attacks and explore obtained results highlighting security requirement violations, discovered vulnerabilities and warnings. Report generation capabilities permit to capture detailed session results, for example for regression testing or security audits. Attack scenarios are configurable and adaptable to any kind of system and can be tailored to target only the desired systems. Security experts may finetune attacks, link new tools, etc. to improve the tests. There is still some work to do to fine-tune the executable scenarios and the requirements verification logic specific to the space ground segment environment – work now foreseen in a potential follow up project, however the proof of concept has been largely achieved.

Disruptive security and penetration testing are essential tools to integrate security into the ground segment system and software engineering lifecycle. An automated testing capability is therefore a key building block for the wider goal of achieving a DevSecOps type approach, where security is addressed continuously and throughout all stages of the lifecycle.


How important is the user in the security chain?

System security is only ever as strong as the weakest link in that system and, frequently, that link is the user. Raising awareness, also among developers, stakeholders and decision-makers is therefore key.


Are you planning to roll out the use of the PenBox tool to other ESA departments or to industrial partners?

The PenBox was developed under ESA contract so there is flexibility in terms of distribution to interested parties. Strong interest in the tool has been expressed both by external industry and even other agencies, as well as by many departments of ESA, indicating the need for such a solution and justifying further investment in the future to improve on the prototype.


What were the reasons prompting ESA to collaborate with Telindus on this project? Were your expectations met? Are you considering collaborating with Telindus on other projects?

Telindus won the bid in open competition in which there were a number of strong competitors, which indicates the quality of their proposal. Overall, the result is promising – some further work is required to realize realistic space ground segment-specific scenario execution and tailored attacks as well as reliable requirement verification logic. However, with the majority of the framework in place, this is  not too far off and I am confident this could be achieved in any follow up activity. Having acquired yet more experience in ESA project work, Telindus continue to strengthen their position to compete for such future collaborations with ESA.


Communicated by Telindus

“Telindus won the bid in open competition in which there were a number of strong competitors, which indicates the quality of their proposal”


“Raising awareness among developers, stakeholders and decision-makers is key.”

Publié le 30 mars 2020