What policies and practices are in place in the agency to cope with the growing cyber threat?
Today, cyber security is one of Europe’s paramount concerns, which has triggered policy and institutional structuring efforts aimed at building a core cyber security culture and capability. At ESA for example, it will form one of the common underlying elements to the programmatic pillars presented at the upcoming ministerial council, emphasizing the need for a strong and comprehensive approach to cyber security and safety across all ESA programs.
ESA has a mature security governance framework with traceability from top-level regulations to directives to policies to implementation. This includes an accreditation and certification scheme, associated responsible roles and an ISO-27001 certified Information Security Management System.
Despite the increased focus, there is still much work to be done. For example, raising sufficient awareness such that security requirements are supported from the start of a program or mission and flowed down to the engineering level. The space system engineering lifecycle itself and associated standards require amendment to ensure that security is baked in by design. This is especially important as the complexity of systems continues to increase, demanding a need to fully understand any associated uncertainty. Emerging technologies such as AI, cloud infrastructure and digitalization similarly require thorough security analysis to avoid introducing uncertainty and vulnerability.
Is the PenBox project part of a specific strategy? What are its major points and who is it intended for?
The PenBox permits non-expert users to execute generic penetration tests against a system in an easy and repeatable way, significantly lowering the cost and allowing repeatability of testing. Space mission-specific attack scenarios flag a potential real mission impact, greatly improving user and system-owner awareness. An easy-to-use user interface permits users to visualize ongoing attacks and explore obtained results, highlighting security requirement violations, discovered vulnerabilities and warnings. Report generation capabilities permit capturing detailed session results, for example for regression testing or security audits. Attack scenarios are configurable and adaptable to any kind of system and can be tailored to target only the desired systems. Security experts may fine-tune attacks, link new tools, etc. to improve the tests. There is still some work to do to fine-tune the executable scenarios and the requirements verification logic specific to the space ground segment environment – work now foreseen in a potential follow-up project. However, the proof of concept has been largely achieved.
Disruptive security and penetration testing are essential tools to integrate security into the ground segment system and software engineering lifecycle. An automated testing capability is therefore a key building block for the wider goal of achieving a DevSecOps type approach, where security is addressed continuously and throughout all stages of the lifecycle.
How important is the user in the security chain?
System security is only ever as strong as the weakest link in that system and, frequently, that link is the user. Raising awareness, also among developers, stakeholders and decision-makers, is therefore key.
Are you planning to roll out the use of the PenBox tool to other ESA departments or to industrial partners?
The PenBox was developed under ESA contract so there is flexibility in terms of distribution to interested parties. Strong interest in the tool has been expressed both by external industry and even other agencies, as well as by many departments of ESA, indicating the need for such a solution and justifying further investment in the future to improve on the prototype.
What were the reasons prompting ESA to collaborate with Telindus on this project? Were your expectations met? Are you considering collaborating with Telindus on other projects?
Telindus won the bid in open competition in which there were a number of strong competitors, which indicates the quality of their proposal. Overall, the result is promising – some further work is required to realize realistic space ground segment-specific scenario execution and tailored attacks as well as reliable requirement verification logic. However, with the majority of the framework in place, this is not too far off and I am confident this could be achieved in any follow-up activity. Having acquired yet more experience in ESA project work, Telindus continue to strengthen their position to compete for such future collaborations with ESA.