A primer on data security - How do we protect our satellites?

Daniel Fischer

OPS-GDA / Uni Lux

3 November 2006

Weakest Link Principle

The overall security of a system is only as strong as the security of its weakest link

  • All security aspects have to be recognised in order to realise a secure system

Example: A strong access control system is useless if the passwords are written on a yellow piece of paper that sticks on the computer

Data Security

Data Security is more than just encryption and firewalls!

  • Data Security is a process not an add-on
    • It has to be present through the whole development cycle of a system
    • It requires security aware thinking of system developers and users
    • It should increase the general responsibility awareness
Data Security Objectives
  • The goal of data security is to achieve the following fundamental objectives
    • Availability
    • Confidentiality
    • Integrity
    • Non-Repudiation
    • Access Control
    • Authentication
Risk Assessment

From what do we need to protect an information system and which countermeasures are most urgent?

  • Risk Assessment can answer that question
  • In data security, risk is defined as a function of three terms:
    • The probability of a threat
    • The probability that there is a certain vulnerability
    • The potential cost of the impact

Risk = P(Threat)*P(Vulnerability)*C(Impact)


What kind of threats are in existence?

  • General
    • Denial of Service
    • Eavesdropping
    • Integrity violation / Corruption
    • Hijacking / System Takeover
    • Destruction of information and/or hardware
  • Further threats possible depending on the nature of the system
  • Threats are measured in probability of occurrence
  • Threats are largely dependent on the motivation, funding and qualification of the threat agent, i.e. the potential attacker

System vulnerabilities are the entrance doors for successful attacks

  • Vulnerabilities are measured in probability of occurrence
  • Bugs in software implementations and operating systems
  • Missing security awareness among users
  • Improper configuration
  • Weak data protection methods

Successful exploitation of one or more vulnerabilities can have a more or less critical impact on a system

  • Examples:
    • Loss of a spacecraft
    • Data base destruction
    • Email espionage
    • Loss of customer confidence
  • Impacts are classified by their severity and measured in concrete values such as cost
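The formula above, applied to a few constructed scenarios drawn from the examples later in the talk. This is an added illustration, not material from the presentation; every probability and cost below is an assumption.

```python
# Added example: ranking constructed risk scenarios with the slide's formula
#   Risk = P(Threat) * P(Vulnerability) * C(Impact)
# All numbers are assumptions chosen for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    p_threat: float         # probability that a threat agent attempts this (assumed)
    p_vulnerability: float  # probability that the vulnerability is present (assumed)
    cost_impact: float      # cost of the impact in arbitrary currency units (assumed)

    def risk(self) -> float:
        for p in (self.p_threat, self.p_vulnerability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probabilities must lie in [0, 1]")
        return self.p_threat * self.p_vulnerability * self.cost_impact


# Constructed scenarios loosely modelled on the talk's own examples.
SCENARIOS = [
    Scenario("Telnet credentials eavesdropped on the LAN", 0.5, 0.9, 200_000),
    Scenario("Old unpatched Apache exploited, root via weak passwords", 0.6, 0.8, 500_000),
    Scenario("Tampered telecommand reaches the spacecraft", 0.05, 0.3, 50_000_000),
    Scenario("Phishing of a security-unaware user", 0.7, 0.6, 20_000),
]


def rank_by_risk(scenarios):
    """Return (name, risk) pairs sorted from highest to lowest risk."""
    return sorted(((s.name, s.risk()) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


def risk_reduction(scenario: Scenario, new_p_vulnerability: float) -> float:
    """Risk removed by a countermeasure that only lowers P(Vulnerability),
    e.g. patching Apache or replacing Telnet with SSH."""
    after = Scenario(scenario.name, scenario.p_threat,
                     new_p_vulnerability, scenario.cost_impact)
    return scenario.risk() - after.risk()


if __name__ == "__main__":
    for name, risk in rank_by_risk(SCENARIOS):
        print(f"{risk:>12,.0f}  {name}")
    print("Telnet -> SSH removes:", risk_reduction(SCENARIOS[0], 0.05))
```

Note how the low-probability spacecraft scenario still ranks first because of its cost term, which is exactly why the talk insists on assessing before buying countermeasures.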
Summary on Risk Assessment
  • Before applying all kinds of (good sounding) countermeasures at various points in a system, a risk assessment is a vital undertaking
    • Afterwards the answer to a specific threat might be clearer
    • The level of countermeasures is more appropriate (do not shoot flies with cannons…)
    • Unnecessary redundancies can be identified beforehand
    • A maximum level of transparency can be guaranteed
    • The risk assessment might uncover new risks that were not known beforehand
  • Countermeasures can be classified
    • Detection
    • Protection
    • Recovery
  • What countermeasures exist in data security?
    • Cryptography
    • Security Policies
    • System Evaluation
    • Filtering and Monitoring
    • User Training
  • The key term is synergy!

Cryptography

  • Cryptography represents the classical understanding of data security
  • A cryptographic operation is applied to a data structure
  • Input:
    • Data Structure
    • Secret Information (=Key)
    • Other parameters
  • Output:
    • Protected Data Structure

Cryptographic key principles

There are two cryptographic design principles that form the basis for all crypto primitives

  • Symmetric Cryptography
    • The same key is used for a cryptographic function and its inverse function
  • Asymmetric Cryptography
    • Different keys for a crypto function and its inverse function

Symmetric: Message = D( E(Message, Key), Key )

Asymmetric: Message = D( E(Message, EncKey), DecKey ), with EncKey != DecKey
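The two identities above, exercised in code. This is an added example, not part of the presentation: the symmetric case uses a hash-based XOR stream cipher and the asymmetric case uses textbook RSA with tiny constructed primes (p = 61, q = 53), both teaching constructions rather than primitives one would deploy.

```python
# Added example: the two key principles from the slide,
#   Message = D(E(Message, Key), Key)         (symmetric)
#   Message = D(E(Message, EncKey), DecKey)   (asymmetric, EncKey != DecKey)
# Teaching constructions only; real systems use vetted primitives (AES, RSA-OAEP, ...).
import hashlib
from math import gcd


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream built block by block as SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Symmetric: XOR with the keystream. The same function is E and its inverse D,
    and the same key is used for both, as the slide states."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA from constructed small primes: EncKey = (e, n), DecKey = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(block: int, key) -> int:
    """E and D are the same operation with different keys: block^exp mod n."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exp, n)


def roundtrip_checks() -> dict:
    """Verify both identities on constructed inputs; returns the observations."""
    key, nonce = b"sixteen byte key", b"nonce-01"
    msg = b"TC frame: set heater on"
    enc_key, dec_key = rsa_keypair()
    return {
        "symmetric_roundtrip": sym_crypt(sym_crypt(msg, key, nonce), key, nonce) == msg,
        "asymmetric_roundtrip": rsa_apply(rsa_apply(65, enc_key), dec_key) == 65,
        "keys_differ": enc_key != dec_key,
    }
```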

Cryptographic Primitives

[Diagram: cryptographic primitives, grouped into Secret Key and Public Key families]

Security Policies

Security Policies are guidelines of any kind whose goal is to increase the level of security

  • ESA Security Policies are developed by the security office or ESACERT
  • They can be of any form
    • Technical Guidelines
    • Access Restriction Regulations
    • User Behaviour Regulations
    • Key Management Regulations
    • System Configuration Regulations
    • Protocol and application usage Regulations
    • Virus Detection and Reaction Regulations
System Evaluation

System Evaluation protects against vulnerabilities resulting from a poor system design or implementation

  • International Standards like Common Criteria define evaluation assurance levels
    • E.g. CC EAL 3: Methodically tested and checked
  • Evaluation can be a long and expensive process
  • Security can already be increased by just evaluating the security critical parts of a system
  • Most extreme case is formal verification
  • Governments also have national evaluation schemes for crypto equipment protecting classified information
User Training

User training sessions increase security sensitivity of users

  • Training sessions should be scheduled on a regular basis
  • Topics could be:
    • Secure usage of computer systems (e.g. protection from Trojan Horses)
    • Secure choice and storage of passwords
    • Introduction to secure software and protocols
  • This goes hand in hand with security policies
Filtering and Monitoring

Filtering and Monitoring of network traffic can uncover or prohibit many attacks

  • Monitoring
    • Intrusion Detection Systems
    • Attack patterns can be recognised
    • Port Surveillance
      • Which ports are open and why?
  • Filtering
    • Packet Filter
    • Stateful Inspection
      • Content Inspection
    • Ingress Filtering
  • Both countermeasures act only at specific points of the system
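The port surveillance question on this slide, "which ports are open and why?", turned into a check. This is an added example, not from the presentation: it parses a constructed netstat-style listing, compares it against an assumed inventory of approved listeners, and flags the plaintext protocols the talk later singles out. Hosts, ports and the inventory are all assumptions.

```python
# Added example: "Which ports are open and why?" as a repeatable check.
# Listing and inventory are constructed for illustration, not real captures.
import re

# Constructed output in the style of `netstat -tln` (not a real capture).
SAMPLE_LISTING = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
"""

# Inventory (assumed): port -> documented reason it may listen.
APPROVED = {22: "SSH remote console", 80: "ELog web front end", 3306: "MySQL, loopback only"}

# Protocols that transmit credentials in plaintext, as the talk warns.
PLAINTEXT_PROTOCOLS = {23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}

LISTEN_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(LISTEN)?")


def parse_listening(listing: str):
    """Yield (proto, bind_address, port) for every listening socket in the listing."""
    for line in listing.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, state = m.groups()
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established/closing TCP sockets are not listeners
        yield proto, addr, int(port)


def review_open_ports(listing: str, approved=APPROVED):
    """Return (port, finding) for every listener that is unexplained, plaintext,
    or bound more widely than its inventory entry allows."""
    findings = []
    for proto, addr, port in parse_listening(listing):
        if port in PLAINTEXT_PROTOCOLS:
            findings.append((port, f"{PLAINTEXT_PROTOCOLS[port]} sends credentials in "
                                   "plaintext; migrate to SSH/SFTP"))
        elif port not in approved:
            findings.append((port, f"no documented reason for {proto} listener on {addr}"))
        elif "loopback" in approved[port] and addr not in ("127.0.0.1", "::1"):
            findings.append((port, "inventory says loopback only, but it binds all interfaces"))
    return findings
```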
Protocol Analysis / Engineering
  • ESA and other space agencies use space-tailored communication protocols
    • These protocols were not designed to provide security
    • Protocol analysis and security hardening is an important countermeasure
      • Transparency and interoperability should be kept if possible
  • Special purpose security protocols need to be designed
    • Key Exchange/ Agreement
    • (Mutual) Authentication
  • Techniques such as formal verification may become important here as well
Summary of Countermeasures
  • Each countermeasure provides only a few aspects of data security
    • In general, one countermeasure alone cannot counter a certain risk
    • There is no single “silver bullet”
    • Defence in depth
  • Countermeasures must work together to achieve the protection of the system
    • Weakest Link Principle
    • Synergy!
Security by Obscurity
  • Many people think that a security system becomes more secure if its internal structure is secret
    • Example: A secret encryption algorithm
  • BUT: The exact opposite is the case
    • Open and standardised systems are subject to constant analysis by the international research community
    • Secret systems can only be analysed by internal specialists
      • Unless an agency or company has a huge budget, severe and constant analysis of internal security systems is not possible
  • Kerckhoffs' principle in cryptography
    • The security of a crypto system shall always and only depend on the secrecy of the key
    • This means that everything of the algorithm except for the keys shall be open
What about ESA/ESOC?

Where does ESA/ESOC stand in terms of data security?

  • Current situation critical
    • Data security countermeasures are generally limited to monitoring and filtering
    • Security is seen as a kind of obstacle for workflows
    • No awareness of the work of ESACERT
    • Very limited security policies
      • Usage of insecure protocols in the networks
    • No cryptographic techniques e.g. for protected data transfer inside ESOC
    • Security unaware users

Login: root

Password: toor

Where do we have to improve?
  • A long way to go to a secure ESOC
    • However, already small improvements can significantly increase the security level
  • Implementation of ESACERT guidelines
  • Introduction and enforcement of a few simple policies:
    • Password Handling
    • Protocol Handling
  • In the long term
    • Usage of the complete set of security policies that will be developed by the ESA security office
    • Introduction of a public key infrastructure
    • Usage of evaluated software
Some simple examples
  • Standard remote console protocol in ESOC is Telnet
    • All user names, passwords and other information are transmitted in plaintext
    • Migration to the free secure shell (SSH) would solve the problem
  • For many user accounts, the password is very simple and easy to hack
    • A secure password can easily be generated by a nice little sentence
      • Metop is our #1 polar orbiter -> Mio#1po
  • Many machines run old and unpatched server processes such as Apache
    • Regular updates close a lot of security holes
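The sentence-to-password method above and the weak-password problem from the "root / toor" slide, as an added example that is not part of the presentation. The derivation rule (first letter of each word, leading digits and symbols kept as written) reproduces the slide's own Mio#1po; the checker's thresholds and its short list of common weak passwords are assumptions, and by today's usual 8-character minimum the 2006 example comes out one character short.

```python
# Added example: deriving a password from a sentence as on the slide, and checking
# for the trivially guessable patterns the talk warns about (root / toor).
import re


def password_from_sentence(sentence: str) -> str:
    """First letter of each word; a token starting with digits or symbols (like '#1')
    contributes its leading non-letter run, so "#1" survives as written."""
    parts = []
    for token in sentence.split():
        lead = re.match(r"[^A-Za-z]+", token)
        parts.append(lead.group(0) if lead else token[0])
    return "".join(parts)


# Constructed short list; a real deployment would use a large breached-password list.
COMMON_WEAK = {"password", "123456", "qwerty", "admin", "toor"}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_weaknesses(login: str, password: str, min_length: int = 8):
    """Return the list of policy violations; an empty list means nothing obvious."""
    issues = []
    pw, lg = password.lower(), login.lower()
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    # Equal to, reversed from, or containing the login name (root -> toor).
    if pw in (lg, lg[::-1]) or (len(lg) >= 3 and lg in pw):
        issues.append("derived from the login name")
    if pw in COMMON_WEAK:
        issues.append("on the common weak password list")
    if sum(bool(re.search(p, password)) for p in CHAR_CLASSES) < 3:
        issues.append("uses fewer than three character classes")
    return issues


if __name__ == "__main__":
    derived = password_from_sentence("Metop is our #1 polar orbiter")
    print(derived, password_weaknesses("ops", derived))
    print("toor", password_weaknesses("root", "toor"))
```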
ESACERT
  • ESA Computer and Communications Emergency Response Team
    • http://www.esacert.esa.int/
  • ESACERT provides data security solutions for ESA
    • Intrusion Detection
    • Incident handling
    • Alerts and Announcements
    • Collaboration and Coordination
    • Vulnerability and Artefact Analysis and Response
    • System Scanning and Certification
    • Training and Awareness
    • Consulting and Risk Analysis
    • etc.
Incident Example
  • On 3/02/06 a successful attack was carried out against the mcs30 machine
  • The attack resulted in
    • Complete destruction of the MySQL database that supports the ELog application
    • Denial of Service
    • Deletion of attack traces
  • ESACERT analysis identified the following possible break-in process:
    • Attack began via a very old version of Apache resulting in theft of the passwd/shadow file(s)
    • Because of the weak passwords the attacker succeeded in cracking them and obtaining root access very quickly
    • With root rights he did the rest
Incident Analysis Conclusion

The attack on mcs30 was of an extremely simple nature and would not have been possible if a few security regulations had been followed

  • Two main factors that helped the attacker:
    • Old and vulnerable software installed
    • Weak passwords in place
  • Both could have been prevented easily
  • However, there was no reaction
Project Overview
  • Reasons for starting the project:
    • Currently, only very few existing and upcoming ESA missions support security features (Metop, ATV, Sentinel-1,…)
    • Lack of standardisation in the area of security leads to high costs for every new mission
    • ESA's ground segment in its current form is not able to handle space link security
    • In the future, many missions will have security requirements defined
Project Work
  • Work on a standardisation for space link security
    • On CCSDS level
    • On ESA/ECSS level
  • Perform analysis of currently existing security mechanisms and standards
    • Check whether they can be used in the future and where ESA needs to improve
    • Example: PSS TC authentication system causes a lot of trouble both on the authentication algorithm and the technical implementation in ESA systems
    • Buzzwords: Interoperability, Transparency, Open systems
Results and further objectives
  • Study has already produced some promising results
    • Analysis of PSS authentication standard has revealed several basic problems with TC authentication
    • A ground segment analysis has identified several weaknesses in the ground infrastructure security
    • A recommendation of security inclusion in the packet TM/TC standards is provided with proper justification
  • Further objectives
    • Investigate the topic of key management for ground and space link key distribution
    • Provide further suggestions for improving the security situation in the ground segment
    • Investigate impact of security on satellite emergency situations
    • End-to-End security and the problems with interoperability services such as SLE
  • This presentation has given a very high level overview on security enhancing techniques
    • The maximum security is achieved by a synergy of all these techniques
  • How do we protect our satellites?
    • Risk Assessment on our systems
    • Implementation of appropriate countermeasures
      • Simple countermeasures can easily be implemented
      • A long term plan must also be developed
  • Development of standardised security supporting protocols for the space link
Thank You for Your time

Any questions?