Report Concerning Space Data System Standards
SECURITY GUIDE
FOR MISSION PLANNERS
Informational Report CCSDS xxx.x-x-1
GREEN BOOK
October 2007
AUTHORITY
Issue: Green Book, Issue 1
Date: October 2022
Location: Not Applicable
This document has been approved for publication by the Management Council of the Consultative Committee for Space Data Systems (CCSDS) and reflects the consensus of technical panel experts from CCSDS Member Agencies. The procedure for review and authorization of CCSDS Reports is detailed in the Procedures Manual for the Consultative Committee for Space Data Systems.
This document is published and maintained by:
CCSDS Secretariat
Office of Space Communication (Code M-3)
National Aeronautics and Space Administration
Washington, DC 20546, USA
FOREWORD
This document is a CCSDS report that describes the threats that could potentially be applied against space missions. It characterizes threats against various types of missions and examines their likelihood and the results of their having been carried out.
Through the process of normal evolution, it is expected that expansion, deletion, or modification of this document may occur. This document is therefore subject to CCSDS document management and change control procedures which are defined in the Procedures Manual for the Consultative Committee for Space Data Systems. Current versions of CCSDS documents are maintained at the CCSDS Web site:
http://www.ccsds.org/
Questions relating to the contents or status of this document should be addressed to the CCSDS Secretariat at the address indicated on page i.
At time of publication, the active Member and Observer Agencies of the CCSDS were:
Member Agencies
– Agenzia Spaziale Italiana (ASI)/Italy
– British National Space Centre (BNSC)/United Kingdom
– Canadian Space Agency (CSA)/Canada
– Centre National d’Etudes Spatiales (CNES)/France
– Deutsches Zentrum für Luft- und Raumfahrt e.V (DLR)/Germany
– European Space Agency (ESA)/Europe
– Federal Space Agency (Roskosmos)/Russian Federation
– Instituto Nacional de Pesquisas Espaciais (INPE)/Brazil
– Japan Aerospace Exploration Agency (JAXA)/Japan
– National Aeronautics and Space Administration (NASA)/USA
Observer Agencies
– Austrian Space Agency (ASA)/Austria
– Belgian Federal Science Policy Office (BFSPO)/Belgium
– Central Research Institute of Machine Building (TsNIIMash)/Russian Federation
– Centro Tecnico Aeroespacial (CTA)/Brazil
– Chinese Academy of Space Technology (CAST)/China
– Commonwealth Scientific and Industrial Research Organization (CSIRO)/Australia
– Danish Space Research Institute (DSRI)/Denmark
– European Organization for the Exploitation of Meteorological Satellites (EUMETSAT)/Europe
– European Telecommunications Satellite Organization (EUTELSAT)/Europe
– Hellenic National Space Committee (HNSC)/Greece
– Indian Space Research Organization (ISRO)/India
– Institute of Space Research (IKI)/Russian Federation
– KFKI Research Institute for Particle & Nuclear Physics (KFKI)/Hungary
– Korea Aerospace Research Institute (KARI)/Korea
– MIKOMTEK: CSIR (CSIR)/Republic of South Africa
– Ministry of Communications (MOC)/Israel
– National Institute of Information and Communications Technology (NICT)/Japan
– National Oceanic & Atmospheric Administration (NOAA)/USA
– National Space Organization (NSPO)/Taipei
– Space and Upper Atmosphere Research Commission (SUPARCO)/Pakistan
– Swedish Space Corporation (SSC)/Sweden
– United States Geological Survey (USGS)/USA
CONTENTS
Section Page
1 INTRODUCTION 7
1.1 PURPOSE 7
1.2 SCOPE 7
1.3 APPLICABILITY 7
1.4 RATIONALE 7
1.5 DOCUMENT STRUCTURE 7
1.6 DEFINITIONS 8
1.7 REFERENCES 10
2 OVERVIEW 11
2.1 TARGET AUDIENCE 11
2.2 SECURITY CONCEPTS 11
2.3 SECURITY MANAGEMENT 11
3 SECURITY PLANNING 12
3.1 SECURITY POLICY 12
3.1.1 SYSTEM CATEGORIZATION 13
3.2 SECURITY INTERCONNECTION POLICY 13
3.3 THREAT ASSESSMENT 13
3.4 MISSION SECURITY ARCHITECTURE 13
3.4.1 SECURITY CONTROLS 14
3.4.2 SECURITY REQUIREMENTS 14
3.4.3 USE OF STANDARDS 14
3.5 SECURITY OPERATING PROCEDURES 14
3.6 SECURITY PLAN 15
3.6.1 SYSTEM DEFINITION 15
3.6.2 RISK ASSESSMENT 15
3.6.3 APPROVAL AND LIFE CYCLE 16
4 SECURITY CONTROLS FRAMEWORKS 17
4.1 ISO 17799 17
4.1.1 SECURITY POLICY 17
4.1.2 ORGANIZATION 17
4.1.3 ASSET MANAGEMENT 17
4.1.4 HUMAN RESOURCES SECURITY 17
4.1.5 PHYSICAL AND ENVIRONMENTAL SECURITY 18
4.1.6 COMMUNICATIONS AND OPERATIONS MANAGEMENT 18
4.1.7 ACCESS CONTROL 18
4.1.8 ACQUISITION, DEVELOPMENT AND MAINTENANCE 18
4.1.9 SECURITY INCIDENT MANAGEMENT 19
4.1.10 BUSINESS CONTINUITY MANAGEMENT 19
4.1.11 COMPLIANCE 19
4.2 OTHER FRAMEWORKS 19
4.3 SPECIAL CONSIDERATIONS FOR SPACE SYSTEMS 19
4.3.1 TELECOMMAND & TELEMETRY (TC/TM) CONTROLS 19
4.3.2 CONTINGENCY SCENARIO CONTROLS 20
4.3.3 GROUND PROCESSING CONTROLS 20
4.3.4 PHYSICAL CONTROLS 20
1 SYSTEM NAME/TITLE 22
2 DATA CATEGORIZATION: 22
3 INFORMATION SYSTEM OWNER: 22
4 AUTHORIZING OFFICIAL: 22
5 OTHER DESIGNATED CONTACTS: 22
6 ASSIGNMENT OF SECURITY RESPONSIBILITY: 22
7 INFORMATION SYSTEM OPERATIONAL STATUS: 22
8 INFORMATION SYSTEM TYPE 22
9 GENERAL SYSTEM DESCRIPTION/PURPOSE 23
10 SYSTEM ENVIRONMENT 23
11 SYSTEM INTERCONNECTIONS/INFORMATION SHARING 23
12 RELATED LAWS/REGULATIONS/POLICIES 23
13 MINIMUM SECURITY CONTROLS 23
14 INFORMATION SYSTEM SECURITY PLAN COMPLETION DATE 23
15 INFORMATION SYSTEM SECURITY PLAN APPROVAL DATE 23
1 INTRODUCTION
1.1 PURPOSE
This Guide is intended to provide guidance to mission planners in developing the management, operational and technical security controls appropriate to the value of their system and the information processed in it.
1.2 SCOPE
THE INFORMATION CONTAINED IN THIS REPORT IS NOT PART OF ANY OF THE CCSDS RECOMMENDED STANDARDS. In the event of any conflict between any CCSDS Recommended Standard and the material presented herein, the CCSDS Recommended Standard shall prevail.
Other CCSDS Recommended Standards and “Green Book” informational reports listed in section 1.7, “References”, provide more detail on particular aspects of assessing risks and implementing technical security measures.
1.3 APPLICABILITY
1.4 RATIONALE
The purpose of this guide is to introduce the reader to best practices in information security, and to provide a structured process flow and templates to help ensure that security aspects pertinent to space systems are not overlooked.
To date, space missions have implemented a wide variety of generally mission-specific protections for space systems and data. Information security best practices have only recently been defined and agreed to as recognized standards across industries and national boundaries. As space systems become increasingly interconnected with ground-based I/T networks, even including the Internet, it becomes more important to provide an integrated approach that addresses not only the security concerns traditionally understood by space systems designers, but also those more typical of I/T environments.
1.5 DOCUMENT STRUCTURE
This document is organized as follows:
Section 2 provides an introduction to security, defines terms that are used in this report, and identifies generic space mission security threats.
Section 3 describes the security planning process from policy definition through risk assessment and security control selection, to architecture and requirements.
Section 4 presents an introduction to common security controls and describes some controls specific to space data systems.
1.6 DEFINITIONS
Authentication: (1) Verification of the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. (2) Verification of the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
Authorization: The granting of access rights to a user, program, or process.
Compensating Controls: Any control that is used in a system to compensate for the absence of another control that is prescribed or expected. The use of compensating controls needs to be thoroughly documented and the risks understood.
Common Controls: Security controls that are applied to more than one system through shared organizational procedures or infrastructure.
Confidentiality: Assurance that information is not disclosed to unauthorized entities or processes.
Configuration Management: Process of controlling modifications to the system’s hardware, firmware, software, and documentation which provides sufficient assurance that the system is protected against the introduction of improper modification before, during, and after system implementation.
Data Integrity: Condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered, or destroyed.
Denial of Service: Any action or series of actions that prevents any part of a system from functioning in accordance with its intended purpose. This includes any action that causes unauthorized destruction, modification, or delay of service.
Identification: The process that enables recognition of an entity by a system, generally by the use of unique machine-readable user names.
Masquerading: Attempts to gain access to a system by posing as an authorized user or as a process. This is a form of spoofing.
Residual Risk: The portion of risk that remains after security measures have been applied.
Risk: A combination of the likelihood that a threat will occur, the likelihood that a threat occurrence will result in an adverse impact, and the severity of the resulting adverse impact.
NOTE – Risk is the loss potential that exists as the result of threat and vulnerability pairs. It is a combination of the likelihood of an attack (from a threat source) and the likelihood that a threat occurrence will result in an adverse impact (e.g., denial of service, loss of confidentiality or integrity), and the severity of the resulting adverse impact. Reducing either the threat or the vulnerability reduces the risk.
Risk Analysis: An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures are adequate to reduce the probability of loss or the impact of loss to an acceptable level.
Security Policy: The set of laws, rules, and practices that regulate how information is managed, protected, and distributed.
NOTE – A security policy may be written at many different levels of abstraction. For example, a corporate security policy is the set of laws, rules, and practices within a user organization; system security policy defines the rules and practices within a specific system; and technical security policy regulates the use of hardware, software, and firmware of a system or product.
Threat: Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.
Threat Agent: A method used to exploit a vulnerability in a system, operation, or facility.
Threat Analysis: The examination of all actions and events that might adversely affect a system or operation.
Threat Assessment: Formal description and evaluation of threat to a system.
Trojan Horse: A computer program with an apparently or actually useful function that contains additional (hidden) functions that surreptitiously exploit the legitimate authorizations of the invoking process to the detriment of security or integrity.
Virus: A program that can ‘infect’ other programs by modifying them to include a, possibly evolved, copy of itself.
Vulnerability: Weakness in an information system, or cryptographic system, or components (e.g., system security procedures, hardware design, internal controls) that could be exploited to violate system security policy.
Vulnerability Analysis: The systematic examination of systems in order to determine the adequacy of security measures, identify security deficiencies, and provide data from which to predict the effectiveness of proposed security measures.
Vulnerability Assessment: A measurement of vulnerability which includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack.
1.7 REFERENCES
[1] Security Guide for Interconnecting Information Technology Systems. National Institute of Standards and Technology Special Publication 800-47. Gaithersburg, Maryland: NIST, August 2002.
[2] Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 1: Introduction and General Model. International Standard, ISO/IEC 15408-1:2005. 2nd ed. Geneva: ISO, 2005.
[3] Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 2: Security Functional Requirements. International Standard, ISO/IEC 15408-2:2005. 2nd ed. Geneva: ISO, 2005.
[4] Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 3: Security Assurance Requirements. International Standard, ISO/IEC 15408-3:2005. 2nd ed. Geneva: ISO, 2005.
[5] File Transfer Protocol. STD 9. Reston, Virginia: ISOC, October 1985.
[6] “Kerberos: The Network Authentication Protocol.” Massachusetts Institute of Technology. <http://web.mit.edu/Kerberos/> (4/27/2007).
[7] Remote Authentication Dial In User Service (RADIUS). RFC 2865. Reston, Virginia: ISOC, June 2000.
[8] Cross Support Reference Model—Part 1: Space Link Extension Services. Recommendation for Space Data System Standards, CCSDS 910.4-B-2. Blue Book. Issue 2. Washington, D.C.: CCSDS, October 2005.
NOTE – Refer to appendix E of reference [1] for a complete list of references relevant to the development of the original NIST document.
2 OVERVIEW
2.1 TARGET AUDIENCE
This document is intended to provide the mission planner, program manager, and/or engineering lead with a basic understanding of the strategy, purpose, and process flow of integrating security early into the development of a space system.
Each organization should develop, document, and implement an organization-wide program to provide information security for the information and information systems that support the operations and assets of that organization.