European Space Agency

Objectives

The high level objectives of the SECOPS project are to:

  • Define the requirements and a high level design for an independent Security Operations service for Space (SECOPS) to offer to future GOVSATCOM telecommunications service providers;
  • Define the specification of a secure Virtual Satellite Operator (sVSO) capability, leveraging Eutelsat Quantum, a configurable communication satellite, as a tangible use case for analysis and exemplifying the pooling and sharing concept.

In particular, the study aims at clearly identifying and establishing:

  • The set of security controls (requirements) enabling protected delivery of configurable satellite communications services to meet government requirements under a ‘Pooling and Sharing’ use case, including a risk assessment;
  • The specification of security service requirements (e.g., technologies and operational procedures) for continuous cyber security monitoring services to meet the identified set of security requirements;
  • A gap analysis and design change assessment of the Quantum configurable satellite communications system, as an applicable use case, to meet the identified set of security requirements;
  • A cost/benefit analysis of the actual market viability of the proposed system and service capability.

The outcome of the study includes a preliminary high-level design of:

  • a configurable satellite communications service able to meet the GOVSATCOM model expectations;
  • a Security Operations Service able to provide security monitoring services to GOVSATCOM providers and operators. 

Challenges

The project faces several challenges.

The first one is related to the definition of actual use cases applicable to a GOVSATCOM scenario, which is still under definition. As a consequence, collecting the actual requirements effectively, for a service not yet in place, is not trivial.

Another challenge derives from the sensitivity of the information and the types of stakeholders involved, which are mainly in the government sector. Some stakeholders may be reluctant to provide this kind of information and may express their requirements only at a very high level, which is not sufficient to define the actual needs of the system.

Finally, the project aims at the definition of a broker-like security operations service independent from the actual GOVSATCOM provider, where providers and services of such kind are not commercialised yet.

Benefits

This project shows how the European space industry can support the EU’s GOVSATCOM initiative to provide secure and guaranteed access to satellite communications for a wide range of governmental applications, like civil protection, border surveillance and humanitarian aid.

In particular, it supports the definition and specification of the different stakeholders' requirements, with respect to actual use cases, and it defines a model for an independent security service operator able to offer security monitoring services to GOVSATCOM providers.

It also outlines the need for an independent Security Operations Service for Space in the GOVSATCOM context and, more generally, in a pooling and sharing system. The specific services and features necessary to deliver such a service are specified in the course of the study and a high level design is provided, considering several alternative deployment types.

A specific business case for the Eutelsat Quantum has been developed to perform a cost/benefits analysis related to the provision of SecOps service bundled with the Eutelsat Quantum offering.

Features

The system is composed of:

  • Eutelsat Quantum: Flexible satellite enabling customer-controlled dynamic reconfiguration of coverage, spectrum (bandwidth, connectivity, and translation), power, and network configuration. It supports up to eight (8) networks; each network is capable of being operated by an independent secure Virtual Satellite Operator (sVSO).
  • Communication Mission Reconfiguration Software (CMRS): Customer premises software, providing access to the planning, simulation and configuration functions of the Eutelsat Quantum satellite, aimed at supporting the sVSO capability.
  • Security Operations for Space Service: a service able to provide real-time monitoring and detection of security events and to support decision-making and responsiveness in the frame of security incident detection and handling. The service provides a set of core functions including security event detection, classification and alert management; proactive security incident detection; security incident handling; investigation and investigation support; advisory on containment actions; and advisory services on preventive actions. The service also provides complementary services including end-to-end security compliance assessment and management; security certification/accreditation service; security audit; and end-to-end security posture management, including risk assessment service, vulnerability management service, penetration testing service, secure code review service, threat intelligence, malware analysis, and forensics analysis. SECOPS can be integrated in the different GOVSATCOM options and, more generally, in a “commercially-secure pooling and sharing system” where different Security Monitoring and Control Services would be operating. Different models have been analysed to show how SECOPS could integrate in a context with a central security hub, but also in a fully decentralised approach where it could provide coordination and information exchange capabilities.
  • Customer premises sensors: commercial off-the-shelf products, collecting relevant security data needed for security monitoring analysis; additionally, purpose-built sensors may be developed to gather a better understanding of the full system security status (including the spacecraft). This topic will be exploited in a following technology phase.
  • Operator premises security service: local Security Monitoring and Control service that could interface and interact with SECOPS in several ways to provide added value and trust to the served customers.

System Architecture

In the design of SECOPS, three different deployment options have been assessed, which define the scope and boundaries of the SECOPS service:

  • Direct end-to-end security operations: operations are delivered by a central entity named GOVSATCOM SOC (GSOC), collecting security information from the Hub and all participating entities.
  • Indirect end-to-end security operations: the GOVSATCOM hub is monitored by the GSOC, while the other participating entities (e.g., GOVSATCOM service providers) are monitored by a third-party SOC (either their own or outsourced), supported by a collaborative incident management capability for coordination of activities among each other and with the GSOC.
  • Direct plus indirect end-to-end security operations: a combination of types 1 and 2 above. It accounts for cases where some third-party entities will allow sensors to be added while others will not.

The figure below represents all the described options.

The architecture consists of:

  • A technical infrastructure aimed at collecting, correlating and processing relevant events;
  • The security operation service aimed at performing managed threat detection and response, leveraging the defined infrastructure.

The infrastructure includes:

  • A SIEM (Security Information and Event Management System): a central security event and incident detection system able to collect, aggregate and normalise logs and security telemetry from the different sources in order to identify anomalies and security events;
  • A set of log collectors properly sized and located at the different entities: satellite provider, service provider, final customer and end user;
  • A set of security sensors (agent-based and network-based) deployed at network and/or system level at the different entities to enhance the quality of the information received from the common logs;
  • A coordination and security information exchange platform to support communications in a distributed environment where different Security M&C services are operating.

Service operations consist of:

  • A security operations team made of skilled and trained security analysts;
  • A set of security operating policies and procedures covering all the activities provided by SECOPS, from event collection to security incident handling and follow-up;
  • A service desk able to interface with all involved entities and necessary authorities to perform security event and incident management, including communications with necessary third parties.

Plan

The project started in March 2018 and the first phase was concluded in June 2019.

It was developed in two steps.

Step 1:

This step addressed the elicitation, analysis and definition of the security requirements of both the SECOPS and the sVSO sub-systems, leveraging Eutelsat Quantum. Phase 1 concludes with the Security Requirements definition for SECOPS.

Step 2:

The second step addressed:

  • the comparison assessment activity aimed at assessing the current security capabilities of both RHEA security services and the Eutelsat Quantum system, to identify current vs. required security service capabilities;
  • the requirements for the different GOVSATCOM options to deliver a security monitoring capability;
  • the change assessment aimed at providing a Preliminary Design of SECOPS related service capabilities and Eutelsat Quantum sVSO upgrades, including a technical and market-oriented cost vs. benefits analysis.

Step 2 provided a Preliminary Design of SECOPS and the additional security requirements to be considered in Eutelsat Quantum to address the needs of an sVSO in a commercially secure pooling and sharing environment.

Current status

The definition study is completed.

Status date

Tuesday, January 12, 2021 - 15:31