Author: Space Economy Academy
1 - Introduction to ECSS
ECSS-E-ST-80C is a new standard in the Space Engineering branch of the ECSS disciplines, issued on 1st July 2024.
“This standard considers the wide variety of security aspects that must be examined during the lifetime of a space system, including potential certification needs, allowing a tailoring to adapt to specific missions and services. It also considers the interaction between security of the system and its lifecycle, and the corporate security of the organisations involved. This standard is applicable to unclassified missions and projects, and used or tailored, as needed, abiding by national and inter-governmental rules for classified governmental security projects that often require additional processes and controls (such as formal System Security Accreditation); however, System Security Accreditation process is out of scope of this standard. Corporate security is usually specific to each organisation and may be constrained by national regulations or standards. Therefore, this standard avoids imposing unnecessary constraints that conflict with corporate security of the organisations involved in the lifecycle.”
The aim of this essay is to give indications and references, based on European Union (EU) Regulations, EU Commission Decisions, EU Council Decisions and other standards, for how to describe a possible security accreditation process in the European Union for a space project/system/product, a process that is currently out of scope of ECSS.
2 - New ECSS Discipline “Information Security Assurance” in the Q Branch
The discipline that aims to describe a possible security accreditation process for a space project/system/product should be included in the Space Product Assurance Branch (the Q branch) of ECSS.
The new discipline should describe a set of requirements for Information Security Assurance (Q-XX Information Security Assurance) to be implemented throughout the phases of a space project/system/product.
I would include this discipline in the Q branch of ECSS because the security accreditation process consists of a series of activities and decisions taken by a Security Accreditation Authority, which are typically based on evidence from security assessments, controls, audits and statement-of-compliance checks.
3 - Security Accreditation Definitions
In accordance with [B-02] Article 35, “‘Accreditation’ means the formal authorisation and approval granted to a communication and information system by the Security Accreditation Authority (SAA) to process European Union Classified Information (EUCI) in its operational environment, following the formal validation of the Security Plan and its correct implementation;
‘Accreditation Process’ means the necessary steps and tasks required prior to the accreditation by the Security Accreditation Authority. These steps and tasks shall be specified in an Accreditation Process Standard;”.
To be more specific, I would adopt the following definition, taken from [B-01] Appendix A and slightly modified to suit ECSS: “‘Accreditation’ means the process leading to a formal statement by the Security Accreditation Authority (SAA) that a system is approved to operate with a defined level of classification (the information processed by the system can be classified or sensitive), in a particular security mode in its operational environment and at an acceptable level of residual risk, based on the premise that an approved set of technical, physical, organisational and procedural security measures have been implemented.”.
4 - Security Accreditation Authority
For each project/system/product that is to undergo security accreditation under the previous definition, a Security Accreditation Authority (SAA) shall be established.
Security accreditation activities for all of the Programme’s components shall be conducted in accordance with the general principles listed in [B-03] Article 37.
The main responsibilities of the SAA as regards the security accreditation of a Communication and Information System (CIS) are listed in [B-01] Annex IV. [B-03] Article 38, which refers to the Security Accreditation Board (SAB), the body that under [B-03] Article 36 acts as the SAA for all of the Programme’s components identified in [B-03], lists the tasks specific to the space components. Below is an extract with the most important tasks: “
- defining and approving a security accreditation strategy […];
- taking decisions on security accreditation, in particular on the approval of satellite launches, the authorisation to operate the systems set up under the Programme’s components or the elements of those components in their different configurations and for the various services they provide, up to and including the signal in space, and the authorisation to operate the ground stations; […]
- examining and approving the security risk assessment […]
- endorsing the selection of approved products and measures which protect against electronic eavesdropping (TEMPEST) and of approved cryptographic products used to provide security for the Programme’s components;
- approving or, where relevant, participating in the joint approval, together with the relevant entities competent in security matters, of the interconnection between the systems established under the Programme’s components or under parts of those components and other systems; […]”.
5 - Information Assurance Operational Authority
For each project/system/product that is to undergo security accreditation under the previous definition, an Information Assurance Operational Authority (IAOA) shall be established. The main responsibilities of the IAOA as regards the security accreditation of a Communication and Information System (CIS) are listed in [B-01] Annex IV.
6 - Security Accreditation Strategy
In accordance with [B-03] Article 38(2)(a), the Security Accreditation Strategy (SAS) “sets out:
(i) the scope of the activities necessary to perform and maintain the accreditation of the Programme’s components or parts of those components and any interconnections between them and other systems or components;
(ii) a security accreditation process for the Programme’s components or parts of those components, with a degree of detail commensurate with the required level of assurance and clearly stating the accreditation conditions;
(iii) the role of relevant stakeholders involved in the accreditation process;
(iv) an accreditation schedule that complies with the phases of the Programme’s components, in particular as regards the deployment of infrastructure, service provision and evolution;
(v) the principles of security accreditation for networks connected to systems set up under the Programme’s components or for parts of those components, and for equipment connected to systems established by those components, which shall be performed by the national entities of the Member States competent in security matters;”.
The main sections that should be contained in a SAS, with their related descriptions, are listed below:
- Roles and Responsibilities for the SAS.
The Commission Decision [B-04] clearly reports and specifies all the roles and responsibilities of the principal security actors, which should be identified in a SAS. In particular:
  - Security Accreditation Authority
  - TEMPEST Authority
  - Crypto Approval Authority
  - Crypto Distribution Authority
  - Information Assurance Operational Authority
- Identification of a security accreditation perimeter
This section should identify, at a high level, the part of the space project/system/product that is subject to security accreditation. The architecture reported and described in this section should show all subcomponents, internal and external to the perimeter, and their interconnections, with the respective classification levels.
- Site Security Accreditation
This section should outline the process by which the SAA may take the decision to authorize the site that will host the system.
The objective of this process is to ascertain whether sensitive system equipment up to a given classification level can be securely deployed to the site.
The first step is to identify the Local Security Authority (LSA) of the country in which the site is located.
In accordance with [B-03] Article 42(5), the LSA carries out security checks on the site; in particular, it verifies whether the security requirements applicable to the site and the local security procedures are respected, and issues the relevant reports containing the outputs of the checks to the SAA.
The SAB may take the decision to issue the authorisation for the site based on these reports and on its own further assessments and checks.
An example checklist for a site inspection/visit is given in the Common Criteria Methodology for Information Technology Security Evaluation [B-05].
- System and Service Security Accreditation
In accordance with [B-03] Article 38, the SAA may take a decision to grant a time-limited authorisation to operate a system, or part of a system, and to provide the service. This section should outline the process by which the SAA takes the decision to authorise the system and the service to operate. The SAA shall check the implementation of security measures by undertaking or sponsoring security assessments, inspections, audits or reviews. All the security checks, assessments, audits, reviews and inspections performed by the SAA should be reported and described in this section.
- Space Segment Security Accreditation
The SAA may take the decision on satellite launch approval based on evidence that security procedures have been respected throughout the launch campaign, that the applicable security requirements for the launch campaign have been correctly implemented, and that the satellites have successfully passed all tests.
- Maintenance and decommissioning
This section should describe all the activities and checks that allow the correct maintenance of the security accreditation decisions taken by the SAA. It should also list the events that may impact a security accreditation decision and the cases in which the decision can be revoked. Finally, it should describe the conditions and processes that lead the SAA to take decisions on the decommissioning of sites and satellites.
- List of documents
This section should list the documents and evidence that the system/project owner shall provide to the SAA for each decision described in the previous points.
7 - Security Accreditation and Certification Plan
The Security Accreditation and Certification Plan (SACP) is the document that should describe how the system/project owner and the supplier intend to implement the SAS. This document should report and detail the plan and schedule for reaching all the applicable decisions listed in the SAS and the final accreditation.