IT security: That's how important it is in space too!

On "Mission Security"

Measures to strengthen IT security are becoming more important wherever growing connectivity raises the risk of cyberattacks. The aim is to ensure the highest level of confidentiality, integrity, availability and authenticity of digital infrastructures and applications, especially when these are classified as critical for governments, the economy and civil society.

Failure is not an option
But does what is already common practice on Earth apply to space infrastructures today? In the past, space systems were mostly used for scientific purposes, such as exploring the solar system and more distant galaxies. Today, satellites are already an integral part of and the basis for essential services in communication, navigation, financial transactions, meteorology, crisis coordination and defense. "Failure is not an option" also applies to space-based IT and communication systems of the New Space Initiative. There are therefore increasing demands for the same protection goals to apply here as for cyber security on Earth.

In the context of the EU Space Strategy for Security and Defence

A lot of the things we do in space are crucial for the functioning of our society and economy. It keeps essential services running for public administrations, private companies and citizens.

Margrethe Vestager
Executive Vice-President for A Europe Fit for the Digital Age

Minimum IT standards for space

For the ground and user segment, "terrestrial" requirements, standards and recommendations have already been established in many countries. However, there is still a need for action when it comes to space infrastructures, as the framework conditions in space differ significantly in some cases - in terms of requirements alone. There is hope in the emerging legislation for space. 

For example, the European Commission has announced a new EU Space Act at the end of 2023, which is to cover the perspectives of resilience, security and sustainability. However, this still has to overcome several obstacles in order to become a functioning and useful harmonized piece of legislation.

Topic areas of our activities

Ground segment

With the entry into force of EU NIS-2 and EU RCE, the EU Commission obliges operators of critical infrastructure (KRITIS) to comply with minimum requirements for cyber security and resilience. New: The requirements and measures now also apply to ground stations and missions that will fall under the KRITIS Regulation in the future.

Network and Information Security Directive (NIS-2)

According to NIS-2 and BSI KritisV, Annex 7, Part 3, No. 1.7.2, ground stations of a satellite navigation system are considered critical infrastructure in Germany. The threshold value is defined by REGULATION (EU) No. 1285/2013 on the establishment and operation of European satellite navigation systems. Although only the European GALILEO mission is currently affected by the regulation, this may change quickly.

Audit according to §8a BSIG
As an operator of critical infrastructure ground stations (KRITIS), you must prove every two years that your IT security is state of the art in accordance with Section 8a of the BSI Act. According to the BSI Kritisverordnung (BSI KritisV), proof is provided by means of a corresponding audit in accordance with §8a BSIG. 

Critical Entities Resilience Directive (EU CER)

The EU RCE Directive or CER Directive on the protection of critical facilities was adopted at the end of 2022. At its core, it deals with the resilience and availability of critical infrastructures, including space ground stations. National implementation in Germany will take place by October 2024 through the KRITIS Umbrella Act (KRITIS-DachG). It obliges operators of ground stations to draw up a resilience plan.

BCM according to ISO 22301
Business continuity management systems (BCMS) are an important component of operational and organizational resilience management. TÜVIT experts evaluate and check the current status of BCM implementation in your company organization and assess conformity with ISO 22301 standards.

Space segment

Information security for the space-side information network of satellites depending on the protection requirement classification of space missions.

Development of IT security concepts for minimum protection for satellite missions with "normal" protection requirements in accordance with the BSI IT Grundschutz profile for space infrastructures with reference to the space-side information network "satellite" including life cycle processes and procedures as well as all technical components such as applications, IT systems, rooms and buildings that support these processes and procedures (compatibility with ISO 27001 and based on CCSDS, ECSS and NIST).

Development of IT security concepts for satellite missions with "high and very high protection requirements" according to BSI TR-03184 'Information Security for Space Systems' with reference to the satellite platform and its communication link in all life phases - from planning to decommissioning - and taking into account the development, testing and launch processes on the ground (to be a guide for obtaining a VS approval that may be planned later).

User segment

IT infrastructures, systems and components – all secured! But what about the human factor? Without a high level of security awareness among employees in all stakeholder areas, the doors are still wide open for attackers. 

Employees of space organizations, such as engineers, scientists and technicians, but also the workforce of the supplier industry can be targets of phishing attacks. Using social engineering or sophisticated phishing methods, attackers try to steal confidential information that allows access to systems or sensitive data - with fatal consequences for sensitive space missions or critical use cases of space infrastructures and systems. 

Social engineering & phishing campaigns
We fake phone calls, send phishing emails or distribute prepared USB sticks and test the helpfulness, curiosity or trust of employees.  

Physical penetration tests
Testing access to the security areas of your mission or the development and production areas of the supplier industry by finding potential weaknesses in access systems in buildings, such as locks, sensors or cameras.

 

Our service modules

Our service modules strengthen resilience and IT security throughout the entire ecosystem and are aimed at mission operators and ground station operators, as well as the supplier industry in the ground, space and launch segments, right through to the end user.

Concepts & studies in regulation

Fundamentals of IT security requirements and international standardization in the context of multi-level regulation and verification methodology

Penetration testing & attack simulation

Penetration tests for IT networks, systems and applications for the preventive identification of vulnerabilities across all segments and depending on the criticality of the mission
 

(Pre-) Audits & evaluations

Information security and continuity management audits as well as testing of space components & systems based on national and international standards/guidelines
 

The EU Space Law is also a matter of security, as in the current geopolitical context the protection of our space system from systemic security risks is a must.

Thierry Breton – European Commissioner for the Internal Market

Regulations for a coherent approach

Security: collision avoidance and space debris containment.

Resilience: risk management and cybersecurity tailored to the space sector.

Sustainability: assessing the life cycles of space activities and avoiding light pollution of the night sky.

Roadmap & current status

10 March 2023: Communication on an EU space strategy for security and defence.

13 September 2023: The State of the Union address by the President of the Commission, Ursula von der Leyen, included a proposal on EU space law as one of her key initiatives for 2024.

9 April 2024: Commissioner Thierry Breton mentioned that publication of the legislative proposal for a space law might be postponed to later in 2024.

On tour

Upcoming: Space Tech Expo Europe

Bremen, 19-21.11.2024: Space Tech Expo in Bremen is Europe's largest B2B space event and the most important gathering for space professionals on the entire continent.

DLR Bauteilekonferenz (Components Conference)

Kamp-Lintfort, 14-15.05.2024: The DLR Components Conference is an information and exchange platform for experts in the field of electrical, electronic and electromechanical (EEE) components for space applications. In addition to ALTER Technology and HTV, TÜVIT also presented itself this year as a cybersecurity specialist on the topic of IT security of space components and parts.

Cysat

Paris, 24-25.04.2024: Europe's most important event on cybersecurity in the space industry took place for the 4th time in a row at the end of April 2024. TÜVIT and ALTER Technology, two sister companies of the TÜV NORD GROUP, also participated in this year's conference program with an exhibition stand and several presentations.

SSSIF

Malaga, 20-22.03.2024: The Small Satellites & Services International Forum is a key international workshop that brings together all players in the sector such as designers, technicians, scientists, suppliers, developers and launchers. The forum offers a unique opportunity to network and exchange knowledge on the current state and future trends in the small satellite sector.

Networking


Expert group on cyber security in space


Matthias Petsch
Expert International Standardization
m.petsch(at)tuvit.de


Jacques Kruse Brandao
Expert security requirements
J.KruseBrandao(at)tuvit.de

Experienced in space

The Digital & Semiconductor business unit bundles the expertise of ALTER and TÜVIT in the areas of semiconductors, IT security and communication technologies. Knowledge of artificial intelligence, quantum and nanotechnologies and new space is also consolidated here. ALTER is an experienced and reliable service provider in the development and testing of EEE components and devices for the space and other technology markets.  

 
