
Space

On "Mission Security"

Measures to increase IT security are becoming increasingly important wherever the risk of cyberattacks rises with an increasing degree of networking. The aim is to ensure the highest level of confidentiality, integrity, availability and authenticity of digital infrastructures and applications, especially when these are categorised as critical.

Failure is not an option

Does what is already common practice on Earth apply to space infrastructures today? In the past, space systems were mostly used for scientific purposes, such as exploring the solar system and more distant galaxies. Today, satellites are already an integral part of and the basis for essential services in communication, navigation, financial transactions, meteorology, crisis coordination and defence. "Failure is not an option" also applies to space-based IT and communication systems of the New Space Initiative. There are therefore increasing calls for the same protection goals to apply here as for cyber security on Earth.

Much of what we do in space is crucial to the functioning of our society and economy and keeps important services running for public administrations, private companies and citizens.

Margrethe Vestager

Vice-President and Commissioner for Digital Affairs at the EU Commission

IT minimum standards for space

For the ground and user segment, "terrestrial" requirements, standards and recommendations have already been established in many countries. However, there is still a need for action when it comes to space infrastructure, as the framework conditions in space differ significantly in some cases - if only in terms of requirements. The emerging legislation for space offers hope: for example, the European Commission has announced a new EU Space Act at the end of 2023, which is to include the perspectives of resilience, security and sustainability. However, this still has to overcome several obstacles in order to become a functioning and useful harmonised piece of legislation.

Thematic areas at the focus of our activities

Ground segment

With the entry into force of EU NIS-2 and EU RCE, the EU Commission obliges operators of critical infrastructures (KRITIS) to comply with minimum requirements for cyber security and resilience. New: The requirements and measures now also apply to ground stations and missions that will fall under the KRITIS Regulation in the future.

Network and Information Security Directive (NIS-2)
According to NIS-2 and BSI KritisV, Annex 7, Part 3, No. 1.7.2, ground stations of a satellite navigation system are considered critical infrastructure in Germany. The threshold value is defined by REGULATION (EU) No 1285/2013 on the implementation and operation of European satellite navigation systems. Although only the European GALILEO mission is currently affected by the regulation, this may change quickly.

Audit in accordance with Section 8a BSIG
As an operator of critical infrastructure ground stations (KRITIS), you must prove every two years that your IT security is state of the art in accordance with Section 8a of the BSI Act. According to the BSI KRITIS Ordinance (BSI-KritisV), proof is provided by means of a corresponding audit in accordance with Section 8a BSIG.

Critical Entities Resilience Directive (EU CER)
The EU RCE Directive or CER Directive on the protection of critical entities was adopted at the end of 2022. At its core, it deals with the resilience and reliability of critical infrastructure, including space ground stations. National implementation in Germany will take place by October 2024 through the KRITIS Umbrella Act (KRITIS-DachG). It obliges operators of ground stations to draw up a resilience plan.

BCM in accordance with ISO 22301
Business continuity management systems (BCMS) are an important component of operational and organisational resilience management. TÜVIT experts evaluate and check the current status of BCM implementation in your company organisation and assess conformity with ISO 22301 standards.

Space segment

Information security for the space-side information network of satellites depending on the protection requirement classification of space missions.

Creation of IT security concepts for minimum protection for satellite missions with "normal" protection requirements in accordance with the BSI IT baseline protection profile for space infrastructures with reference to the space-side information network "satellite" including life cycle processes and procedures as well as all technical components such as applications, IT systems, rooms and buildings that support these processes and procedures (compatibility with ISO 27001 and based on CCSDS, ECSS and NIST).

Creation of IT security concepts for satellite missions with "high and very high protection requirements" in accordance with BSI TR-03184 'Information Security for Space Systems' with reference to the satellite platform and its communication link in all life cycle phases - from planning to decommissioning - and taking into account the development, testing and launch processes on the ground (serves as a guide to obtaining any VS approval planned at a later date).

User segment

IT infrastructures, systems and components - all secured! But what about the human factor? Without a high level of security awareness among employees in all stakeholder areas, the doors are still wide open to attackers.

Employees of aerospace organisations, such as engineers, scientists and technicians, but also the workforce of the supplier industry can be targets of phishing attacks. Using social engineering or sophisticated phishing methods, attackers try to steal confidential information that allows access to systems or sensitive data - with fatal consequences for sensitive space missions or critical use cases of space infrastructures and systems.

Social engineering & phishing campaigns
We fake phone calls, send phishing emails or distribute prepared USB sticks and test the helpfulness, curiosity or trust of employees. 

Physical penetration tests
Testing access to the security areas of your mission or the development and production areas of the supplier industry by finding potential vulnerabilities in access systems in buildings, such as locks, sensors or cameras.

We will support you – no matter what

Get started at last!

We advise you


TÜV NORD IT Secure Communication | Berlin
Goal achieved?

We check that


TÜV Informationstechnik | Essen