[CESG] FW: [EXTERNAL] Fw: SEA SecWG request for "security in all docs"

Shames, Peter M (US 312B) peter.m.shames at jpl.nasa.gov
Tue Nov 14 15:49:34 UTC 2023


Dear CESG,
It appears that the Security WG did provide a response to the request for examples of security issues being addressed in Green Books.  I think their examples are useful and germane.  Please review and see if you concur.
If we have consensus on this topic I would then propose including such a change in the next revision of the CCSDS Org & Proc YB, A02.1-Y-4.
Thanks, Peter


________________________________
From: Weiss, Howard [US-US]
Sent: Friday, June 9, 2023 3:15 PM
To: Shames, Peter M (US 312B)
Cc: Weiss, Howard [US-US]
Subject: RE: SEA SecWG request for "security in all docs"


Peter,



In a non-scientific but informed examination of the existing published Green Books (excluding those produced by the security working group), here are my top X picks that should include security:


  *   CCSDS 130.0-G: Overview of Space Communications Protocols (revised April 2023) – this document references many security documents and mentions security including SCPS-SP.  But there is no detailed treatment of security and it doesn’t even appear in Figure 2-1 “space communications protocols reference model” which depicts layering.
  *   CCSDS 130.12-G: CCSDS Protocols over DVB-S2 – another protocol document that should at least discuss security and should really incorporate security (but doesn’t).  Not even one instance of the word ‘security.’
  *   CCSDS 140.1-G: Real-Time Weather and Atmospheric Characterization Data – The word ‘security’ doesn’t even appear once in this document which is concerned with the capture and use of real-time weather data which at least should be aware of data integrity if nothing else.
  *   CCSDS 312.0-G: Reference Architecture for Space Information Management – claims to describe a reference space information management architecture ‘that encompasses the capture, management, access, and exchange of data…’  But no mention or discussion of security.
  *   CCSDS 706.1-G: Motion Imagery and Applications – document alludes to security but only brushes on the topic despite the need for integrated security mechanisms.
  *   CCSDS 706.2-G: Voice Communications – acknowledges the need for security and includes section 3.2.3.3 (Security) which says that ‘security for voice links is important’ but little else is discussed.
  *   Data Archive Information GBs (e.g., CCSDS 64x series, CCSDS 651.2-G) – Documents that describe how data should be archived for storage and interchange. There should be, at a minimum, data integrity mechanisms as well as access controls and maybe even security of data at rest.



I hope this helps to explain the request from the Security Working Group.  Would it help to have a WebEx with Klaus Jurgen and Tim (others?)?



Regards



howie





From: Shames, Peter M (US 312B) <peter.m.shames at jpl.nasa.gov>
Sent: Saturday, June 3, 2023 3:21 PM
To: Weiss, Howard [US-US] <Howard.Weiss at parsons.com>
Cc: SEA-Sec <sea-sec at mailman.ccsds.org>
Subject: [EXTERNAL] SEA SecWG request for "security in all docs"



Howie,



Ask and ye shall receive (just maybe not what was hoped for).



In the recent CESG and CMC meetings I brought your request forward.  The response from the CESG was lukewarm, and they were concerned with the impact on work flow.



I pointed out that all WGs were required to produce a Security section for all Blue and Magenta Books, and that little added study or other effort should be needed to add a paragraph about this to a Green Book.  Orange Books are already covered, and Yellow Book test reports for Blue Books are already covered.



The CMC’s response was this:

  *   => Request to Security WG  for a few examples of GB material

     *   Include examples in Resolution to CESG & CMC

They want you to pick a “few” candidate Green Books, analyze what you think would belong in such a GB as the “paragraph of security material”, and then provide these back to the CESG and CMC for review.  I suspect that you can do this easily, so please do so.

The other question that came up, from Tim Pham, was just what you meant to do with…
  *   => "adoption" of Aerospace version of SPARTA (ATT&CK Framework for Space).  Will this be a MB or BB, do we need to modify it for our use or just use it as it is?

The slides were not clear about whether you planned to adopt this, adapt it, cover page it, or just point to it.  If it is to become a new SecWG project you will need to add it to the Project list.

Thanks, Peter




