[CESG] CESG-P-2021-11-004 Approval to publish CCSDS 350.1-G-3, Security Threats against Space Missions (Green Book, Issue 3)
CCSDS Secretariat
thomas.gannett at tgannett.net
Mon Jan 10 15:03:20 UTC 2022
Dear CESG Members,
Conditions for approval of CCSDS 350.1-G-3, Security Threats against
Space Missions (Green Book, Issue 3) have been disposed to the
satisfaction of the AD(s) who voted to approve with conditions. The
Secretariat will now proceed with CMC polling to authorize publication.
-------------- next part --------------
From: Howard.Weiss at parsons.com
Sent: Monday, January 10, 2022 9:12 AM
To: Jonathan W
Cc: Daniel Fischer; CCSDS Secretariat; Shames, Peter M (JPL-312B)[JPL Employee]
Subject: Re: FW: [EXTERNAL] Re: CESG-P-2021-11-004 Approval to publish CCSDS
350.1-G-3, Security Threats against Space Missions (Green Book, Issue 3)
Categories: Poll Condition Closure
Thanks Jonathan. I will make the changes and send an updated version to Tom Gannett.
regards
howie
________________________________
HOWARD WEISS, CISSP
PARSONS Federal
7110 Samuel Morse Drive
Columbia, MD 21046
443-430-8089 (office) / 443-494-9087 (cell) howard.weiss at parsons.com www.parsons.com
________________________________________
From: Jonathan W <joe.nathan.wilmot at gmail.com>
Sent: Monday, January 10, 2022 8:13 AM
To: Weiss, Howard [US-US]
Cc: Daniel Fischer; CCSDS Secretariat; Shames, Peter M (JPL-312B)[JPL Employee]
Subject: Re: FW: [EXTERNAL] Re: CESG-P-2021-11-004 Approval to publish CCSDS 350.1-G-3, Security
Threats against Space Missions (Green Book, Issue 3)
Howie,
Sorry for the long delay. I am transitioning to NASA Emeritus and it has been moving slowly. My NASA
email should be restored later this week.
I am fine with your updates, so we can consider these conditions closed.
In general, I am trying to get the different CCSDS areas to start considering the impacts to standards
when we have crewed systems at lunar distances where everything is not controlled by ground mission
operators.
In the near term, the Gateway mission is having to consider onboard security and guidance from CCSDS
would be helpful. In particular, they are debating how crew laptops interface to the command and
telemetry systems.
Kind regards,
Jonathan
On 12/30/2021 11:25 AM, Wilmot, Jonathan J. (GSFC-5800) wrote:
>
> -----Original Message-----
> From: Howard.Weiss at parsons.com <Howard.Weiss at parsons.com>
> Sent: Thursday, December 30, 2021 11:15 AM
> To: Wilmot, Jonathan J. (GSFC-5800) <jonathan.j.wilmot at nasa.gov>
> Cc: Daniel Fischer <Daniel.Fischer at esa.int>; Howard.Weiss at parsons.com;
> CCSDS Secretariat <thomas.gannett at tgannett.net>; Shames, Peter M
> (JPL-312B)[JPL Employee] <peter.m.shames at jpl.nasa.gov>
> Subject: RE: [EXTERNAL] Re: CESG-P-2021-11-004 Approval to publish
> CCSDS 350.1-G-3, Security Threats against Space Missions (Green Book,
> Issue 3)
>
> Hi Jonathan,
>
> I will address your conditions in-line below. See sections starting with >>>>> (unfortunately I can't
> change fonts or colors because the email is text-based).
>
> Happy New Year.
>
> Regards
>
> howie
>
> ----------
>
> HOWARD WEISS, CISSP
> 7110 Samuel Morse Dr, Suite 200
> Columbia, MD 21046
> howard.weiss at parsons.com
> 443-430-8089 (office) / 443-494-9087 (mobile)
>
>
>
> -----Original Message-----
> From: CCSDS Secretariat <thomas.gannett at tgannett.net>
> Sent: Monday, December 13, 2021 5:16 PM
> To: Weiss, Howard <Howard.Weiss at parsons.com>
> Cc: jonathan.j.wilmot at nasa.gov
> Subject: [EXTERNAL] Re: CESG-P-2021-11-004 Approval to publish CCSDS
> 350.1-G-3, Security Threats against Space Missions (Green Book, Issue
> 3)
>
> Dear Document Rapporteur,
>
> The CESG poll to approve publication of CCSDS 350.1-G-3, Security Threats against Space Missions
> (Green Book, Issue 3) concluded with conditions. Please negotiate disposition of the conditions directly
> with the AD(s) who voted to approve with conditions and CC the Secretariat on all related
> correspondence.
>
>
> CESG E-Poll Identifier: CESG-P-2021-11-004 Approval to publish CCSDS 350.1-G-3, Security Threats
> against Space Missions (Green Book, Issue 3)
>
> Results of CESG poll beginning 26 November 2021 and ending 10 December 2021:
>
> Abstain: 0 (0%)
> Approve Unconditionally: 3 (75%) (Merri, Shames, Aguilar Sanchez)
> Approve with Conditions: 1 (25%) (Wilmot)
> Disapprove with Comment: 0 (0%)
>
> CONDITIONS/COMMENTS:
>
> Jonathan Wilmot (Approve with Conditions): 3.4.10 UNAUTHORIZED ACCESS should also address crew
> interfaces which do not interface through ground systems. An issue to discuss is crew inability to
> safe themselves when inappropriate security measures lock them out.
> Consider adding a Tainted Software section similar to 3.4.11 TAINTED HARDWARE COMPONENTS.
> Same logic could apply.
>
>>>>> Howard Weiss comments:
> I see your logic for adding a specific space-segment access discussion. However, I don't believe that
> recovery by a crew to a lock-out/unauthorized access is in scope of this section. I believe that the
> "Description" in 3.4.10 is ok. However, I see that the "Possible Mission Impact" section only discusses
> issues with the ground system and nothing directly onboard a spacecraft - mostly because we were not
> thinking in terms of a crewed mission. Certainly a crew could go nuts and start smashing buttons
> onboard and the likelihood of such a thing happening will go higher in the future with space tourism
> growing. But, if something inappropriate occurs to cause an onboard lock-out, the crew should have
> *authorization* to do manual corrections. However, those would be *authorized* actions and, in my
> opinion, are not relevant to the 3.4.10 discussion on "unauthorized access."
>
> But I propose to add words to include the possibility of a crew person trying to execute unauthorized
> action such as: "An access control breach would allow an *unauthorized* entity the ability to take
> control of a ground system, ground system network, shut down a ground system, upload unauthorized
> commands to a spacecraft, *execute unauthorized commands aboard a crewed mission*, obtain
> unauthorized data, contaminate archived data, or completely shut down a mission." I propose to
> remove the word *unauthorized* and to add the words between the stars *execute unauthorized
> commands aboard a crewed mission*.
>
> Would this be agreeable?
>
> As for adding a section about tainted software akin to tainted hardware, that already exists in section
> 3.4.9 entitled Software Threats.
>
> Consider adding some discussion on how "Probabilities" were determined
> in threat analysis tables. That would be very useful to the target audience.
> Consider adding some discussion on time distribution. Accurate clocks are key to navigation and
> communications protocols such as DTN. Missions have proposed NTP for vehicle to vehicle time
> synchronization which brings issues with jumps in time forward/backwards, time convergence latency,
> ... which could be threats either intended or unintended.
>
>>>>> Howard Weiss comments:
> As it states in the footnotes for each of the tables in Section 5: "These probabilities (in this and all
> subsequent tables) are for illustrative purposes only. Mission planners should perform a threat analysis
> to determine actual probabilities for specific missions." The probabilities in the tables are a best guess
> estimate as determined by the Security WG with no formal, deterministic analysis performed based
> solely on Security WG member experience and subject matter expertise and provided for illustration
> only.
>
> I agree that time distribution is critical. However it is just one of many critical aspects of a mission that
> must rely on *authentication and integrity* mechanisms. It falls in the same category as command
> uploads, cryptographic rekey, software upload/manipulation, engineering telemetry, etc. All of these
> must be authenticated and not corrupted or all bets are off.
>
>
> Total Respondents: 4
>
> No response was received from the following Area(s):
>
> CSS
> SIS
>
>
>
> SECRETARIAT INTERPRETATION OF RESULTS: Approved with Conditions
> PROPOSED SECRETARIAT ACTION: Generate
> CMC poll after conditions have been addressed
>
> * * * * * * * * * * * * * * * * * * * * * * * *
>
>