[Moims-sc] Issues with SM&C MO Ref Model, CCSDS 520.1-P-1.1, as identified in CESG poll CESG-P-2021-04-002

Mehran Sarkarati Mehran.Sarkarati at esa.int
Wed Jun 30 19:26:33 UTC 2021

Dear Peter,

I need to react to your note. I will focus on facts:

  *   SM&C and Security WGs interacted in 2018 and 2019. Joint meetings were held in both years. Last joint meeting was in Spring 2019. Security WGs MoM of both Technical Meetings are attached to this email.
  *   Security WG had on request of SM&C WG performed a thorough and detailed analysis of SM&C set of standards. A dedicated prototype had been implemented to further deepen the implementation aspects.
  *   Very detailed recommendations and changes to SM&C books were provided by Security WG to SM&C WG mid 2019. These were at the level of changes of text/sentences in the SM&C Books.
  *   Dedicated follow up technical sessions were held between the technical lead of SM&C WG and the experts of Security WG.
  *   I refer to the MoM of the Security WG, which are attached to this email:
     *   “The Security WG presented suggested updates to call affected SM&C books in the form of a redlined version. The affected books are fortuitously in the process of being revised or in draft. SM&C was very receptive to the proposals and will include them in the document updates.”
  *   I have reached out to the Deputy Chair of the Security WG and quote his response:
     *   “Update of the SM&C books: This was done subsequently with Sam and presented as well at the next CCSDS meeting. The Security WG considers this business closed to their satisfaction.”
  *   The reference Model was sent to review one year after the close interactions between SM&C WG and the Security WG. In CCSDS terms and considering the speed of our processes this is like a “minute ago” if not a second ago. In our meeting yesterday, you repeatedly claimed interactions were years ago and you had asked members of security WG and they considered things have changed dramatically since. This is a very wrong statement.
  *   The reference Model Book was updated and sent to review under NASA leadership of the WG. Dan Smith was the lead and coordinated this books update and I trust he has certainly ensured correct and adequate implementation of proposed changes.
  *   The SM&C WG is currently undertaking a major effort of updating all its books under the Umbrella Term MO 2.0. The resources for this undertaking are massive and we are facing severe challenges of prioritizing our efforts.
  *   It is for our WG difficult to understand that when we have a dedicated WG in CCSDS for Security, how can it be that the Area director of that WG holds a very different position than the WG itself.
  *   From our perspective we have followed what is exactly expected in CCSDS among the expert WGs. We have reached out and consulted the Security WG. From the minutes and confirmed by the Deputy Chair and the members of the WG (even in your attached emails) the two WGs worked perfectly well together and there was no disagreement. All recommendations were accepted and Security WG considered the issue as closed. It is extremely frustrating to see that having gone through this process, we are facing broad, generic and unsubstantiated claims, raised by the Area director of the same WG (even wrt years you talked yesterday about 5 years ago, now you say about 3 years ago instead of saying less than a year between the interaction and update of the book and sending of the book to review). I find this very deceptive and passing a very wrong picture.
  *   The Reference Model is frankly not on the top of our priorities right now with the update of the MAL, Bindings, M&C Book, Mission Data Product Distribution Service and others on our plate.
  *   Of course, there may be mistakes and it may be that one or the other recommendation of the Security WG is not implemented to your full satisfaction. We can review the comments raised by Security WG and track them back in the updated book and demonstrate due diligence. The problem is, all of this is extremely effort and time consuming and we would like to report back to CMC and CESG on the severe impact of this on the schedule of our WG for the MO 2.0 updates.

I consider all of the above simple facts, which have been checked with those in leading role before I took over the chairmanship of the SM&C WG.

Now I leave the world of facts and enter the domain of perception:
We observe that in any review of any book that has an MO element, be it from the SM&C WG and MP&S WGs we always face severe “problems”, resistance and delays coming always only from one and the same direction, which is you in your role as the AD.
This is true for the charter of the MP&S WG, the approval of the Blue Book of the MP&S, the approval of the MAL, the binding books, the SM&C books, …
You keep on coming back on the same issues again and again, even when we see that your concerns are overruled by CESG and CMC. You raise the same comments nonetheless in any opportunity.
This is apparent when we see the same type of comments raised on the “unchanged” part of a book that was already approved and published, when it goes through the 5 years review.

We value your expertise and do not question your authority, nor your opinion. But as you yourself say, we are in CCSDS a consensus organization. To me this means that when you have a reservation wrt MO in general and have raised these reservations over the years again and again, nonetheless the CCSDS organization (in form of CESG and CMC) have decided otherwise, it is the fair play that you do not look for any opportunity to slow down the process of our WG and refrain from bringing up the same point again in the next book review.

I put a disclaimer on the top of these points and repeat again that this is mine and WG’s perception and not facts. This is how we perceive your repetitive comments on any book that has something with MO.
I apologise if this is a wrong perception, nonetheless from your side it would be important that you acknowledge how your interaction with our WG is perceived by the majority of the WG (I am not referring only to this case).
I have not conducted a vote on this in the WG and am passing the message of direct interactions with many of the members of our WG.

Now, back to the process, I believe since both you and me are referring to the Security WG and at least for my side I am not comfortable to talk on their behalf, I will request a clarification to the Chair and Deputy Chair of the Security WG.
I will also double check if any of the recommendations of the Security WG was not implemented.

For now, we in the SM&C WG need however to discuss in our WG, if we can afford spending resources on detailed analysis of your comments and detailed demonstration of the history and “proving” that we have done everything ok.
We have currently more important issues with the update of our books on hand.

I would like to formally report to the CESG and CMC that the consequence of this perceived “pattern” is concretely resources and expenditure on the participating agencies of our WG and ask for guidance of how to handle the entertaining of this process in view of severe lack of resources and higher priority tasks.

One last point is, our WG has very tight schedule and we have regular bi-weekly and monthly splinters and WG meetings to close the MO 2.0 updates.
I would like to ask you, in case you wish to discuss with SM&C WG something, please inform me in advance and I will see how best to organize dedicated meeting, if and when the resources and availability of the WG allows.

Kind Regards

From: "Shames, Peter M (US 312B)" <peter.m.shames at jpl.nasa.gov>
Date: Wednesday, 30 June 2021 at 22:30
To: Mehran Sarkarati <Mehran.Sarkarati at esa.int>, "moims-sc at mailman.ccsds.org" <moims-sc at mailman.ccsds.org>
Cc: CCSDS Engineering Steering Group - CESG Exec <cesg at mailman.ccsds.org>, SEA-Sec <sea-sec at mailman.ccsds.org>
Subject: Issues with SM&C MO Ref Model, CCSDS 520.1-P-1.1, as identified in CESG poll CESG-P-2021-04-002

Dear Mehran and the SM&C WG,

Yesterday, on 29 Jun 21, you held an SM&C WG meeting where one of the topics on the agenda was the CESG Poll results on SM&C MO Ref Model, CCSDS 520.1-P-1.1, as identified in CESG poll CESG-P-2021-04-002.  Since I had voted to disapprove this document, for a set of clearly stated reasons, I did you the courtesy of coming to the meeting so that I could answer any questions and clarify any concerns you might have.  From my point of view the outcome of that meeting was quite unsatisfactory, and I wish you all to understand why.  I would not normally take the time to do this, but in this situation a clear and unambiguous response seems warranted.

I’m going to start by providing a little background about where I am coming from since there appears to be a lack of understanding of the role that I, and all other CESG members, play in CCSDS processes.  I am the CCSDS Systems Engineering Area Director (SEA AD).  As such I am responsible for the SEA and the Security WG which is within that Area.  As one of the six CCSDS Area Directors (AD) I am also a member of the CCSDS Engineering Steering Group (CESG), which has responsibility for reviewing and approving every single document that the CCSDS produces.

It seems that I must remind you that the CCSDS Organization and Processes document, CCSDS A02.1-Y-4, guides and controls all of our work.  I have taken the liberty of extracting, and underlining, the key sections that you appear to have forgotten or are unaware of:

CESG Operating Principles
d)  Consistency. An important job of the CESG is to watch over the output of all of the WGs to help prevent CCSDS specifications that are at odds with each other. This is why ADs and DADs are required to review the drafts coming out of Areas other than their own as part of the consensus process leading up to their adoption into the program of work. The quality of the CCSDS Recommended Standards comes both from the review that they get in the WGs and the review that the WG products get from the CESG.
e)  Anticipation. The CESG must be able to look ahead and anticipate new standards that stakeholders will most likely require, and begin prospective planning for their development so that there is sufficient time to complete them once a hard requirement emerges. This implies working with technology and experimental communities to vector research resources into the standardization process.
And CESG Responsibilities
The CESG is specifically responsible for the following:
a)  maintaining and upholding the overall technical quality and consistency of the evolving set of CCSDS Recommended Standards and Practices;
b)  providing the CCSDS-wide forum where the work programs of the Areas may be coordinated and synchronized in the context of an overall architecture for space-mission cross support and the needs of individual customers;
i)  periodically reviewing the technical work of each Area to ensure that it is progressing toward common goals, that the process of consensus is being observed and that the needs of CCSDS stakeholders (2.2) are being satisfied in a timely manner (the ADs shall be responsible for reporting on all work items within their Area);
j)  identifying “red flag” items where technical work in a proposed CCSDS document is not of the required quality or nature, where technical work is not progressing satisfactorily, where resources are inadequate, or where significant issues exist, and raising these to the attention of the CMC for corrective action;
I am providing this as a reference because you seemed to be of the impression that having a discussion between the SM&C WG and the Sec WG three years ago was sufficient “to disposition” the security and other issues that I identified in my PID.  It is not.  And, as we shall see, the earlier interactions with the SecWG did not, in any event, “disposition” the issues that were raised three years ago (Fall 2018).  Based on my review it is clear that these issues remain and they are viewed by me, and the SecWG, as being even more serious now than they were then.

An abbreviated form of the key issues that I raised in the CESG PID were these:

There are two major issues that must be contended with, and neither of them are adequately addressed: 1) The SM&C MAL is undergoing a major revision, one of which is to remove the COM, but that is not addressed; 2) a solid security approach, for single systems, but most especially for multi-mission systems, is essential, but the mechanisms in this document remain vague, weak, and poorly articulated.

Since one of the stated desires is to use this framework for major, multi-mission, and multi-agency, deployments we also looked at it from that point of view.   The following comment, quoted from one [SecWG] reviewer, should provide further insights:

"I have read all the MO books and followed the SM&C WG for ten years now (although its meetings always conflict with my own WGs).  When I have a hard time figuring out how security fits into MO services, a non-CCSDS reader can expect even more difficulty.

JSC gave up active participation in SM&C WG due to a perceived lack of ROI for our missions.  Compared to the mature operational capabilities already implemented for ISS in custom software, MO services were viewed as redundant.  The single most important features deemed lacking, which would have recommended MO above a custom implementation, were precisely those security capabilities necessary to support multiple complex missions across multiple agencies/contractors each with their own access restriction requirements.  But work on MO security services has been deferred indefinitely by the SM&C WG (and reading the MO 2.0 list of topics, appears to be absent yet again).”

Another point to be made, in the context of CCSDS "reference model" Magenta Books is that MB are intended to be normative content.  This permits them to not be "directly implementable", but it also requires that they "provide normative, controlling, guidance rather than purely descriptive material."  While the word "normative" is used a lot, and there is liberal use made of UML diagrams, which give the appearance of concrete recommendations, on closer examination all of the figures are abstractions and there are really no concrete examples to reference and tie these abstractions to reality.  At almost every turn these very real concrete concerns are just dismissed as "implementation" or "deployment" details.  This makes the document vague and does not provide concrete examples to substantiate that the stated claims can be achieved.  This is especially true of the security sections, but it is also true throughout, particularly where multi-mission deployments are considered.
I am going to just focus on the security issues for now, but the others also remain unresolved.  During the telecon you asserted that the SM&C WG had met with the SecWG three years ago and that all of the security concerns that they had raised at that time had been resolved.  I told you that even though I do have a strong background in distributed systems architectures and secure systems I had consulted with members of the SecWG just prior to submitting my PID.  They confirmed my concerns and completely supported my analysis.
Because of your statements just after the SM&C meeting on Tuesday, 29 June, I again contacted the SecWG to determine what their knowledge was of the situation.  These are the replies I got:

From: "Biggerstaff, Craig (JSC-CD42)[SGT, INC]" <craig.biggerstaff at nasa.gov>
Date: Tuesday, June 29, 2021 at 10:17 AM
To: Howie Weiss <Howard.Weiss at parsons.com>, Peter Shames <peter.m.shames at jpl.nasa.gov>, "Sheehe, Charles J. (GRC-LCN0)" <charles.j.sheehe at nasa.gov>
Cc: "Radulescu, Costin (US 9300)" <cradule at jpl.nasa.gov>
Subject: RE: [EXTERNAL] RE: Issues with SM&C MO Ref Model treatment of security topics

Security analysis produced by ESA, posted in the SM&C WG meeting materials from Fall 2018:

·         https://cwe.ccsds.org/moims/docs/MOIMS-SMandC/Meeting%20Materials/2018/Fall/MOS_Security_CCSDS_161018.pptx?d=w6be12e1a154d41a7b3fe4a126d59adde

More security analysis produced by ESA, posted in the SM&C WG meeting materials from Fall 2019:

·         https://cwe.ccsds.org/moims/docs/MOIMS-SMandC/Meeting%20Materials/2019/Fall%202019/Security_Authentication%20and%20Access%20Control%20for%20MO%20Services_final.pdf

·         https://cwe.ccsds.org/moims/docs/MOIMS-SMandC/Meeting%20Materials/2019/Fall%202019/Security_Proposed%20modification%20of%20standards_final.pdf

You will find many of the same issues in these documents that Howie and I identified in reply to your email.  I could not find any SM&C WG meeting minutes that mentioned that a security discussion occurred, much less listed any actions.


From: Weiss, Howard <Howard.Weiss at parsons.com>
Sent: Tuesday, June 29, 2021 10:53 AM
To: Shames, Peter M (JPL-312B)[JPL Employee] <peter.m.shames at jpl.nasa.gov>; Sheehe, Charles J. (GRC-LCN0) <charles.j.sheehe at nasa.gov>; Biggerstaff, Craig (JSC-CD42)[SGT, INC] <craig.biggerstaff at nasa.gov>
Cc: Radulescu, Costin (JPL-9300)[JPL Employee] <cradule at jpl.nasa.gov>
Subject: Re: [EXTERNAL] RE: Issues with SM&C MO Ref Model treatment of security topics



From my recollections, we last met with them at the NASA/Ames meeting a couple of years ago.  Daniel Fischer typically acted as the liaison between Security and SM&C, mostly because he worked for Mario and Mario had been the head of SM&C.  From a technical perspective, we mostly worked with Sam.  I believe we gave them a very detailed list of issues at the Ames meeting but I'd have to dig around to see if I have it.  Daniel, as the primary interface, might have more than I have.  I remember that the list of issues was lengthy and detailed.


7110 Samuel Morse Drive
Columbia, MD 21046
443-430-8089 (office) / 443-494-9087 (cell)
howard.weiss at parsons.com


I downloaded the presentation and the paper that Daniel Fischer and his colleagues from ESA had provided back in Fall 2018 and again in Fall 2019.  In their analyses they identified, and carefully documented, the very same issues that I had raised.  And they described the basis of their concerns in even greater depth, pointing out that the documented SM&C security mechanisms are susceptible to even fairly primitive “man in the middle” attacks, let alone more sophisticated approaches.  At that time, three years ago, they also proposed specific fixes and extensions that could have been adopted to fix these problems.  It appears that these issues were swept aside then, much as you chose to do yesterday.   It also seems clear, given what was in the document and SM&C plans presented in the last CESG and CMC meetings, that in the intervening three years nothing has been done, and according to you, there are no plans to fix this now.
I must conclude that the statements you made yesterday about “We met with the SecWG 3 years ago and they agreed that we did everything we needed to.” were inaccurate and rather misleading.  In point of fact these same issues remain, the limitations of not having adequate security for multi-mission systems remains, and the potential consequences of not having adequate security have increased.   I must also point out that the way that these issues were handled, previously, and in yesterday’s meeting, are in violation of CCSDS principles for consensus operation.  There is no part of the documented CCSDS process that says “ignore issues and brush them aside”.
I do not believe that we can allow these issues to be ignored any longer, and that the CESG, as the appointed guardians of CCSDS architecture, processes, document content, and quality, must insist that these issues are remedied before this document can be published.
Regards, Peter Shames


Peter Shames
CCSDS Systems Engineering Area Director

Jet Propulsion Laboratory, MS 301-490
California Institute of Technology
Pasadena, CA 91109 USA

Telephone: +1 818 354-5740,  Fax: +1 818 393-6871

Internet:  Peter.M.Shames at jpl.nasa.gov

We must recognize the strong and undeniable influence that our language exerts on our ways of thinking and, in fact, delimits the abstract space in which we can formulate - give form to - our thoughts.

Niklaus Wirth

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SecWG Meeting Notes - May2019.doc
Type: application/msword
Size: 184832 bytes
Desc: SecWG Meeting Notes - May2019.doc
URL: <http://mailman.ccsds.org/pipermail/moims-sc/attachments/20210630/193f70f7/attachment-0002.doc>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SecWG Meeting Notes - Oct2018.doc
Type: application/msword
Size: 172544 bytes
Desc: SecWG Meeting Notes - Oct2018.doc
URL: <http://mailman.ccsds.org/pipermail/moims-sc/attachments/20210630/193f70f7/attachment-0003.doc>
