A Standardized Approach for Providing Information Security to Space Projects

Kurzfassung

Over the last years, information security became more and more important for space operations. Widely available connectivity provided by modern communication technology not only resulted in an increasing threat for attacks on the infrastructure but also offered possibilities like teleworking leading to new challenges in respect to system security. A variety of space projects is being operated from our multi-mission control center (GSOC), each having its own requirements regarding information security. As cost-reduction is also a key factor for space operations these days, there is a need for being able to provide information security to all of these projects in an organized and standardized way so that synergies can be used wherever possible - both in the implementation and in the operational phases of the mission. Nevertheless both the methods and processes used as well as the implemented controls must not be too rigid in order to be able to respond to mission-specific requirements resulting e.g. from different classification levels or special needs of a customer. In order to realize the aspects mentioned above, we chose the ISO/IEC 27001 standard as the baseline, guaranteeing - in contrast to national standards - international publicity and acceptance. This standard allows management of information security on a risk oriented basis. Furthermore this approach offers the opportunity to obtain a certification. In this paper we will describe how the information security management system at GSOC (ISMS) was designed and how general information security guidelines covering important aspects like secure operations, user management, secure network and much more have been developed based on ISO 27001, taking into account important processes for space operations. Using the example of the EDRS mission, we show how these general guidelines can be used to set up security concepts for upcoming space missions while taking benefit from already implemented systems. In addition to that, we explain how project-specific processes collude with the general guidelines and how special requirements can be incorporated. We will show the procedures which were evolved for managing the complete ISMS and for identifying gaps quickly, giving the opportunity to space projects to take corrective measures in order to be compliant with the security policies. Due to its flexibility, the ISMS also showed to be able to bear with the changes caused by the update of the ISO 27001 in 2013.