Final Report Summary - PROGRESS (Protection and Resilience Of Ground based infRastructures for European Space Systems)
Global Navigation Satellite Systems’ (GNSS) Positioning, Navigation and Timing (PNT) products are used in almost all important sectors and this trend will continue. These products’ performances are characterised by e.g. accuracy, availability, continuity and integrity parameters as well as the confidentiality of data in motion and at rest. In our opinion, the development of downstream service business models relying on advanced GNSS requirements, such as those to be fulfilled by Galileo (and EGNOS), will make the need to ensure the resilience of European GNSS quality of service even more critical.
PROGRESS focused on the detection and mitigation of intrusions to GNSS from highly educated attackers whose numbers may increase in the near future. The ultimate goal is to enable expanded intelligence in GNSS architectures so as to ensure uninterrupted performance of services. The potential impact of attacks is to be reduced through protective solutions; attacks are to be detected and analysed for impact; and, where necessary, affected elements of the GNSS are to be reconfigured.
The combination of the PROGRESS foreground results enables a comprehensive approach towards increasing the resilience of GNSS. In a first stage, a thorough risk assessment enables the identification of potential weaker points in the system architecture and physical infrastructure. In a second stage, protection and detection methods and technologies for the types of attack threats worked upon in PROGRESS (cyber; Radio Frequency (RF) interference and spoofing; explosive; and high-power microwaves) can be added into the system architecture and physical infrastructure. The detection technologies enable on-line threat monitoring and severity assessment. The Security Monitoring System (E-SMoS) and Security Control Centre (E-SCC) process alarms generated by the detection technologies for their impact on overall quality of service, taking into consideration the protection measures implemented in the system and physical infrastructure. (By design, the E-SMoS and E-SCC also have the preconditions to process alarms from other sensor systems.) Depending on the risk of the impact on the overall Quality of Service (QoS), mitigation procedures can be implemented through reconfiguration of affected units and/or elements, also taking into account the protection/mitigation measures available in the system architecture. Depending on the part of the system affected or potentially affected and on the overall architecture, reconfiguration is achieved either automatically or only after human intervention. An additional element of the solution is the use of advanced TT&C link encryption between ground stations and satellites.
Understanding the location and impact of the threats promptly will enable operators to understand the “health” of the overall GNSS, where to look for the attacks and how to maximise the exploitation of available redundancy at all levels of the system. Hence, the degree of redundancy in the system and accordingly cost of the system can be kept to a minimum.
The main technological project results were validated in laboratories, which led the consortium to the conclusion that they have reached at least Technology Readiness Level (TRL) 4. In our evaluation, the PROGRESS results demonstrated the ability of the E-SMS and further protection solutions developed in the project to improve the resilience of GNSS.
Roadmaps have been developed detailing the activities and connected timelines and costs foreseen as needed to increase the Technology Readiness Levels (TRLs) of the project results. Ideally, these activities could be funded through a customer(s) ready to pay for the development in order to implement the solutions. A further possibility could be to obtain co-funding through international or national programmes such as the European Union’s H2020 programme.
Many of the approaches and tools developed in PROGRESS could also be applied to infrastructure in further sectors, such as transport and energy.
Project Context and Objectives:
Project context
Global Navigation Satellite Systems’ (GNSS) Positioning, Navigation and Timing (PNT) products are used in almost all important sectors and this trend will continue. These products’ performances are characterised by e.g. accuracy, availability, continuity and integrity parameters as well as the confidentiality of data in motion and at rest.
PROGRESS focused on the detection and mitigation of intrusions to GNSS from highly educated attackers whose numbers may increase in the near future. The ultimate goal is to enable expanded intelligence in GNSS architectures so as to ensure uninterrupted performance of services. The potential impact of attacks is to be reduced through protective solutions; attacks are to be detected and analysed for impact; and, where necessary, affected elements of the GNSS are to be reconfigured.
Objectives
The specific project objectives were:
1) Development of a risk assessment methodology and tool to assess threats on generic GNSS ground based infrastructure and assets operating space systems and their secure communication links to satellites and a prioritisation of the threats for which detection, protection and mitigation solutions should be developed
2) Development of detection solutions for: cyber attacks (Denial of Service (DOS) attacks and spoofing); Radio Frequency (RF) interference (jamming and spoofing) detection and localization; and physical attacks (explosive and High Powered Microwave (HPM)); these detectors were integrated in an Integrated Ground Station Security Monitoring System (IGSSMS).
3) Development of threat protection and mitigation solutions for the cyber, RF interference and physical attacks: guidelines and proposed best practices, architecture solutions and specific countermeasures and procedures to be implemented once an attack(s) is identified.
4) Development of a Security Control Centre prototype (E-SCC) to analyse the impact of detected threats and to propose mitigation procedures, incl. system reconfiguration.
5) Development and integration of a prototype to prove the PROGRESS innovative security concepts, including the IGSSMS and E-SCC. This aspect included the development of tools to generate the attack scenarios addressed in the project.
6) Testing and evaluation of the prototype Security Management Solution (E-SMS) through the PROGRESS prototype testbeds.
7) Further development of strategies to exploit the results of the project in commercial products and services.
Project Results:
The main results identified in the project which can be exploited are:
- Security Management Solution (E-SMS)
The main purpose of this foreground is to improve the security and resilience of complex ground segments of space systems. This was at the core of the PROGRESS project. The prototype solution, or at least parts of it, is however transferable to other sectors, particularly critical infrastructure sectors such as transport.
It provides capabilities to protect against, detect and mitigate cyber; Radio Frequency (RF) interference and spoofing; explosive; and high-power microwave attacks. When attacks are detected, information on their estimated locations and severity is provided for analysis of their impact on the overall ground segment’s functionality and ultimately the GNSS services. Understanding the location and impact of the threats promptly will enable operators to understand the “health” of the overall GNSS, where to look for the attacks and how to maximise the exploitation of available redundancy at all levels of the system. Hence, the degree of redundancy in the system and accordingly cost of the system can be kept to a minimum. PROGRESS focussed on the detection of threats whose likelihood of occurrence has grown in the last years and this growth is expected, unfortunately, to continue.
The E-SMS is composed of an Integrated Ground Station Security Monitoring System (IGSSMS) and a Security Control Centre (E-SCC) in combination with their sub-modules and the knowledge behind each of the modules. These systems and sub-modules are described below.
- Integrated Ground Station Security Monitoring System (IGSSMS)
The purpose of the “Integrated Ground Station Security Monitoring System (IGSSMS)” is to detect terrorism, sabotage, criminality and malicious behaviour from cyber attacks, Radio Frequency (RF) interference and physical attacks (high powered microwave (HPM) and explosives). The IGSSMS provides sensor- and network-based information on the severity of an attack and the direction of its source to the E-SCC. The IGSSMS processes and forwards the alarm information from the detection sub-modules to the E-SCC. The IGSSMS consists of three sub-modules that provide the user with specific alerts, the Cyber Attack Detection System (CADS), the Interference Detection and Localization System (IDLS) and the Physical Attacks Detection System (PADS), and a sub-module which receives, manages and indexes the messages from the sensors: the Security Monitoring System (E-SMoS).
- Cyber Attack Detection System (CADS)
The purpose of the “Cyber Attack Detection System (CADS)” is to detect intrusions and anomalies in network traffic patterns. This includes statistical anomaly based N-IDS solutions, i.e. traffic patterns based on sender/receiver, protocols, ports and expected bandwidth usage. The CADS is an integral part of the IGSSMS.
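The statistical approach named above can be illustrated with a short added example; it is not the CADS implementation or any code from the PROGRESS project. It learns a baseline of expected flows keyed on sender, receiver, protocol and port with their usual bandwidth, then raises an alarm for flows outside the baseline or far from their expected rate. All addresses, rates, thresholds and severity labels are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (sender, receiver, protocol, port, bytes_per_second).
BASELINE = [
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 1000),
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 1100),
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 900),
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 1000),
    ("10.0.1.11", "10.0.2.21", "udp", 123, 200),
    ("10.0.1.11", "10.0.2.21", "udp", 123, 200),
    ("10.0.1.11", "10.0.2.21", "udp", 123, 200),
]
OBSERVED = [
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 1050),  # within expected bandwidth
    ("10.0.1.11", "10.0.2.21", "udp", 123, 210),   # within expected bandwidth
    ("10.0.1.10", "10.0.2.20", "tcp", 443, 5000),  # known flow, abnormal rate
    ("10.0.9.99", "10.0.2.20", "tcp", 22, 300),    # sender and port never seen
]


def build_profile(flows, rel_floor=0.05):
    """Learn mean and spread of bandwidth per (sender, receiver, protocol, port)."""
    rates = defaultdict(list)
    for src, dst, proto, port, bps in flows:
        rates[(src, dst, proto, port)].append(bps)
    profile = {}
    for key, values in rates.items():
        mu = mean(values)
        # Floor the spread so a perfectly constant baseline does not turn
        # every small fluctuation into an alarm (and to avoid dividing by 0).
        sigma = max(pstdev(values), rel_floor * mu, 1.0)
        profile[key] = (mu, sigma)
    return profile


def detect(profile, flows, k=3.0):
    """Return alarms for unknown flows and for rates more than k sigma off."""
    alarms = []
    for src, dst, proto, port, bps in flows:
        key = (src, dst, proto, port)
        if key not in profile:
            alarms.append({"flow": key, "reason": "unknown_flow",
                           "severity": "high"})
            continue
        mu, sigma = profile[key]
        z = abs(bps - mu) / sigma
        if z > k:
            # Severity scale is an assumption made for this example.
            severity = "high" if z > 2 * k else "medium"
            alarms.append({"flow": key, "reason": "bandwidth",
                           "severity": severity, "z": round(z, 1)})
    return alarms


if __name__ == "__main__":
    for alarm in detect(build_profile(BASELINE), OBSERVED):
        print(alarm)
```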
- Interference Detection and Localization System (IDLS) with spoofing detection and localization algorithms
The purpose of the “Interference Detection and Localization System (IDLS)” is to identify/detect RF threats to GNSS (e.g. jamming and spoofing) and to attempt to localize the source of the interference. The IDLS is an integral part of the IGSSMS.
- Physical Attacks Detection System (PADS)
The purpose of the “Physical Attacks Detection System (PADS)” is to detect and identify physical threats and attacks, such as high powered microwave (HPM) and explosives. This feature utilises a multi-sensor network node: to clearly confirm that the cause of the incident was an intentional disruption (as opposed to a reliability-related failure of a component or unintentional damage etc.); to understand where the attack was initiated; and to immediately receive feedback on the physical load or approximate effect this attack has had at the sensor node position to allow for impact analysis of ground station functionality. The PADS is an integral part of the IGSSMS.
- Security Monitoring System (E-SMoS)
The purpose of the “Security Monitoring System (E-SMoS)” is to receive, retrieve and store data coming from the detection systems. This information can then be used by the E-SCC for impact analysis and reconfiguration of the system. The E-SMoS is a combination of open source Commercially available Off-The-Shelf (COTS) software. In PROGRESS, the E-SMoS depends on reports of attacks from the detection systems. The Logstash service, which is part of the E-SMoS, would make it easy to interface with any other threat monitoring systems. The “Security Monitoring System”, together with the IDLS, CADS and PADS, makes up the IGSSMS and as such is the bridge between the detection systems and the E-SCC described below.
- Infrastructure protection methods/tools – networks (IPMT-N)
The purpose of the “Infrastructure protection methods/tools – networks (IPMT-N)” is to ensure the relevant data exchange within the GNSS Ground Segment Network and so ensure the Quality of Service (QoS). The IPMT-N work very closely with the CADS described above and are an integral part of the E-SMS as also described above. The IPMT-N are summarised under the following headings: physical security, security architecture and design, access control, software security, cryptography and security operations. All are targeted at reducing the likelihood that a threat will be successful and the impact on primary and supporting assets. Initially the IPMT-N provide input into the design of the physical security (e.g. site design), architecture (e.g. using hot and cold redundancy) and operational organisation (e.g. access and software security). At a further level they provide a response to attacks, preventing the success of attacks (e.g. by terminating the network connection).
- Infrastructure protection methods/tools – Radio frequency (IPMT-RF)
The purpose of the “Infrastructure protection methods/tools – Radio frequency (IPMT-RF)” is firstly to limit the likelihood of an attack using jamming, spoofing and/or meaconing of a GNSS signal and secondly, to reduce the impact on primary and supporting assets following an attack. The IPMT-RF work very closely with the IDLS described above and are an integral part of the E-SMS as also described above. The IPMT-RF were provided as guidelines.
- Infrastructure protection methods/tools – blast protection (IPMT-B)
The purpose of the “Infrastructure protection methods/tools – Blast (IPMT-B)” is firstly to limit the likelihood of a physical attack using explosives and secondly, to reduce the impact on primary and supporting assets following an attack. The IPMT-B work very closely with the PADS described above and are an integral part of the E-SMS also described above. The IPMT-B are summarised under areas including the following: simplified design methods and guidelines and rules against attacks.
- Infrastructure protection methods/tools – high powered microwaves (IPMT-HPM)
The purpose of the “Infrastructure protection methods/tools – high powered microwave (IPMT-HPM)” is firstly to limit the likelihood of a physical attack using high powered microwaves and secondly, to reduce the impact on primary and supporting assets following an attack. The IPMT-HPM work very closely with the PADS described above and are an integral part of the E-SMS also described above. The IPMT-B are summarised under the following headings: HPM protection – application to a generic architecture, measurement and verification of shielding effectiveness and organisational tools.
- Security Control Centre (E-SCC)
The purpose of “Security Control Centre” is to analyse the impact of the reported attacks on the system performance and Quality of Service (QoS) and to propose mitigation strategies, including automatic/proposed system reconfiguration for Ground Mission Segments (GMS) and Ground Control systems (GCS). The E-SCC consists of two modules: impact analysis and reconfiguration. The “Security Control Centre” is an integral part of the “E-SMS” as described above. In PROGRESS the E-SCC depends on reports of attacks from the detection systems through the Security Monitoring System (E-SMoS). The design of the system should allow for input potentially from other threat monitoring systems. The impact analysis must also take into consideration the architecture and protection of the GNSS system and particularly the primary and/or secondary assets subject to attack and where relevant implement results from the IPMT results described above. The reconfiguration modules must take into consideration the result of the impact analysis and the architecture and protection of the GNSS system and particularly the primary and/or secondary assets subject to attack and the protection/mitigation measures deployable to ensure the system performance and Quality of Service (QoS).
- Attack Scenario Generation Tools (ASGT) for network attacks
The purpose of “Attack Scenario Generation Tools – (ASGT) for network attacks” was to test and evaluate the CADS and the E-SMoS/E-SCC as part of the E-SMS based on prioritised network domain attack scenarios.
- Attack Scenario Generation Tools (ASGT) for Radio Frequency (RF) attacks
The purpose of “Attack Scenario Generation Tools – (ASGT) for Radio Frequency (RF) attacks” was to test and evaluate the IDLS and the E-SMoS/E-SCC as part of the E-SMS based on prioritised interference and spoofing attack scenarios.
- Attack Scenario Generation Tools (ASGT) for physical attacks
The purpose of “Attack Scenario Generation Tools – (ASGT) for physical attacks” was to test and evaluate the PADS and the E-SMoS/E-SCC as part of the E-SMS based on prioritised explosive and high powered microwave attack scenarios.
- Attack Scenario Generation Tool (ASGT) for TT&C encryption solution
The purpose of “Attack Scenario Generation Tools – (ASGT) for TT&C encryption” was to test and evaluate the TT&C encryption solution described below.
- Risk Assessment Methodology (RAM)
The purpose of “Risk Assessment methodology (RAM)” is to assess threats on generic GNSS ground based infrastructure and assets operating space systems and their secure communication links to satellites and a prioritisation of the threats for which detection, protection and mitigation solutions should be developed.
- On Board Security Unit (OBSU)
The On Board Security Unit prototype is an on-board software Telemetry Tracking & Command (TT&C) link encryption solution.
- Knowledge on the societal and economic impact of satellite systems failure and the PROGRESS E-SMS
This foreground’s first part is a result of a broad desk research study and expert interviews with their connected methodologies in connection with GNSS, economics and society. A better understanding has been gained of the relationship between GNSS and European society and economy and the impact on society and the economy in Europe of accidents and attacks on ground based infrastructure and assets operating space systems.
The foreground’s second part is a result of the research into societal aspects connected with the PROGRESS SMS prototype which includes: a SWOT Assessment of Societal Aspects of the Security Management system (E-SMS); assessment of the transferability of PROGRESS to other non-GNSS sectors, cost assessment related to further development of E-SMS, and prediction of public attitudes towards the future resilience and security measures in the field of GNSS (E-SMS as a resilience mechanism).
- Educational content and learning material
The purpose of the “Educational content and learning material” is to inform current and future policy-makers and stakeholders in very important space infrastructures, on how to design the structures to be more resilient and on the issues surrounding the economic and societal impact of space and infrastructure policies.
- Contacts
The purpose of the “Contacts” is to enable access to potential cooperation partners and/or experts within the area of security of very important space infrastructure. PROGRESS has enabled the consortium members to develop their network of contacts within the domains of security and very important space infrastructure.
- PROGRESS as reference project
This result consists in being a member of a successful international collaborative Research, Development and Innovation (RD&I) project and specifically in the area of the Framework 7 programme: Security of ground based infrastructure and assets operating space systems.
- Market analysis
The purpose of the market analysis was to understand in more detail markets relevant to the technology developed in PROGRESS, particularly in terms of their size, trends and forecasted growth. This was input into confirming the potential for the exploitation of the technology developed in the project and will help to target financing to increase the Technology Readiness Levels (TRLs) of the technological results. The markets analysed were (horizontal) cyber and physical security and (vertical) critical infrastructure protection, particularly space, but also other sectors such as transport and energy.
- Roadmaps to increase Technology Readiness Levels (TRLs)
The purpose of the “roadmaps” was to evaluate the TRL status of the technology developed in the project and to estimate the main activities, timeframe and costs to increase the individual TRLs to TRL9 – actual systems proven in operational environments and launch of products.
- Business Model Canvases
The purpose of the Business Model Canvases (BMCs) is to provide exploitation models for the project results.
Potential Impact:
The project has provided research and development results targeted towards the project objectives listed above. The E-SMS and OBSU (and connected sub-systems and sub-modules) were validated in laboratories, which led the consortium to the conclusion that they have reached at least Technology Readiness Level (TRL) 4.
In our opinion, the development of downstream service business models relying on advanced GNSS requirements, such as those to be fulfilled by Galileo (and EGNOS), will make the need to ensure the resilience of European GNSS quality of service even more critical. In our evaluation, the PROGRESS results demonstrated the ability of the E-SMS and further protection solutions developed in the project to improve the resilience of GNSS.
The main benefits to GNSS would be: GNSS risk assessment methodology which includes risks with low probability but high impact; detection, identification, localisation and impact analysis of advanced and emerging RF interference, physical and cyber attacks; protective and mitigating solutions, including reconfiguration recommendations for RF interference, physical and cyber attacks; advanced security of information and data transmission for up and down links between satellites and ground stations; and maximising of space system resilience, particularly for the types of threats we concentrated on, through providing prompt and accurate information which enables the maximum exploitation of the redundancy within the specific space system.
Many of the approaches and tools developed in PROGRESS could also be applied to infrastructure in further sectors, such as transport and energy.
Dissemination and communication activities accompanied the project. This included e.g. the establishment and updating of the project website, presentations, leaflets and posters etc.; writing of articles and conference proceeding contributions; and attendance at, primarily, specialist events. We estimate that over 20.000 within our target audience were reached.
Roadmaps have been developed detailing the activities and connected timelines and costs foreseen as needed to increase the Technology Readiness Levels (TRLs) of the project results. Ideally, these activities could be funded through a customer(s) ready to pay for the development in order to implement the solutions. A further possibility could be to obtain co-funding through international or national programmes such as the European Union’s H2020 programme.
List of Websites:
http://www.progress-satellite.eu/